Test environment
AnolisOS-8.6-x86_64-minimal.iso
VirtualBox, 2 vCPU, 4 GB RAM, 40 GB virtual disk
Download the packages
https://github.com/jntass/TASSL-1.1.1
https://nginx.org/en/download.html
Install dependencies
yum install -y make gcc pcre-devel zlib-devel
Note: on the minimal image also make sure unzip (used below to unpack TASSL) and perl (required by the OpenSSL Configure script that TASSL inherits) are installed; otherwise the unzip or ./config step fails.
Compile and install TASSL
unzip TASSL-1.1.1-master.zip
cd TASSL-1.1.1-master
Note: most systems ship their own SSL library; to avoid clashing with the system's shared libssl/libcrypto at run time, only static libraries are built here (no-shared).
./config no-shared --prefix=/usr/local/tassl
make && make install
Check the version
/usr/local/tassl/bin/openssl version -a
Generate the GM (SM2) certificates
cd /usr/local/tassl/tassl_demo/cert
./gen_sm2_cert.sh
ll certs/
total 84
-rw-r--r-- 1 root root  891 Apr 21 17:14 CA.crt    root CA certificate / key
-rw-r--r-- 1 root root  509 Apr 21 17:14 CA.csr
-rw------- 1 root root  302 Apr 21 17:14 CA.key
-rw-r--r-- 1 root root 1412 Apr 21 17:14 CA.pem
-rw-r--r-- 1 root root   41 Apr 21 17:14 CA.srl
-rw-r--r-- 1 root root  802 Apr 21 17:14 CE.crt    client encryption certificate / key
-rw-r--r-- 1 root root  513 Apr 21 17:14 CE.csr
-rw------- 1 root root  302 Apr 21 17:14 CE.key
-rw-r--r-- 1 root root 1325 Apr 21 17:14 CE.pem
-rw-r--r-- 1 root root  806 Apr 21 17:14 CS.crt    client signing certificate / key
-rw-r--r-- 1 root root  513 Apr 21 17:14 CS.csr
-rw------- 1 root root  302 Apr 21 17:14 CS.key
-rw-r--r-- 1 root root 1331 Apr 21 17:14 CS.pem
-rw-r--r-- 1 root root  806 Apr 21 17:14 SE.crt    server encryption certificate / key
-rw-r--r-- 1 root root  509 Apr 21 17:14 SE.csr
-rw------- 1 root root  302 Apr 21 17:14 SE.key
-rw-r--r-- 1 root root 1330 Apr 21 17:14 SE.pem
-rw-r--r-- 1 root root  806 Apr 21 17:14 SS.crt    server signing certificate / key
-rw-r--r-- 1 root root  513 Apr 21 17:14 SS.csr
-rw------- 1 root root  302 Apr 21 17:14 SS.key
-rw-r--r-- 1 root root 1331 Apr 21 17:14 SS.pem
GM TLS uses a dual-certificate scheme: the server presents a signing certificate (SS) and a separate encryption certificate (SE), which is why nginx is given two certificate/key pairs below. CS/CE are the client-side equivalents and are only needed if client authentication is turned on. CA.srl is the CA's serial-number file. Everything here comes from a demo script, so treat the CA and all private keys as lab material only; the .key files are created mode 0600 and should stay that way.
Compile and install nginx
tar -zxvf nginx-1.25.5.tar.gz
cd nginx-1.25.5
./configure --without-http_uwsgi_module --with-http_ssl_module --with-stream --with-stream_ssl_module --prefix=/usr/local/nginx --with-openssl=/root/TASSL-1.1.1-master
make && make install
Note: --with-openssl takes the TASSL source tree, not the install prefix; nginx's build runs TASSL's Configure itself and links libssl/libcrypto statically into the nginx binary, so the system OpenSSL is not used at run time (ldd on the binary should list no libssl/libcrypto).
Check the version
/usr/local/nginx/sbin/nginx -V
The "built with" line of the output identifies the SSL library that was linked in.
Modify the nginx configuration file
cd /usr/local/nginx/conf
Edit nginx.conf and enable the HTTPS server block. Because of the dual-certificate scheme, both the signing pair (SS) and the encryption pair (SE) are loaded, each with its own ssl_certificate/ssl_certificate_key line, in the order shown:
# HTTPS server
#
server {
    listen       443 ssl;
    server_name  192.168.1.53;
    ssl_certificate      /usr/local/tassl/tassl_demo/cert/certs/SS.crt;
    ssl_certificate_key  /usr/local/tassl/tassl_demo/cert/certs/SS.key;
    ssl_certificate      /usr/local/tassl/tassl_demo/cert/certs/SE.crt;
    ssl_certificate_key  /usr/local/tassl/tassl_demo/cert/certs/SE.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    location / {
        root   html;
        index  index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root   html;
    }
}
The client certificates (CS/CE) are not referenced because this block does not verify clients; the commented-out session and cipher settings are the stock nginx defaults left as-is.
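Before pointing nginx at these files it is worth checking that SS/SE really are the signing and encryption pairs, that each private key matches its certificate, and that both certificates chain to CA.crt; nginx -t only catches a key/certificate mismatch, not a swapped SS/SE pair. The script below is an added example and is not part of the original post, TASSL or nginx. It assumes the TASSL binary and certificate directory paths used above, and that the demo certificates carry GM/T 0015-style key-usage flags (Digital Signature on the signing certificate, Key/Data Encipherment or Key Agreement on the encryption one); the two sample excerpts inside it are constructed, not captured output.

```shell
#!/bin/sh
# Added example, not from the original post, TASSL or nginx: pre-flight checks on
# the SM2 dual-certificate set before nginx.conf references it.
# Assumed (not stated on the page): the paths below, and that the demo certificates
# carry GM/T 0015-style key-usage flags (Digital Signature on the signing
# certificate; Key/Data Encipherment or Key Agreement on the encryption one).

OPENSSL="${OPENSSL:-/usr/local/tassl/bin/openssl}"
CERT_DIR="${CERT_DIR:-/usr/local/tassl/tassl_demo/cert/certs}"

# Read `openssl x509 -text -noout` output on stdin and print the role the
# X509v3 Key Usage extension allows: signing | encryption | both | unknown.
classify_key_usage() {
    # The flags sit on the line following the "X509v3 Key Usage" header.
    ku=$(awk '/X509v3 Key Usage/ { getline; print; exit }')
    sig=0; enc=0
    printf '%s\n' "$ku" | grep -q 'Digital Signature' && sig=1
    printf '%s\n' "$ku" | grep -Eq 'Key Encipherment|Data Encipherment|Key Agreement' && enc=1
    case "$sig$enc" in
        10) printf 'signing\n' ;;
        01) printf 'encryption\n' ;;
        11) printf 'both\n' ;;
        *)  printf 'unknown\n' ;;
    esac
}

# Same input on stdin; prints sm2 if the public key is on the SM2 curve
# (OpenSSL 1.1.1-style output shows it as "ASN1 OID: SM2"), otherwise other.
curve_of() {
    if grep -qi 'ASN1 OID: *SM2'; then printf 'sm2\n'; else printf 'other\n'; fi
}

# Compare the public key inside the certificate ($1) with the one derived from
# the private key ($2); prints match | mismatch.
key_matches_cert() {
    cert_pub=$("$OPENSSL" x509 -in "$1" -pubkey -noout)
    key_pub=$("$OPENSSL" pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then printf 'match\n'; else printf 'mismatch\n'; fi
}

# Walk the demo layout: SS.* must be the signing pair and SE.* the encryption
# pair (the order they are listed in the nginx server block), each key must
# match its certificate, and both certificates must chain to CA.crt.
check_cert_dir() {
    dir=$1; rc=0
    for pair in SS:signing SE:encryption; do
        name=${pair%%:*}; want=${pair#*:}
        text=$("$OPENSSL" x509 -in "$dir/$name.crt" -text -noout)
        got=$(printf '%s\n' "$text" | classify_key_usage)
        curve=$(printf '%s\n' "$text" | curve_of)
        km=$(key_matches_cert "$dir/$name.crt" "$dir/$name.key")
        printf '%s.crt: usage=%s (want %s) curve=%s key=%s\n' "$name" "$got" "$want" "$curve" "$km"
        [ "$got" = "$want" ] && [ "$curve" = sm2 ] && [ "$km" = match ] || rc=1
    done
    "$OPENSSL" verify -CAfile "$dir/CA.crt" "$dir/SS.crt" "$dir/SE.crt" || rc=1
    return $rc
}

# Constructed excerpts in the shape `x509 -text` prints (not captured from TASSL),
# so the classifier can be exercised without the generated files.
SAMPLE_SIGNING='            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: SM2
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation'
SAMPLE_ENCRYPTION='            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: SM2
            X509v3 Key Usage: critical
                Key Encipherment, Data Encipherment, Key Agreement'

# Usage: sh check_sm2_certs.sh check [dir]   (dir defaults to CERT_DIR)
if [ "${1:-}" = check ]; then
    check_cert_dir "${2:-$CERT_DIR}"
fi
```

Run it as sh check_sm2_certs.sh check (optionally with another directory) on the box where TASSL was installed; it prints one line per server certificate plus the chain result and exits non-zero if anything is off. It deliberately uses TASSL's own openssl binary: the system OpenSSL is not guaranteed to verify SM2-signed chains.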
Check that the configuration file is valid
/usr/local/nginx/sbin/nginx -t
Start nginx
/usr/local/nginx/sbin/nginx
netstat -ntlp | grep nginx
(If net-tools is not installed on the minimal image, ss -ntlp | grep nginx shows the same listening socket.)
Test and verify
Install the 密信 (MeSince) browser, which implements GM TLS; mainstream browsers and curl do not and will fail the handshake against this server.
https://192.168.1.53
Since the server certificate was issued by the demo CA, the browser will warn about it until CA.crt is imported as a trusted root.