Upgrading TLS to 1.3

1. Install and compile the latest OpenSSL 1.1.1m

Install the required build packages

# yum install -y zlib*

Or alternatively:

yum -y install gcc zlib zlib-devel pcre-devel openssl openssl-devel wget

Download the source tarball

# wget --no-check-certificate https://www.openssl.org/source/old/1.1.1/openssl-1.1.1m.tar.gz

# tar zxvf openssl-1.1.1m.tar.gz

Note:

##### Check whether the source supports TLS 1.3

# grep TLS1_3_VERSION ./* -R

Compile and install

# cd openssl-1.1.1m

# ./config --prefix=/usr/local/ssl

# make -j4

# make install

# Back up the old openssl

# mv /usr/bin/openssl /usr/bin/openssl.bak

# mv /usr/include/openssl /usr/include/openssl.bak

Create new symbolic links

# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

# ln -s /usr/local/ssl/include/openssl /usr/include/openssl

# ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1

# ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

Modify the loader configuration

# vim /etc/ld.so.conf

### Add these two lines at the end

/usr/local/lib64

/usr/local/ssl/lib

Reload the configuration and verify

Reload:

# ldconfig -v

Verify the openssl version and whether TLS 1.3 is supported

# openssl version

# openssl ciphers -V | grep TLSv1.3

# openssl s_client -help 2>&1 | awk '/-(ssl|tls)[0-9]/{print $1}'

2. Upgrade Nginx to 1.20.1

Download

# wget http://nginx.org/download/nginx-1.20.1.tar.gz

# tar zxvf nginx-1.20.1.tar.gz

Install the required build packages

# yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre pcre-devel

Compile and install

# cd nginx-1.20.1

# ./configure --prefix=/usr/local/nginx-1.20.1 --with-openssl=../openssl-1.1.1m --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_realip_module

# make

# make install

To run nginx under restricted permissions, consider:

### Reference: https://www.cnblogs.com/visionsl/p/8184647.html

Create a system group and a system user with no login shell and no home directory:

# groupadd -r nginx

# useradd -r -g nginx -s /sbin/nologin -M nginx

# ./configure --prefix=/usr/local/nginx-1.20.1 --user=nginx --group=nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_realip_module --with-openssl=../openssl-1.1.1m

# make

# make install

Tip:

If the nginx build fails with an undefined reference to `pthread_atfork' error, then after running ./configure edit the objs/Makefile file: delete the first -lpthread and move the second -lpthread to the end of that line. Save and run make again. If there is only one -lpthread, change it to -pthread.

Confirm the nginx version

# /usr/local/nginx-1.20.1/sbin/nginx -v

Edit the configuration file

# vim nginx.conf

Find the HTTPS server block and set:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # add TLSv1.3

ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

Or, as a shorter alternative cipher list (a server block may contain only one ssl_ciphers directive, so use one or the other, not both):

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
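The directives above are the post's settings; as an added example that is not part of the original post, the script below audits an nginx config for the legacy values they admit (TLSv1/TLSv1.1, 3DES, static RSA key exchange) next to a hardened counterpart. The sample config files and the function names are constructed here, and note that under OpenSSL 1.1.1 the TLS 1.3 suites are configured separately from ssl_ciphers, so the TLS13-* names in that list do not affect which TLS 1.3 suite is chosen.

```shell
#!/bin/sh
# Added example (not from the original post): audit ssl_protocols / ssl_ciphers of an
# nginx config for legacy values. Sample files are constructed; point at your own nginx.conf.
# Extract the value of one directive from a config file (first match, without the ';').
directive_value() {  # $1 = directive name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" "$2" | head -n 1
}
# Exit 1 (and list offenders) if SSLv2/SSLv3/TLSv1/TLSv1.1 are enabled.
audit_ssl_protocols() {  # $1 = config file
    found=0
    for p in $(directive_value ssl_protocols "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; found=1 ;;
        esac
    done
    return $found
}
# Exit 1 if ssl_ciphers admits 3DES or static RSA key exchange (no forward secrecy).
# Exclusions such as !MD5 are skipped; ECDHE-RSA-* suites are fine (RSA only signs there).
audit_ssl_ciphers() {  # $1 = config file
    found=0
    for tok in $(directive_value ssl_ciphers "$1" | tr ':' ' '); do
        case "$tok" in
            !*) ;;
            *3DES*|*DES-CBC3*) echo "3DES suite admitted: $tok"; found=1 ;;
            RSA|RSA+*) echo "static RSA key exchange admitted: $tok"; found=1 ;;
        esac
    done
    return $found
}
# Constructed samples: the legacy settings from the post, then a hardened counterpart
# (no TLSv1/1.1, only ECDHE AEAD suites for TLS 1.2; OpenSSL picks the TLS 1.3 suites).
LEGACY_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$LEGACY_CONF" "$HARDENED_CONF"' EXIT
cat > "$LEGACY_CONF" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+ECDSA+AES128:RSA+AES128:EECDH+aRSA+3DES:RSA+3DES:!MD5;
}
EOF
cat > "$HARDENED_CONF" <<'EOF'
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
EOF
for f in "$LEGACY_CONF" "$HARDENED_CONF"; do
    audit_ssl_protocols "$f" && audit_ssl_ciphers "$f" && echo "$f: OK"
done
```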

Check the nginx configuration file

# /usr/local/nginx-1.20.1/sbin/nginx -t

Start:   ./nginx

Stop:    ./nginx -s stop

Restart (graceful reload):  ./nginx -s reload

Check and confirm the installation result

# Example: assume cccc.abc.com:60036 is a site that supports TLS 1.3

# /usr/local/ssl/bin/openssl s_client -connect cccc.abc.com:60036 -tls1_3
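As an added example that is not part of the original post, the script below wraps that s_client check so it can be scripted: it parses the session output and only reports success when a real TLS 1.3 suite was negotiated. OPENSSL_BIN (assumed to be the /usr/local/ssl prefix used above), check_tls13 and the sample outputs are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a server really negotiates
# TLS 1.3 by parsing `openssl s_client -tls1_3` output. OPENSSL_BIN assumes the
# /usr/local/ssl prefix used above; the sample outputs below are constructed.
OPENSSL_BIN="${OPENSSL_BIN:-/usr/local/ssl/bin/openssl}"

# Read s_client output on stdin; succeed only for Protocol TLSv1.3 with a real suite.
# On a failed handshake s_client still prints "Protocol : TLSv1.3" (the version it
# offered) but "Cipher : 0000", so the protocol line alone is not proof of success.
tls13_negotiated() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    [ "$proto" = "TLSv1.3" ] || return 1
    case "$cipher" in
        TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_SHA256|TLS_AES_128_CCM_8_SHA256) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: $1 = host, $2 = port. -servername sends SNI; </dev/null ends the session.
check_tls13() {
    "$OPENSSL_BIN" s_client -connect "$1:$2" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
        | tls13_negotiated
}

# Constructed samples of the two outcomes, for an offline self-test.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000'

if [ $# -eq 2 ]; then   # usage: sh check_tls13.sh host port
    check_tls13 "$1" "$2" && echo "$1:$2 negotiated TLS 1.3" || echo "$1:$2 did NOT negotiate TLS 1.3"
fi
```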

Auto-start and service mode

vi /etc/init.d/nginx

#!/bin/bash
# nginx Startup script for the Nginx HTTP Server
# it is v.0.0.2 version.
# chkconfig: - 85 15
# description: Nginx is a high-performance web and proxy server.
#              It has a lot of features, but it's not for everyone.
# processname: nginx
# pidfile: /var/run/nginx.pid
# config: /usr/local/nginx-1.20.1/conf/nginx.conf

# Paths match the --prefix used in the build above; adjust if you installed elsewhere.
# nginx.conf must set "pid /var/run/nginx.pid;" for the pid file path below to match.
nginxd=/usr/local/nginx-1.20.1/sbin/nginx
nginx_config=/usr/local/nginx-1.20.1/conf/nginx.conf
nginx_pid=/var/run/nginx.pid
RETVAL=0
prog="nginx"

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -x "$nginxd" ] || exit 0

# Start nginx daemons functions.
start() {
    if [ -e "$nginx_pid" ]; then
        echo "nginx already running...."
        exit 1
    fi
    echo -n $"Starting $prog: "
    daemon "$nginxd" -c "${nginx_config}"
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch /var/lock/subsys/nginx
    return $RETVAL
}

# Stop nginx daemons functions.
stop() {
    echo -n $"Stopping $prog: "
    killproc "$nginxd"
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/nginx /var/run/nginx.pid
}

# Reload nginx service functions.
reload() {
    echo -n $"Reloading $prog: "
    #kill -HUP `cat ${nginx_pid}`
    killproc "$nginxd" -HUP
    RETVAL=$?
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        stop
        start
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|reload|status|help}"
        exit 1
esac
exit $RETVAL
