环境:centos7 1810
此次文档包含的安装包下载链接https://download.csdn.net/download/weixin_45548465/87512505
GmSSL-master.zip
nginx-1.21.6.tar.gz
360浏览器带国密算法.exe
Wireshark-win64-3.4.5.exe
安装编译依赖包
yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget ntpdate gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel systemd-devel net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed
一、GMSSL安装
参考:https://github.com/guanzhi/GmSSL
下载安装包GmSSL-master.zip
unzip /root/GmSSL-master.zip
cd GmSSL-master/
./config --prefix=/usr/local/gmssl
make -j4 && sudo make install
查看版本提示找不到 libssl.so.1.1 库文件
/usr/local/gmssl/bin/gmssl version
建立软链接后解决,我的安装目录在/usr/local/gmssl下,执行以下命令,可以find搜索下库文件,libssl.so.1.1和libcrypto.so.1.1
ln -s /usr/local/gmssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/gmssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -sv /usr/local/gmssl/bin/gmssl /usr/sbin/
二、编译安装nginx,openssl换成gmssl路径
参考:https://nginx.org/
下载安装包
nginx-1.21.6.tar.gz
tar xvf nginx-1.21.6.tar.gz -C /usr/local/
vim /usr/local/nginx-1.21.6/auto/lib/openssl/conf
将全部 $OPENSSL/.openssl/修改为$OPENSSL/ 大约是39到42行
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
cd /usr/local/nginx-1.21.6/
./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-openssl=/usr/local/gmssl
make -j4 &&sudo make install
验证版本
ln -sv /apps/nginx/sbin/nginx /usr/sbin
nginx -V
编辑主配置文件 在最后面 } 上面加上下面代码 让其支持以conf结尾的子配置文件
mkdir /apps/nginx/conf/conf.d
vim /apps/nginx/conf/nginx.conf
include /apps/nginx/conf/conf.d/*.conf;
}
三、sm2证书生成
创建相关文件和目录
mkdir /usr/local/gmssl/ssl/CA ##存放ca证书及密钥和证书请求
mkdir /usr/local/gmssl/ssl/newcerts ##存放新签署证书的目录
touch /usr/local/gmssl/ssl/index.txt #签署证书的数据记录文件,下面会生成index这个文件
touch /usr/local/gmssl/ssl/serial #新证书签署号记录文件下,下面会生成serial这个文件
touch /usr/local/gmssl/ssl/crlnumber # 吊销证书用,下面会生成这个文件
echo '01' > /usr/local/gmssl/ssl/serial #给文件一个初始号
echo '01' > /usr/local/gmssl/ssl/crlnumber #给文件一个初始号
vim /usr/local/gmssl/ssl/openssl.cnf
dir = /usr/local/gmssl/ssl/ ##修改默认工作目录
private_key = $dir/CA/rootca.key ##根ca私钥存放路径
certificate = $dir/CA/rootcasm2.cer ##根ca公钥存放路径
添加 [ v3enc_req ]参数
[ v3enc_req ]
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
自签发CA证书
gmssl ecparam -genkey -name SM2 -out /usr/local/gmssl/ssl/CA/rootca.key
gmssl req -new -x509 -sm3 -key /usr/local/gmssl/ssl/CA/rootca.key -out /usr/local/gmssl/ssl/CA/rootcasm2.cer -days 10000 -subj '/C=CN/O=HUB/OU=WUHAN_SM2'
server签名证书
gmssl ecparam -genkey -name SM2 -noout -out /usr/local/gmssl/ssl/CA/server.key
gmssl req -new -SM3 -key /usr/local/gmssl/ssl/CA/server.key -out /usr/local/gmssl/ssl/CA/server.csr -subj '/C=CN/O=HUB/OU=WUHAN_SM2/CN=www.test.com'
cd /usr/local/gmssl/ssl/CA/
gmssl x509 -req -SM3 -days 3650 -in server.csr -extfile ../openssl.cnf -extensions v3_req -CA rootcasm2.cer -CAkey rootca.key -set_serial 1000000001 -out server.cer
server加密证书
gmssl ecparam -genkey -name SM2 -noout -out server_en.key
gmssl req -new -SM3 -key server_en.key -out server1.csr -subj '/C=CN/O=HUB/OU=WUHAN_SM2/CN=www.test.com'
gmssl x509 -req -SM3 -days 3650 -in server1.csr -extfile ../openssl.cnf -extensions v3enc_req -CA rootcasm2.cer -CAkey rootca.key -set_serial 1000002001 -out server_en.cer
client签名证书
gmssl ecparam -genkey -name SM2 -noout -out client.key
gmssl req -new -key client.key -out client.req -subj "/C=CN/O=HUB/OU=WUHAN_SM2/CN=client"
gmssl x509 -req -SM3 -days 3650 -in client.req -extfile ../openssl.cnf -extensions v3_req -CA rootcasm2.cer -CAkey rootca.key -CAcreateserial -out client.cer
client加密证书
gmssl ecparam -genkey -name SM2 -noout -out client_en.key
gmssl req -new -key client_en.key -out client_en.req -subj "/C=CN/O=HUB/OU=WUHAN_SM2/CN=client"
gmssl x509 -req -SM3 -days 3650 -in client_en.req -CA rootcasm2.cer -extfile ../openssl.cnf -extensions v3enc_req -CAkey rootca.key -CAcreateserial -out client_en.cer
nginx配置
vim /apps/nginx/conf/conf.d/ssl.conf
server{
listen 443 ssl;
ssl_certificate /usr/local/gmssl/ssl/CA/server.cer;
ssl_certificate_key /usr/local/gmssl/ssl/CA/server.key;
ssl_certificate /usr/local/gmssl/ssl/CA/server_en.cer;
ssl_certificate_key /usr/local/gmssl/ssl/CA/server_en.key;
ssl_session_cache shared:SSL:1m; #开启缓存 大小1M
ssl_session_timeout 5m; # 指定客户端可以重用会话参数的时间(超时之后不可使用)
#ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECC-SM4-SM3:ECDHE-SM4-SM3:SM2-WITH-SMS4-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://192.168.190.178:8080;
proxy_redirect default; }
}
nginx -c /apps/nginx/conf/nginx.conf
nginx -s reload
客户端浏览器验证
下载360浏览器国密版,https://browser.360.cn/se/ver/gmzb.html
需要在设置->安全设置中开启国密支持
wireshark抓包
下载国密版https://github.com/pengtianabc/wireshark-gm/releases/tag/wireshark-3.4.5-gm
gmssl提供的验证方式
服务端证书链(证书排序:签名在前,加密后,CA证书最后):
gmssl s_server -port 443 -key server.key -cert server.cer -dkey server_en.key -dcert server_en.cer -CAfile rootcasm2.cer
gmssl s_client -connect localhost:443 -key client.key -cert client.cer -CAfile rootcasm2.cer
备注:
github上有二次开发的nginx,参考https://github.com/pengtianabc/nginx-gm