经检验,是因为centos8系统自带的openssl版本太高导致的。
centos7自带的apache就没问题,xp ie6和ie8可以正常访问https。建议使用centos7系统。
如果系统没法换,只能用centos8的话,那么可以参考下面的方法。
https://zh.purasbar.com/post.php?t=26190【方法一】
在apache的配置文件/etc/httpd/conf.d/ssl.conf中启用TLSv1.0。
启用后IE8可以正常访问https,但IE6默认情况下没法访问。IE6默认情况下只开启了SSLv3,没有开启TLSv1.0,而CentOS8自带的OpenSSL 1.1.1k不支持SSLv3(除非重新源码编译openssl1.1.1并指定enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers选项)。IE6只有在Internet选项里面勾选了TLS1.0才能访问https网站。
打开apache配置文件/etc/httpd/conf.d/ssl.conf,将下面两行
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
修改为
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
保存文件,用sudo systemctl restart httpd命令重启apache服务器,IE8就可以访问https了。
提示:
(1)update-crypto-policies保持默认的“DEFAULT”状态即可,不需要修改。
$ sudo update-crypto-policies --show
DEFAULT
(2)ssl.conf里面下列两行中的“-SSLv3”表示禁用SSLv3的意思。
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
如果改成“+SSLv3”就表示启用SSLv3,但是CentOS8自带的OpenSSL 1.1.1k不支持SSLv3,修改后apache无法启动成功。
Apr 19 11:26:32 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has begun starting up.
Apr 19 11:26:32 httpd[366766]: AH00526: Syntax error on line 61 of /etc/httpd/conf.d/ssl.conf:
Apr 19 11:26:32 httpd[366766]: SSLv3 not supported by this version of OpenSSL
Apr 19 11:26:32 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 19 11:26:32 systemd[1]: httpd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit httpd.service has entered the 'failed' state with result 'exit-code'.
Apr 19 11:26:32 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has failed.
--
-- The result is failed.
openssl命令的-ssl3选项也无法使用:
$ openssl s_client -connect localhost:443 -ssl3
s_client: Option unknown option -ssl3
s_client: Use -help for summary.
【方法二】
源码编译低版本的openssl。由于apache是动态链接系统里面的openssl,所以apache也需要重新编译。
禁用系统自带的apache2.4,自己单独编译一套低版本的openssl、apache和php(如openssl-1.0.1f+apache2.2.23+php7.1.2)。不需要调整其他任何设置。
禁用系统自带的apache2.4,并禁止开机自启动:
sudo systemctl stop httpd
sudo systemctl disable httpd
update-crypto-policies不用动,可保持默认的DEFAULT状态。
安装低版本openssl:
cd ~
mkdir temp
cd temp
wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1f.tar.gz
tar xf openssl-1.0.1f.tar.gz
cd openssl-1.0.1f/
./config --prefix=/opt/openssl-1.0.1f shared
make
sudo make install_sw
在/etc/ld.so.conf.d文件夹中新建一个mynewssl.conf文件,内容为/opt/openssl-1.0.1f/lib。
然后执行sudo ldconfig。
安装低版本apache2.2:
wget https://archive.apache.org/dist/httpd/httpd-2.2.23.tar.gz
tar xf httpd-2.2.23.tar.gz
cd httpd-2.2.23
./configure --prefix=/opt/httpd-2.2.23 --enable-deflate --enable-expires --enable-heads --with-mpm-worker --enable-rewrite --enable-so --with-included-apr --enable-ssl --with-ssl=/opt/openssl-1.0.1f --enable-mods-shared=all
make
sudo make install
打开/opt/httpd-2.2.23/conf/httpd.conf,将
Include conf/extra/httpd-ssl.conf
取消注释。
打开/opt/httpd-2.2.23/conf/extra/httpd-ssl.conf,正确配置证书文件路径,如:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
启动新安装的apache2:
sudo /opt/httpd-2.2.23/bin/apachectl start
经检验,XP系统下的IE6、IE8和win11下的edge、firefox均能正常访问https。
新安装一个php7:
(sudo yum install libxml2-devel libpng-devel)
wget https://www.php.net/distributions/php-7.1.2.tar.gz
tar xf php-7.1.2.tar.gz
cd php-7.1.2
./configure --prefix=/opt/php-7.1.2 --with-apxs2=/opt/httpd-2.2.23/bin/apxs --enable-mbstring --with-gd --with-mysqli --with-pdo-mysql --with-gettext --with-openssl=/opt/openssl-1.0.1f
make
sudo make install
在/opt/httpd-2.2.23/conf/httpd.conf末尾加入
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
重启新安装的apache2:
sudo /opt/httpd-2.2.23/bin/apachectl restart
建立/opt/httpd-2.2.23/htdocs/info.php文件:
<?php
phpinfo();
[配置虚拟主机:/home/xxx/xxx/config/xxx.conf]
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot "/opt/httpd-2.2.23/htdocs"
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/home/xxx/xxx/certificate/xxx.com.crt"
SSLCertificateKeyFile "/home/xxx/xxx/certificate/xxx.com.key"
SSLCertificateChainFile "/home/xxx/xxx/certificate/xxx.com.ca-bundle"
DocumentRoot "/opt/httpd-2.2.23/htdocs"
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/home/xxx/xxx"
ServerName xxx.com
Redirect 301 / https://xxx.com/
<Directory "/home/xxx/xxx">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/home/xxx/xxx/certificate/xxx.com.crt"
SSLCertificateKeyFile "/home/xxx/xxx/certificate/xxx.com.key"
SSLCertificateChainFile "/home/xxx/xxx/certificate/xxx.com.ca-bundle"
DocumentRoot "/home/xxx/xxx"
ServerName xxx.com
<Directory "/home/xxx/xxx">
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
写好之后在/opt/httpd-2.2.23/conf/httpd.conf的最后一行包含一下:
Include /home/xxx/xxx/config/xxx.conf
请注意,Include的所有conf配置文件中,NameVirtualHost *:80和NameVirtualHost *:443只允许出现一次。最好是在第一个conf里面出现。
[测试]
访问 http://服务器IP地址 或 https://服务器IP地址 ,出来的是It works!
访问 http://xxx.com 自动跳转到 https://xxx.com ,出来的是/home/xxx/xxx下的网站。
[补充]
经验证,安装以下版本的服务器
httpd-2.4.17 (apr-1.5.2, apr-util-1.5.4)
openssl-1.0.2k
nghttp2-1.61.0
可以在保证IE6和IE8都能访问https的情况下,成功启用HTTP/2。
虽然XP系统下的IE浏览器不支持HTTP/2,但是firefox52.9esr是支持HTTP/2的。
apache里面
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
要改成
SSLProtocol all
SSLProxyProtocol all
才能使用IE6访问https。
【方法三】
重新源码编译openssl1.1.1,编译时指定enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers选项。apache、php也要重新编译并绑定到这个openssl上。
7962
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
