Upgrading Nginx to 1.15.3 and enabling TLSv1.3 with BoringSSL

  • Download the required packages
    nginx-1.14.0.tar.gz   openssl-1.1.0h.tar.gz pcre-8.42.tar.gz
    # Download sites
    http://nginx.org/download/
    https://boringssl.googlesource.com/boringssl/
    https://www.pcre.org/
    # Fetch the archives
    wget http://nginx.org/download/nginx-1.14.0.tar.gz
    wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
    
  • Extract the archives
    tar xvf nginx-1.14.0.tar.gz
    tar xvf pcre-8.42.tar.gz
    
  • Compile BoringSSL first
    # Unpack the BoringSSL source
    mkdir -p boringssl-install/boringssl
    tar xvf boringssl-master.tar.gz -C boringssl-install/boringssl
    cd boringssl-install/boringssl/
    
    # Install the build dependencies
    # BoringSSL needs Golang to build
    apt-get install -y build-essential make cmake golang
    
    mkdir -p build .openssl/lib .openssl/include
    ln -sf ~/nginx_upgrade/boringssl-install/boringssl/include/openssl ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl
    
    The latest BoringSSL only enables the final version of TLSv1.3 by default, but many browsers support only draft 13 and draft 28, so tls13_all has to be enabled.
    # https://github.com/cloudflare/sslconfig/issues/87
    sed -i 's|tls13_rfc = 0|tls13_all = 0|' include/openssl/ssl.h
    sed -i 's|  tls13_all,|  tls13_rfc,|' include/openssl/ssl.h
    sed -i 's|tls13_variant_t tls13_variant = tls13_rfc;|tls13_variant_t tls13_variant = tls13_all;|g' ssl/internal.h
    
    Continue with the build
    touch .openssl/include/openssl/ssl.h
    cmake -B~/nginx_upgrade/boringssl-install/boringssl/build/ -H~/nginx_upgrade/boringssl-install/boringssl/
    make -C ~/nginx_upgrade/boringssl-install/boringssl/build
    cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib/
    
  • Compile nginx
    cd ../../nginx-1.15.3
    # --with-openssl points at the BoringSSL source directory
    # prefix, conf-path and the other paths match the existing Nginx installation
    ./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --with-openssl=../boringssl-install/boringssl/ --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_stub_status_module --with-pcre=../pcre-8.42 --with-mail --with-mail_ssl_module
    # After configure, touch ssl.h again before running make; otherwise make tries to build boringssl itself
    touch ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl/ssl.h
    make
    
  • Show the version information
    # The output should report BoringSSL
    ./objs/nginx -V
    nginx version: nginx/1.15.3
    built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
    built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    
  • Change the cipher suites and add the TLSv1.3 protocol
    ssl_ciphers "[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256] TLS13-AES-256-GCM-SHA384 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 DES-CBC3-SHA AES128-SHA256 AES256-SHA256 CAMELLIA AES256-SHA AES CAMELLIA DES-CBC3-SHA ECDHE-ECDSA-AES256-SHA";
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    
    /etc/init.d/nginx reload
    
  • Hot upgrade (swap the binary without downtime)
    mv /usr/sbin/nginx /usr/sbin/nginx.old
    cp ./objs/nginx /usr/sbin/
    # Check the version
    nginx -v
    nginx version: nginx/1.15.3
    # Test the configuration
    nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    kill -USR2 `cat /run/nginx.pid`
    kill -WINCH `cat /run/nginx.pid.oldbin`
    kill -QUIT `cat /run/nginx.pid.oldbin`
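The hot-upgrade sequence above, wrapped in a script with the checks a practitioner would want before and after sending the signals. This is an added example, not code from the original post: it refuses to swap the binary unless the new one reports BoringSSL and the SSL and HTTP/2 modules, tests the configuration with the new binary, waits for the `.oldbin` pid file to appear after USR2, and restores the old binary if anything fails. The paths are the ones used in the post; `NGINX_BIN`, `NEW_BIN` and `PID_FILE` are names chosen for this example and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): zero-downtime nginx binary swap
# with pre-flight checks and rollback. Paths default to the ones in the post.

NGINX_BIN=${NGINX_BIN:-/usr/sbin/nginx}   # installed binary (assumed path)
NEW_BIN=${NEW_BIN:-./objs/nginx}          # freshly built binary
PID_FILE=${PID_FILE:-/run/nginx.pid}      # --pid-path from ./configure
OLDBIN_FILE="$PID_FILE.oldbin"            # written by the old master after USR2

# Return 0 if the text of "nginx -V" says the binary is linked against BoringSSL.
built_with_boringssl() {
    printf '%s\n' "$1" | grep -q 'built with OpenSSL .*BoringSSL'
}

# Return 0 if the "nginx -V" text lists every configure module named in the
# remaining arguments (e.g. http_ssl_module), 1 if any is missing.
has_modules() {
    v=$1; shift
    for m in "$@"; do
        printf '%s\n' "$v" | grep -q -- "--with-$m" || return 1
    done
    return 0
}

# Wait up to $2 seconds for file $1 to appear; 0 on success, 1 on timeout.
wait_for_file() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -e "$1" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

hot_upgrade() {
    vinfo=$("$NEW_BIN" -V 2>&1)           # nginx -V prints to stderr
    built_with_boringssl "$vinfo" || { echo "new binary is not linked against BoringSSL" >&2; return 1; }
    has_modules "$vinfo" http_ssl_module http_v2_module || { echo "new binary lacks required modules" >&2; return 1; }

    # Keep a copy of the running binary so we can roll back.
    cp "$NGINX_BIN" "$NGINX_BIN.old" || return 1
    cp "$NEW_BIN" "$NGINX_BIN" || return 1

    # Test the existing configuration with the *new* binary before signalling.
    if ! "$NGINX_BIN" -t; then
        echo "config test failed with new binary; restoring old one" >&2
        mv "$NGINX_BIN.old" "$NGINX_BIN"
        return 1
    fi

    old_pid=$(cat "$PID_FILE")
    kill -USR2 "$old_pid"                 # start a new master + workers from the new binary
    if ! wait_for_file "$OLDBIN_FILE" 10; then
        echo "new master did not start; old master still serving, binary restored" >&2
        mv "$NGINX_BIN.old" "$NGINX_BIN"
        return 1
    fi
    kill -WINCH "$old_pid"                # gracefully stop the old workers
    kill -QUIT "$old_pid"                 # gracefully stop the old master
    echo "upgrade complete; to roll back: mv $NGINX_BIN.old $NGINX_BIN and repeat the USR2/WINCH/QUIT sequence"
}

# Only act when invoked as "sh upgrade.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
    hot_upgrade
fi
```

Run it as `sh upgrade.sh run` from the nginx build directory. Without the `run` argument it only defines the functions, so the checks can be sourced and reused from other scripts.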
    
  • Verify that the site is using TLSv1.3
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
    cd testssl.sh
    ./testssl.sh --full --html https://your_domain
    
    # The protocol section of the report should show TLSv1.3 offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    TLS 1.3    offered (OK): draft 28, draft 23, final