Nginxを1.15.3にアップグレードし、BoringSSLを使ってTLSv1.3を有効にします。
nginx-1.14.0.tar.gz openssl-1.1.0h.tar.gz pcre-8.42.tar.gz
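#
# Upstream sources (the pcre tarball below comes from a mirror, the other
# two from these pages):
# http://nginx.org/download/
# https://boringssl.googlesource.com/boringssl/
# https://www.pcre.org/
#
# Every relative path in this guide is taken from ~/nginx_upgrade (the
# absolute paths used later all start there), so run it from that directory.
#
# Fetch the nginx release this guide actually builds: the later
# `cd ../../nginx-1.15.3` and the `nginx -V` output refer to 1.15.3, so
# downloading 1.14.0 here would leave that directory missing. nginx.org
# serves releases over https and publishes a detached PGP signature next
# to each tarball; fetch both and verify before extracting (the nginx
# signing keys must already be in the gpg keyring for this to succeed).
wget https://nginx.org/download/nginx-1.15.3.tar.gz || exit 1
wget https://nginx.org/download/nginx-1.15.3.tar.gz.asc || exit 1
gpg --verify nginx-1.15.3.tar.gz.asc nginx-1.15.3.tar.gz || exit 1
# NOTE(review): this mirror is plain ftp, so the transfer is neither
# encrypted nor authenticated; compare the tarball against the signature
# or checksum published by the PCRE project before extracting it.
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz || exit 1
tar xvf nginx-1.15.3.tar.gz || exit 1
tar xvf pcre-8.42.tar.gz || exit 1
#
# boringssl-master.tar.gz is not downloaded anywhere in this guide; it is a
# snapshot of the repository linked above. Record the commit it was taken
# from: the sed patches applied later depend on that snapshot's source
# layout, and an unpinned "master" snapshot cannot be rebuilt reproducibly.
# If the archive carries a top-level directory, add --strip-components=1
# so the sources land directly in boringssl-install/boringssl.
mkdir -p boringssl-install/boringssl
tar xvf boringssl-master.tar.gz -C boringssl-install/boringssl || exit 1
cd boringssl-install/boringssl/ || exit 1
#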
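# BoringSSL's CMake build needs a C/C++ toolchain, cmake and a Go toolchain.
apt-get install -y build-essential make cmake golang || exit 1
# nginx's --with-openssl build looks for headers and libraries under
# <dir>/.openssl/include and <dir>/.openssl/lib, so create that layout and
# point the include tree at BoringSSL's real headers instead of copying them.
mkdir -p build .openssl/lib .openssl/include
# -n (no-dereference): without it, re-running this guide after the link
# already exists would create a second link *inside* the linked
# include/openssl directory instead of replacing the link.
ln -sfn ~/nginx_upgrade/boringssl-install/boringssl/include/openssl ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl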
最新のBoringSSLはデフォルトではTLSv1.3のfinalバージョンしか有効にしていませんが、多くのブラウザはdraft 13やdraft 28だけをサポートしていますので、tls13_allを有効にする必要があります。# https://github.com/cloudflare/sslconfig/issues/87
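# Enable every TLS 1.3 variant (the RFC version plus the drafts that
# browsers of the time negotiate) instead of BoringSSL's RFC-only default;
# background: https://github.com/cloudflare/sslconfig/issues/87
#
# The first two edits swap the enumerator values of tls13_rfc and tls13_all
# in ssl.h (presumably so that tls13_all takes the value 0 the rest of the
# code treats as the default); the third changes the explicit default in
# internal.h. All three patterns are tied to this particular snapshot, and
# `sed -i` silently does nothing when a pattern is absent, so check for
# each pattern first and fail loudly rather than build a BoringSSL that
# quietly kept the default.
#
# Arguments: $1 - fixed string that must occur in the file
#            $2 - file to check
# Returns:   0 when found; exits 1 (with a message on stderr) otherwise
require_pattern() {
  local pattern=$1 file=$2
  grep -qF -- "$pattern" "$file" || {
    printf 'expected "%s" in %s; this BoringSSL snapshot differs from the one the patch targets\n' "$pattern" "$file" >&2
    exit 1
  }
}
require_pattern 'tls13_rfc = 0' include/openssl/ssl.h
require_pattern ' tls13_all,' include/openssl/ssl.h
require_pattern 'tls13_variant_t tls13_variant = tls13_rfc;' ssl/internal.h
sed -i 's|tls13_rfc = 0|tls13_all = 0|' include/openssl/ssl.h
sed -i 's| tls13_all,| tls13_rfc,|' include/openssl/ssl.h
sed -i 's|tls13_variant_t tls13_variant = tls13_rfc;|tls13_variant_t tls13_variant = tls13_all;|g' ssl/internal.h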
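# Original note: "continue compiling". Touching the header (through the
# .openssl symlink it is the real include/openssl/ssl.h) refreshes its
# timestamp; the nginx build later compares this file's timestamp against
# its own targets, so keeping it fresh is what lets `make` proceed without
# trying to build an "openssl" tree of its own — BoringSSL is built here.
touch .openssl/include/openssl/ssl.h
boringssl_root=~/nginx_upgrade/boringssl-install/boringssl
cmake -B"$boringssl_root/build/" -H"$boringssl_root/" || exit 1
# One make job per core; the two static libraries nginx links are copied
# into the .openssl/lib layout that --with-openssl expects.
make -C "$boringssl_root/build" -j"$(nproc)" || exit 1
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib/ || exit 1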
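cd ../../nginx-1.15.3 || exit 1
# --with-openssl points at the BoringSSL tree (nginx picks up
# .openssl/include and .openssl/lib beneath it); --prefix/--conf-path and
# the log/pid/temp paths mirror the distro layout so the resulting binary
# can replace /usr/sbin/nginx in place.
# NOTE(review): the packaged nginx this binary replaces is normally built
# with the distro's hardening flags; consider --with-cc-opt/--with-ld-opt
# (stack protector, RELRO) so the hand-built binary does not lose them —
# verify against the flags of the installed package first.
./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --with-openssl=../boringssl-install/boringssl/ --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_stub_status_module --with-pcre=../pcre-8.42 --with-mail --with-mail_ssl_module || exit 1
# Order matters: configure, then touch, then make. Refreshing the header
# after configure keeps nginx's makefile from trying to build the
# "openssl" target itself; BoringSSL is already built and copied into
# .openssl/lib.
touch ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl/ssl.h
make -j"$(nproc)" || exit 1
# Confirm the binary really links BoringSSL; expected output follows.
./objs/nginx -V
# nginx version: nginx/1.15.3
# built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
# built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
# TLS SNI support enabled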
# The TLS 1.3 suites are listed first (draft-era names), followed by the
# ECDHE/AEAD suites; the [a|b] groups are BoringSSL's equal-preference
# syntax, letting the client's order decide within a group.
# NOTE(review): the tail of the list (DES-CBC3-SHA, CAMELLIA, bare AES and
# AES*-SHA256 without ECDHE) re-enables 3DES and non-forward-secret RSA key
# exchange for the sake of old clients; keep those entries only while such
# clients actually have to be served, and drop them afterwards.
ssl_ciphers "[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256] TLS13-AES-256-GCM-SHA384 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 DES-CBC3-SHA AES128-SHA256 AES256-SHA256 CAMELLIA AES256-SHA AES CAMELLIA DES-CBC3-SHA ECDHE-ECDSA-AES256-SHA";
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Offering them
# alongside TLSv1.3 is the author's compatibility choice; confirm it is
# still needed, since the testssl run at the end of this guide reports
# "TLS 1.1 offered" without an (OK) mark.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
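# Reload the configuration on the running (old) binary; the binary itself
# is swapped with the USR2/WINCH/QUIT sequence further down.
/etc/init.d/nginx reload
# Stage the new binary beside the old one and swap it in with rename(2) so
# there is never a moment without /usr/sbin/nginx. Copying straight over a
# running executable fails with "text file busy", which is why the old
# file is moved aside rather than overwritten.
cp ./objs/nginx /usr/sbin/nginx.new || exit 1
mv -f /usr/sbin/nginx /usr/sbin/nginx.old || exit 1
mv -f /usr/sbin/nginx.new /usr/sbin/nginx || exit 1
#
nginx -v
# nginx version: nginx/1.15.3
#
# Test the configuration with the *new* binary before handing it traffic.
# A failed test has to stop here: sending USR2 regardless would fork a
# master that cannot load its configuration.
nginx -t || {
  printf 'nginx -t failed with the new binary; the old master keeps serving\n' >&2
  exit 1
}
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
pid_file=/run/nginx.pid
old_pid=$(cat "$pid_file") || exit 1
# USR2: the old master starts a new master from the new binary and renames
# its own pid file to <pid>.oldbin.
kill -USR2 "$old_pid"
# Wait until the new master is actually running before signalling the old
# one. If it never appears, the old master is still serving and nothing
# has been lost.
started=0
for (( attempt = 0; attempt < 10; attempt++ )); do
  if [[ -s "$pid_file.oldbin" ]] \
    && new_pid=$(cat "$pid_file" 2>/dev/null) \
    && [[ "$new_pid" != "$old_pid" ]] \
    && kill -0 "$new_pid" 2>/dev/null; then
    started=1
    break
  fi
  sleep 1
done
if (( started == 0 )); then
  printf 'new master did not start within 10s; old master (pid %s) is still serving\n' "$old_pid" >&2
  exit 1
fi
# WINCH: the old master shuts its workers down gracefully. Per nginx's
# documented upgrade procedure this is the point to check that the new
# workers serve traffic; rolling back means HUP to the old master and
# QUIT to the new one instead of the QUIT below.
kill -WINCH "$(cat "$pid_file.oldbin")"
# QUIT: the old master exits; the upgrade is complete.
kill -QUIT "$(cat "$pid_file.oldbin")"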
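# Fetch the scanner at its current HEAD; pin a tag or commit if the scan
# has to be reproducible. Run it against the upgraded server from the
# outside (replace your_domain with the server's host name).
git clone --depth 1 https://github.com/drwetter/testssl.sh.git || exit 1
cd testssl.sh || exit 1
./testssl.sh --full --html https://your_domain
# Expected protocol section (tlsv1.3): the draft versions enabled by the
# BoringSSL patch appear next to "final". In this output only 1.2 and 1.3
# carry (OK); TLS 1.1 is reported as offered because the configuration
# above still enables the older protocols.
# TLS 1.1 offered
# TLS 1.2 offered (OK)
# TLS 1.3 offered (OK): draft 28, draft 23, final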