Nginx TLS 1.3 build and configuration

Date 2018-10-24

TLS 1.3 was finalized a few months ago, and Chrome 70+ and Firefox 63+ now officially support the final version of the protocol.

This article uses BoringSSL to provide SSL support for nginx. OpenSSL 1.1.1+ also works, but LibreSSL does not support TLS 1.3 yet.

Build BoringSSL
# Download the source, or simply git clone it
wget https://github.com/google/boringssl/archive/master.zip -O boringssl.zip
unzip -q boringssl.zip
mv boringssl-master boringssl

cd boringssl && mkdir build && cd build && cmake ../ && make && cd ../


# Save the build output
# Create boringssl/.openssl/ and copy all of boringssl/include/ to boringssl/.openssl/include/
# Create boringssl/.openssl/lib/ and copy boringssl/build/crypto/libcrypto.a and boringssl/build/ssl/libssl.a into boringssl/.openssl/lib

mkdir -p .openssl/lib && cd .openssl && cp -R ../include . && cd ../
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
cd ../

Build Nginx

Download the dependencies

wget https://nginx.org/download/nginx-1.15.5.tar.gz
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz


Extract
tar xzf nginx-1.15.5.tar.gz
tar xzf zlib-1.2.11.tar.gz
tar xzf pcre-8.42.tar.gz

Build
cd nginx-1.15.5
./configure --with-openssl=../boringssl --with-pcre=../pcre-8.42 --with-zlib=../zlib-1.2.11 --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module


###!!! Fix the build error (nginx's makefile expects this header under .openssl)
touch ../boringssl/.openssl/include/openssl/ssl.h

make
make install

Check the Nginx build information

nginx -V


nginx version: nginx/1.15.5
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-openssl=../boringssl/ --with-pcre=../pcre-8.42 --with-zlib=../zlib-1.2.11 --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module

Configure nginx.conf

...

http {

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ecdh_curve auto;

    ssl_prefer_server_ciphers on;

    ssl_ciphers "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:[TLS_AES_256_GCM_SHA384|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256]:[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-CHACHA20-POLY1305]:[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-RSA-AES128-SHA]:[ECDHE-ECDSA-AES256-SHA|ECDHE-RSA-AES256-SHA]:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA";

}

...

Check whether TLS 1.3 is actually being used

  • Chrome Developer Tools -> Security shows the protocol version of the connection
  • With OpenSSL 1.1.1+: openssl s_client -connect 127.0.0.1:443
  • With the BoringSSL built above: boringssl/build/tool/bssl s_client -connect 127.0.0.1:443

Output

Connecting to 127.0.0.1:443
Connected.
Version: TLSv1.3
Resumed session: no
Cipher: TLS_AES_128_GCM_SHA256
ECDHE curve: X25519
...
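A small verification helper, added here as an example and not part of the original post: it parses the s_client handshake summary shown above and succeeds only when TLS 1.3 was negotiated with a TLS 1.3 cipher suite. It assumes bssl's `Version:`/`Cipher:` lines, or openssl's `Protocol  :`/`Cipher    :` lines from the SSL-Session block; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that an nginx built as above
# actually negotiates TLS 1.3, by parsing the s_client handshake summary.

# Constructed sample: the bssl s_client summary shown in the post.
SAMPLE_TLS13='Connecting to 127.0.0.1:443
Connected.
Version: TLSv1.3
Resumed session: no
Cipher: TLS_AES_128_GCM_SHA256
ECDHE curve: X25519'

# Constructed sample of a server that only got as far as TLS 1.2.
SAMPLE_TLS12='Connecting to 127.0.0.1:443
Connected.
Version: TLSv1.2
Resumed session: no
Cipher: ECDHE-RSA-AES128-GCM-SHA256
ECDHE curve: X25519'

# Print the first "<name>: <value>" field from s_client output on stdin.
# Tolerates bssl's "Version: x" and openssl's "    Protocol  : x" spacing.
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Succeed only if the summary shows TLS 1.3 and a TLS 1.3 suite. TLS 1.3
# suites are named TLS_<AEAD>_<HASH>; 1.2 suites look like ECDHE-RSA-....
check_tls13() {
    version=$(printf '%s\n' "$1" | field Version)                         # bssl
    [ -n "$version" ] || version=$(printf '%s\n' "$1" | field Protocol)  # openssl
    cipher=$(printf '%s\n' "$1" | field Cipher)
    [ "$version" = "TLSv1.3" ] || return 1
    case "$cipher" in
        TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a running server ($1 = host:port). Prefers the bssl
# tool built above and falls back to openssl 1.1.1+.
check_live() {
    if command -v bssl >/dev/null 2>&1; then
        out=$(bssl s_client -connect "$1" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$1" </dev/null 2>/dev/null)
    fi
    check_tls13 "$out"
}
```

Run `check_live 127.0.0.1:443` against the freshly built nginx; a non-zero exit means the server fell back to an older protocol or a non-TLS-1.3 suite.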

Browser-based SSL check: https://ssl.hakase.io/

Sites behind the Cloudflare CDN have TLS 1.3 enabled by default.