The final version of TLS 1.3 was published a few months ago, and Chrome 70+ and Firefox 63+ now officially support the final TLS 1.3 protocol.
This post uses BoringSSL to provide the SSL support for nginx. OpenSSL 1.1.1+ also works, but LibreSSL does not support TLS 1.3 yet.
Compiling BoringSSL

```bash
# Download the source (or git clone it instead)
wget https://github.com/google/boringssl/archive/master.zip -O boringssl.zip
unzip -q boringssl.zip
mv boringssl-master boringssl

# Build
cd boringssl && mkdir build && cd build && cmake ../ && make && cd ../

# Save the build output in the layout nginx's --with-openssl expects:
# create boringssl/.openssl/ and copy all of boringssl/include/ to boringssl/.openssl/include/;
# create boringssl/.openssl/lib/ and copy boringssl/build/crypto/libcrypto.a and
# boringssl/build/ssl/libssl.a into boringssl/.openssl/lib/
mkdir -p .openssl/lib && cd .openssl && cp -R ../include . && cd ../
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
cd ../
```
Compiling Nginx

Download the dependencies:

```bash
wget https://nginx.org/download/nginx-1.15.5.tar.gz
wget https://zlib.net/zlib-1.2.11.tar.gz
wget https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.gz
```

Extract them:

```bash
tar xzf nginx-1.15.5.tar.gz
tar xzf zlib-1.2.11.tar.gz
tar xzf pcre-8.42.tar.gz
```

Compile:

```bash
cd nginx-1.15.5
./configure --with-openssl=../boringssl --with-pcre=../pcre-8.42 --with-zlib=../zlib-1.2.11 --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module

# !!! Fix the build problem
touch ../boringssl/.openssl/include/openssl/ssl.h

make
make install
```
Check the nginx build information:

```bash
nginx -V
```

```text
nginx version: nginx/1.15.5
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-openssl=../boringssl/ --with-pcre=../pcre-8.42 --with-zlib=../zlib-1.2.11 --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module
```
Configure nginx.conf:

```nginx
...
http {
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ecdh_curve auto;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:[TLS_AES_256_GCM_SHA384|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256]:[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-CHACHA20-POLY1305]:[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:[ECDHE-ECDSA-AES128-SHA|ECDHE-RSA-AES128-SHA]:[ECDHE-ECDSA-AES256-SHA|ECDHE-RSA-AES256-SHA]:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA";
}
...
```
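As an added example (not code from the original post), the Python script below parses an ssl_ciphers string written in BoringSSL's equal-preference syntax, where `[a|b]` is one group whose members the server treats as equal, and audits it by suite name: it lists the preference groups, flags the CBC/HMAC-SHA suites as legacy, and checks that every suite offers (EC)DHE forward secrecy. The SSL_CIPHERS value is copied from the nginx.conf above; the classification is a name-based heuristic, which is an assumption of this example rather than a registry lookup.

```python
# Constructed sample: the ssl_ciphers value from the nginx.conf above.
SSL_CIPHERS = (
    "[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:"
    "[TLS_AES_256_GCM_SHA384|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256]:"
    "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|"
    "ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-CHACHA20-POLY1305]:"
    "[ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:"
    "[ECDHE-ECDSA-AES128-SHA|ECDHE-RSA-AES128-SHA]:[ECDHE-ECDSA-AES256-SHA|ECDHE-RSA-AES256-SHA]:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
)

def parse_cipher_groups(spec):
    """Split ':'-separated rules; '[a|b]' is one equal-preference group (the
    server treats its members as equal and follows the client's order)."""
    groups = []
    for rule in spec.split(":"):
        rule = rule.strip()
        if not rule:
            continue
        if rule.startswith("[") and rule.endswith("]"):
            groups.append([name.strip() for name in rule[1:-1].split("|")])
        elif "[" in rule or "]" in rule:
            raise ValueError("unbalanced bracket in rule: %s" % rule)
        else:
            groups.append([rule])
    return groups

def classify(name):
    """Heuristic class from the suite name alone (an assumption, not a registry lookup)."""
    if name.startswith("TLS_"):
        return "tls13"  # TLS 1.3 suites are all AEAD
    if any(tag in name for tag in ("GCM", "POLY1305", "CCM")):
        return "aead"
    if name.endswith("-SHA") or "-SHA256" in name or "-SHA384" in name:
        return "cbc"  # CBC with HMAC: legacy, padding-oracle class of bugs
    return "unknown"

def audit(spec):
    """Count suites; list CBC suites, non-(EC)DHE suites, and the first group index (0 = most preferred) holding a CBC suite."""
    report = {"suites": 0, "legacy_cbc": [], "no_pfs": [], "first_cbc_group": None}
    for idx, group in enumerate(parse_cipher_groups(spec)):
        for name in group:
            report["suites"] += 1
            if classify(name) == "cbc":
                report["legacy_cbc"].append(name)
                if report["first_cbc_group"] is None:
                    report["first_cbc_group"] = idx
            if not name.startswith(("TLS_", "ECDHE-", "DHE-")):
                report["no_pfs"].append(name)
    return report
```

For the string above the audit reports 18 suites in 8 groups, all with forward secrecy, with the six CBC suites starting at group index 4, so they are only reachable by clients that offer none of the AEAD suites ahead of them.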
Checking that TLS 1.3 is actually in use:

- Chrome Developer Tools -> Security shows the protocol version of the connection
- With OpenSSL 1.1.1+:

  ```bash
  openssl s_client -connect 127.0.0.1:443
  ```

- With the bssl tool built above:

  ```bash
  boringssl/build/tool/bssl s_client -connect 127.0.0.1:443
  ```

Output:

```text
Connecting to 127.0.0.1:443
Connected.
  Version: TLSv1.3
  Resumed session: no
  Cipher: TLS_AES_128_GCM_SHA256
  ECDHE curve: X25519
...
```
Browser-side SSL check: https://ssl.hakase.io/

Sites served through the Cloudflare CDN have TLS 1.3 enabled by default.