debian update openssl 1.1.1 Nginx 1.15 enable TLS 1.3.bak

I recently saw that the TLS 1.3 standard was finalized and published as an official release, so I tried experimenting with it myself.

The environment is Debian 9 on a 瓦工 (Bandwagon Host) VPS.

After a round of googling, here is my record of the upgrade process.

Install OpenSSL

# tar -zxvf openssl-1.1.1-pre8.tar.gz
# cd openssl-1.1.1-pre8

# set the install directory and the configuration (openssldir) directory
# ./config shared zlib --prefix=/usr/local/openssl-1.1.1-pre8 --openssldir=/usr/local/openssl-1.1.1-pre8/ssl

# show the resulting build configuration
# perl configdata.pm --dump

# make
# make test
# make install

Back up the old binary and add a new symlink

# mv /usr/bin/openssl /usr/bin/openssl.20180814
# link the new binary into /usr/bin (give the full link path so it does not land in the current directory)
# ln -s /usr/local/openssl-1.1.1-pre8/bin/openssl /usr/bin/openssl

When you check the version, two shared libraries should be reported as missing: libssl.so.1.1 => not found and libcrypto.so.1.1 => not found

# openssl version -a

Link the new library files. Create /etc/ld.so.conf.d/openssl-1.1.1-pre8.conf containing the new library path:

# cd /etc/ld.so.conf.d/
# vi openssl-1.1.1-pre8.conf
/usr/local/openssl-1.1.1-pre8/lib

Refresh the linker cache with the configuration above

ldconfig -v

Now openssl version -a displays normally.

Next, upgrade Nginx and compile it with TLS 1.3 enabled

$ wget http://nginx.org/download/nginx-1.15.2.tar.gz
$ tar zxvf nginx-1.15.2.tar.gz
$ cd nginx-1.15.2

Patch OpenSSL

cd openssl-1.1.1-pre8
wget https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl-equal-pre8_ciphers.patch

patch -p1 < openssl-equal-pre8_ciphers.patch

Then enter the nginx-1.15.2 directory and configure the build parameters

./configure --with-openssl=/root/openssl-1.1.1-pre8 --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-http_ssl_module

Run make to compile

First back up the old Nginx.

$ mv /path/to/nginx/sbin/nginx /path/to/nginx/sbin/nginx.old

Then copy the newly built binary over.

$ cp objs/nginx /path/to/nginx/sbin/

Then edit the Nginx configuration. This can go in nginx.conf or in the site's own .conf file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:!3DES:!MD5;


Restart Nginx

/etc/init.d/nginx restart

/etc/init.d/nginx reload

Finally, enable TLS 1.3 draft28 support in Chrome

chrome://flags/#tls13-variant

Here my Chrome 68 could not negotiate TLS 1.3 draft28 by default

After enabling draft28 support, visits to the Nginx site now go over TLS 1.3
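A post-upgrade check, added here as an example and not part of the original post: it parses ldd output for the "not found" libraries described above and inspects the ssl_protocols line of the Nginx configuration, flagging the legacy TLSv1/TLSv1.1 entries that the configuration above still enables. The function names and the sample inputs are my own.

```shell
#!/bin/sh
# Post-upgrade checks for the OpenSSL 1.1.1 / Nginx TLS 1.3 procedure above.
# Added example, not code from the original post. Inputs are plain text so it
# runs offline; in practice feed it the output of `ldd $(which openssl)` and
# the contents of nginx.conf.

# Print the shared libraries the dynamic linker could not resolve.
# $1: output of `ldd <binary>`. The "=> not found" form is exactly what the
# post reports for libssl.so.1.1 and libcrypto.so.1.1 before the
# /etc/ld.so.conf.d entry is added and ldconfig is run.
missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# Inspect the ssl_protocols directive of an nginx configuration.
# $1: configuration text (a snippet or a whole file).
# Prints "tls13=yes|no legacy=<list|none>" and returns 0 only when no
# legacy protocol (SSLv3, TLSv1, TLSv1.1) is enabled; returns 2 when the
# directive is absent (nginx then uses its compiled-in default).
check_ssl_protocols() {
    protos=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' \
        | head -n 1)
    if [ -z "$protos" ]; then
        echo "ssl_protocols=unset"
        return 2
    fi
    tls13=no
    legacy=""
    for p in $protos; do
        case "$p" in
            TLSv1.3) tls13=yes ;;
            SSLv3|TLSv1|TLSv1.1) legacy="${legacy:+$legacy,}$p" ;;
        esac
    done
    [ -n "$legacy" ] || legacy=none
    printf 'tls13=%s legacy=%s\n' "$tls13" "$legacy"
    [ "$legacy" = none ]
}

# Stand-alone demo on constructed inputs (the post's own ssl_protocols line).
if [ "${1:-}" = "--demo" ]; then
    missing_libs "libssl.so.1.1 => not found
libcrypto.so.1.1 => not found"
    check_ssl_protocols "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;"
fi
```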


using System.Net.Http;

// Extension method for ASP.NET Web API that returns the client's IP address
// regardless of hosting model. It reads the transport-level remote endpoint,
// not request headers such as X-Forwarded-For, so behind a reverse proxy it
// returns the proxy's address rather than the end user's.
public static class HttpRequestMessageExtensions
{
    private const string HttpContext = "MS_HttpContext";
    private const string RemoteEndpointMessage = "System.ServiceModel.Channels.RemoteEndpointMessageProperty";
    private const string OwinContext = "MS_OwinContext";

    public static string GetClientIpAddress(this HttpRequestMessage request)
    {
        // Web-hosting (IIS): the HttpContext wrapper is stored in the request properties
        if (request.Properties.ContainsKey(HttpContext))
        {
            dynamic ctx = request.Properties[HttpContext];
            if (ctx != null)
            {
                return ctx.Request.UserHostAddress;
            }
        }
        // Self-hosting (WCF/HttpListener): the remote endpoint message property
        if (request.Properties.ContainsKey(RemoteEndpointMessage))
        {
            dynamic remoteEndpoint = request.Properties[RemoteEndpointMessage];
            if (remoteEndpoint != null)
            {
                return remoteEndpoint.Address;
            }
        }
        // Owin-hosting: the OWIN context exposes the remote address directly
        if (request.Properties.ContainsKey(OwinContext))
        {
            dynamic ctx = request.Properties[OwinContext];
            if (ctx != null)
            {
                return ctx.Request.RemoteIpAddress;
            }
        }
        // Unknown hosting model; callers must handle null
        return null;
    }
}