你好,我已经搜索了几个小时,但我只找到了使用旧版 nginx/openssl 版本的解决方案。
我的问题是:如何才能在 nginx 中激活 TLSv1.2,客户端将通过 TLSv1.2 进行连接。
客户端仅会连接 TLSv1.0(浏览器/ openssl -connect)
我的实际配置是:
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
完整的配置如下:
upstream myapp {
server 127.0.0.1:5050;
}
server {
listen *:443 ssl;
server_name gu471.de;
server_name www.gu471.de;
server_name ipv4.gu471.de;
server_name ipv4.www.gu471.de;
ssl_certificate /ssl/gu471.crt;
ssl_certificate_key /ssl/privkey.pem;
ssl_client_certificate /ssl/linux_intermediate.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
access_log "/var/www/.logs/acc_gu471.nginx.log";
error_log "/var/www/.logs/err_gu471.nginx.log";
root /var/www/HP/current/public;
index index.html;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
try_files /system/maintenance.html $uri $uri/index.html $uri.html @ruby;
}
location @ruby {
proxy_pass http://myapp;
}
}
版本:
OpenSSL 1.0.1k 8 Jan 2015
nginx version: nginx/1.6.2
openssl 密码 -v | grep 1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
openssl s_client-连接gu471.de:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=GT02672551/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.gu471.de
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFpDCCBIygAwIBAgICQJAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNDIzMjEwM1oXDTE1MTAxODA2NDQ0NFowgY4xEzAR
BgNVBAsTCkdUMDI2NzI1NTExMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDDAoqLmd1NDcxLmRlMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvx+d4gdKY1naj2AQhYvPhPuDVbw
AwZuYixj8LJdAX9HfZJ5pfwSRt52OzAR7NgX7eb/4WOQJq8jJN/febyIOAcdpvP6
AW9ajewLuaEe2c0EQp1YCT4AxGRmw2sn2P92YpK5Rmd9xBiqGuVK3xraE5AAEBpF
MQX0trLVyHYB90GqhXP22wRXvJKk93cBj+JS+WHZvMdOuCMuWl/H3evjngrM7OwN
sun3sNx2rLaA0Raq9j9NF2l8Ws5DuEgKsW4lAEz1F4J2i6CWMQq2+biMBZztZMdU
3JiKYkGmO7rOF3vOccFrMQtqgeU2VZK5bzwl+vwOC+jXK7pSVBUP5dxzZ7NHdXsY
oqQ51vmRmif+rUATukzfMdMKxRMTYsCssooYeO3AkEamI7409Qdp50Gg9oKiPqTF
vZmOuUyi8TvhXFRMFnLD5wleHFi/PDh/SgwPP8+R0SxUE/YrNzPsJ+dSJyQOm7fb
hgWYe7cnqm62uQjcplwERWPvDIpkMd6i0ekNdfAiQFpe1jk5G5caQaZriUdktkTX
2T9J9KLxEcqm9qz8aiXC1plARXkN3NXzi4ZTIdNox7qNdS/qnp/brUjYwgv+n530
J5F7JwtJuMSKDWc8RiLD3Y7eSGArXoDpIGfY0Le6o08OfpRyBwVY/8zPsOJy1eCL
2GyG9n2u3TlcVCECAwEAAaOCAVAwggFMMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85G
f6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2
LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5j
cnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAfBgNVHREEGDAWggoqLmd1NDcxLmRlgghndTQ3MS5kZTArBgNVHR8EJDAiMCCg
HqAchhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMBAf8EAjAAMEUG
A1UdIAQ+MDwwOgYKYIZIAYb4RQEHNjAsMCoGCCsGAQUFBwIBFh5odHRwczovL3d3
dy5yYXBpZHNzbC5jb20vbGVnYWwwDQYJKoZIhvcNAQELBQADggEBAKSnKXcLaecA
IZ/+e0WszTMibFrAkMNt0HQyYn8TxbjkDfdZPjiANB9u+t//5V1V69HMqlqeZoWw
mW0qdrI7mjdQCG/vj6TvYYOgmePsbzsnV6BTW+K1EBn5u5nlzTGDiAjvnXzQ1l+R
Sk4dN4IEP8Lq5YJMr5zN0fOkyEr2t5yXdx+o2XaoIpbxSblR+q4XOyAKcw5Q8hda
fOhz2dV6JiiC3fsecITPiVWRRMIuNnIMXnh8o5g30kBgNBMnZrZGL3aJVW3K0Baf
+y4NqaRWNLf2yD6Rib4R1voX/ghL32bUhCbeY5esYfF0ipbYtXnJhbDl3zzNBwn5
r9bkbMomQyI=
-----END CERTIFICATE-----
subject=/OU=GT02672551/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.gu471.de
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4312 bytes and written 429 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 22D59B35BFB970ABB84426CE7506239CD48EA85E8B03DB26B7E4EB5560FBF411
Session-ID-ctx:
Master-Key: 4C11244E8E10BEE266DCE6577D39C5C9D9AD947AE7E9010075EC28BDFEC252736B8C2894ACBCA311113FB656A8020BA4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fe 84 be 26 38 31 cc cb-d9 7e 88 0f cb 27 b4 dd ...&81...~...'..
0010 - ef fe 0f c0 9e 9a 6f 21-f6 04 1e 9d 5e ee f2 ab ......o!....^...
0020 - 37 01 38 d4 d2 61 54 49-7f 72 18 be ce 68 c9 dc 7.8..aTI.r...h..
0030 - b9 a2 bd 65 c2 72 23 d2-d5 7b 8d 89 18 d6 6c a0 ...e.r#..{....l.
0040 - 04 2c 97 41 5f 55 6e f3-ab 62 2d 7a c5 43 ff 10 .,.A_Un..b-z.C..
0050 - 51 1d e4 8c 85 d8 68 5b-17 b3 47 ce 23 35 63 28 Q.....h[..G.#5c(
0060 - 0e 72 63 96 af 47 45 72-1f 54 36 a8 f7 6a 81 73 .rc..GEr.T6..j.s
0070 - 41 65 db 53 8f 8f 05 84-1e a5 e6 34 dc 31 f2 2b Ae.S.......4.1.+
0080 - da 7a 03 a0 93 84 a8 d4-5e de d1 42 9c b2 7d a4 .z......^..B..}.
0090 - 33 05 ef 2a fa 05 f0 61-ad fb 62 a7 45 91 07 99 3..*...a..b.E...
00a0 - 35 cd 98 7d 98 e1 d4 86-55 ae dc 32 27 a4 24 27 5..}....U..2'.$'
Start Time: 1438188405
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
有什么方法可以找出为什么我的服务器不能通过 TLSv1.2 进行通信?
答案1
不幸的是,ssl_protocols在默认配置文件中,当未找到子域的配置文件时会触发覆盖ssl_protocols子域的设置。
因此,在默认配置中进行设置(甚至不应该触发子域)也会TLSv1.2有所帮助。