Debian wheezy 上的 nginx 和 TLS > 1.0?

Debian wheezy 上的 nginx 和 TLS > 1.0?

你好,我已经搜索了几个小时,但我只找到了使用旧版 nginx/openssl 版本的解决方案。

我的问题是:如何才能在 nginx 中激活 TLSv1.2,客户端将通过 TLSv1.2 进行连接。

客户端仅会连接 TLSv1.0(浏览器/ openssl -connect

我的实际配置是:

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers   on;

完整的配置如下:

  upstream myapp {
    server 127.0.0.1:5050;
  }
  server {
  listen *:443 ssl;

  server_name gu471.de;
  server_name www.gu471.de;
  server_name ipv4.gu471.de;
  server_name ipv4.www.gu471.de;

  ssl_certificate             /ssl/gu471.crt;
  ssl_certificate_key         /ssl/privkey.pem;
  ssl_client_certificate      /ssl/linux_intermediate.pem;
  ssl_session_timeout         5m;

  ssl_protocols TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
  ssl_prefer_server_ciphers   on;

  access_log "/var/www/.logs/acc_gu471.nginx.log";
  error_log "/var/www/.logs/err_gu471.nginx.log";

  root     /var/www/HP/current/public;
  index    index.html;

  location / {
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  Host $http_host;
    proxy_redirect  off;
    try_files /system/maintenance.html $uri $uri/index.html $uri.html @ruby;
  }

  location @ruby {
    proxy_pass http://myapp;
  }
}

版本:

OpenSSL 1.0.1k 8 Jan 2015
nginx version: nginx/1.6.2

openssl 密码 -v | grep 1.2

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

openssl s_client-连接gu471.de:443

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=GT02672551/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.gu471.de
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFpDCCBIygAwIBAgICQJAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNDIzMjEwM1oXDTE1MTAxODA2NDQ0NFowgY4xEzAR
BgNVBAsTCkdUMDI2NzI1NTExMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRMwEQYDVQQDDAoqLmd1NDcxLmRlMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvx+d4gdKY1naj2AQhYvPhPuDVbw
AwZuYixj8LJdAX9HfZJ5pfwSRt52OzAR7NgX7eb/4WOQJq8jJN/febyIOAcdpvP6
AW9ajewLuaEe2c0EQp1YCT4AxGRmw2sn2P92YpK5Rmd9xBiqGuVK3xraE5AAEBpF
MQX0trLVyHYB90GqhXP22wRXvJKk93cBj+JS+WHZvMdOuCMuWl/H3evjngrM7OwN
sun3sNx2rLaA0Raq9j9NF2l8Ws5DuEgKsW4lAEz1F4J2i6CWMQq2+biMBZztZMdU
3JiKYkGmO7rOF3vOccFrMQtqgeU2VZK5bzwl+vwOC+jXK7pSVBUP5dxzZ7NHdXsY
oqQ51vmRmif+rUATukzfMdMKxRMTYsCssooYeO3AkEamI7409Qdp50Gg9oKiPqTF
vZmOuUyi8TvhXFRMFnLD5wleHFi/PDh/SgwPP8+R0SxUE/YrNzPsJ+dSJyQOm7fb
hgWYe7cnqm62uQjcplwERWPvDIpkMd6i0ekNdfAiQFpe1jk5G5caQaZriUdktkTX
2T9J9KLxEcqm9qz8aiXC1plARXkN3NXzi4ZTIdNox7qNdS/qnp/brUjYwgv+n530
J5F7JwtJuMSKDWc8RiLD3Y7eSGArXoDpIGfY0Le6o08OfpRyBwVY/8zPsOJy1eCL
2GyG9n2u3TlcVCECAwEAAaOCAVAwggFMMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85G
f6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2
LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5j
cnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAfBgNVHREEGDAWggoqLmd1NDcxLmRlgghndTQ3MS5kZTArBgNVHR8EJDAiMCCg
HqAchhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMBAf8EAjAAMEUG
A1UdIAQ+MDwwOgYKYIZIAYb4RQEHNjAsMCoGCCsGAQUFBwIBFh5odHRwczovL3d3
dy5yYXBpZHNzbC5jb20vbGVnYWwwDQYJKoZIhvcNAQELBQADggEBAKSnKXcLaecA
IZ/+e0WszTMibFrAkMNt0HQyYn8TxbjkDfdZPjiANB9u+t//5V1V69HMqlqeZoWw
mW0qdrI7mjdQCG/vj6TvYYOgmePsbzsnV6BTW+K1EBn5u5nlzTGDiAjvnXzQ1l+R
Sk4dN4IEP8Lq5YJMr5zN0fOkyEr2t5yXdx+o2XaoIpbxSblR+q4XOyAKcw5Q8hda
fOhz2dV6JiiC3fsecITPiVWRRMIuNnIMXnh8o5g30kBgNBMnZrZGL3aJVW3K0Baf
+y4NqaRWNLf2yD6Rib4R1voX/ghL32bUhCbeY5esYfF0ipbYtXnJhbDl3zzNBwn5
r9bkbMomQyI=
-----END CERTIFICATE-----
subject=/OU=GT02672551/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.gu471.de
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4312 bytes and written 429 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 22D59B35BFB970ABB84426CE7506239CD48EA85E8B03DB26B7E4EB5560FBF411
    Session-ID-ctx:
    Master-Key: 4C11244E8E10BEE266DCE6577D39C5C9D9AD947AE7E9010075EC28BDFEC252736B8C2894ACBCA311113FB656A8020BA4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - fe 84 be 26 38 31 cc cb-d9 7e 88 0f cb 27 b4 dd   ...&81...~...'..
    0010 - ef fe 0f c0 9e 9a 6f 21-f6 04 1e 9d 5e ee f2 ab   ......o!....^...
    0020 - 37 01 38 d4 d2 61 54 49-7f 72 18 be ce 68 c9 dc   7.8..aTI.r...h..
    0030 - b9 a2 bd 65 c2 72 23 d2-d5 7b 8d 89 18 d6 6c a0   ...e.r#..{....l.
    0040 - 04 2c 97 41 5f 55 6e f3-ab 62 2d 7a c5 43 ff 10   .,.A_Un..b-z.C..
    0050 - 51 1d e4 8c 85 d8 68 5b-17 b3 47 ce 23 35 63 28   Q.....h[..G.#5c(
    0060 - 0e 72 63 96 af 47 45 72-1f 54 36 a8 f7 6a 81 73   .rc..GEr.T6..j.s
    0070 - 41 65 db 53 8f 8f 05 84-1e a5 e6 34 dc 31 f2 2b   Ae.S.......4.1.+
    0080 - da 7a 03 a0 93 84 a8 d4-5e de d1 42 9c b2 7d a4   .z......^..B..}.
    0090 - 33 05 ef 2a fa 05 f0 61-ad fb 62 a7 45 91 07 99   3..*...a..b.E...
    00a0 - 35 cd 98 7d 98 e1 d4 86-55 ae dc 32 27 a4 24 27   5..}....U..2'.$'
    Start Time: 1438188405
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

有什么方法可以找出为什么我的服务器不能通过 TLSv1.2 进行通信?

答案1

不幸的是,ssl_protocols在默认配置文件中,当未找到子域的配置文件时会触发覆盖ssl_protocols子域的设置。

因此,在默认配置中进行设置(甚至不应该触发子域)也会TLSv1.2有所帮助。

相关内容