nginx 1.15.10 - TLSv1.3 not applied despite correct configuration

nginx -V
nginx version: nginx/1.15.10
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) 
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1b  26 Feb 2019)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.15.10/debian/debuild-base/nginx-1.15.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

I am trying to enable TLSv1.3 on Debian Stretch using nginx from the developers' official repository. So far without success - the tests from Firefox 65 and ssllabs do not show it supporting TLSv1.3, and when I remove TLSv1.2 support I get a strange "SSL_ERROR_INTERNAL_ERROR_ALERT" fatal error in Firefox. Googling has not turned up any promising leads, and "it works for everyone" (what a shock!).

Here are the relevant configuration snippets, all SSL/TLS-related:

listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
server_name mysite.intra;

# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# NOTE: some settings below might be redundant
#ssl on;
ssl_certificate /[hidden];
ssl_certificate_key /[hidden];

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
#ssl_protocols TLSv1.3;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 1.1.1.1 1.0.0.1 8.8.8.8;

Here is a recursive search of the configuration directory for any mention of TLS:

Searching 21 files for "TLS"
/mnt/sshfs/mysite/etc/nginx/nginx.conf:
   24      default_type  application/octet-stream;
   25  
   26:     #ssl_protocols TLSv1.2 TLSv1.3;
   27      #ssl_prefer_server_ciphers on;
   28  

/mnt/sshfs/mysite/etc/nginx/sites-available/default:
   21   access_log /var/log/nginx/mysite-access.log combined;
   22  
   23:     # Use Mozilla's guidelines for SSL/TLS settings
   24:     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
   25      # NOTE: some settings below might be redundant
   26   #ssl on;
   ..
   32   ssl_session_tickets off;
   33   ssl_prefer_server_ciphers on;
   34:  ssl_protocols TLSv1.3 TLSv1.2;
   35   ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
   36   ssl_stapling on;

/mnt/sshfs/mysite/etc/nginx/sites-enabled/default:
   21   access_log /var/log/nginx/mysite-access.log combined;
   22  
   23:     # Use Mozilla's guidelines for SSL/TLS settings
   24:     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
   25      # NOTE: some settings below might be redundant
   26   #ssl on;
   ..
   32   ssl_session_tickets off;
   33   ssl_prefer_server_ciphers on;
   34:  ssl_protocols TLSv1.3 TLSv1.2;
   35   ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
   36   ssl_stapling on;

10 matches across 3 files

Can someone explain what is going on here?

Answer 1

built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1b  26 Feb 2019)

nginx was built against OpenSSL 1.1.0. TLS 1.3 is only implemented in OpenSSL 1.1.1.

Simply replacing the existing library on the system is not enough, because the API needed to enable TLS 1.3 is only available in OpenSSL 1.1.1. Since your nginx was not built against OpenSSL 1.1.1, it was not built to use this API and therefore cannot enable TLS 1.3. I would expect you to see some message in the error log indicating that this is a configuration problem.

To fix this, you need to rebuild nginx against OpenSSL 1.1.1. See Debian 9 extending Nginx with OpenSSL 1.1.1 and TLSv1.3 for help.
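As an added illustration of the diagnosis above (this script is not part of the original question or answer), the following shell script parses the "built with OpenSSL ..." line that `nginx -V` prints, separates the OpenSSL version the binary was compiled against from the one loaded at run time, and reports whether TLS 1.3 is possible for that binary at all: the build-time version must be 1.1.1 or later, regardless of which libssl is installed now. The embedded `nginx -V` text is copied from the question; the function names, the verdict labels and the optional `probe_tls13` live check via `openssl s_client -tls1_3` are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post): distinguish the OpenSSL that
# nginx was built against from the OpenSSL it is running with, and decide
# whether TLS 1.3 can be enabled for this binary.

# Constructed sample: the `nginx -V` lines from the question (nginx prints them to stderr).
SAMPLE_NGINX_V='nginx version: nginx/1.15.10
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0j  20 Nov 2018 (running with OpenSSL 1.1.1b  26 Feb 2019)
TLS SNI support enabled'

# OpenSSL version the binary was compiled against. This fixes the API nginx
# knows about, e.g. whether it can ask the library for TLSv1.3 at all.
built_openssl() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# OpenSSL version loaded at run time. nginx only prints this when it differs
# from the build-time version, so an empty result means "same as built".
running_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Exit 0 when a version string is 1.1.1 or newer, the first OpenSSL release
# that implements TLS 1.3. The patch letter (1.1.0j) is irrelevant and dropped.
openssl_has_tls13() {
    v=$(printf '%s' "$1" | sed 's/[a-z].*$//')   # 1.1.0j -> 1.1.0
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Verdict for one `nginx -V` dump:
#   ok           build-time and run-time OpenSSL both support TLS 1.3
#   rebuild      compiled against pre-1.1.1 OpenSSL (the question's case):
#                swapping libssl underneath it does not help, rebuild nginx
#   upgrade-lib  the binary knows TLS 1.3 but the loaded libssl is too old
tls13_verdict() {
    b=$(built_openssl "$1")
    r=$(running_openssl "$1")
    [ -n "$r" ] || r=$b
    if ! openssl_has_tls13 "$b"; then
        echo rebuild
    elif ! openssl_has_tls13 "$r"; then
        echo upgrade-lib
    else
        echo ok
    fi
}

# Optional live check against a server (needs an OpenSSL 1.1.1+ client):
# force a TLS 1.3-only handshake and see whether the server negotiates it.
probe_tls13() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
        | grep -q 'Protocol *: TLSv1.3'
}

# Run on the sample from the question, then on the local nginx if present.
echo "sample: $(tls13_verdict "$SAMPLE_NGINX_V")"      # prints: sample: rebuild
if command -v nginx >/dev/null 2>&1; then
    echo "local nginx: $(tls13_verdict "$(nginx -V 2>&1)")"
fi
```

The "rebuild" verdict is the situation in the question: the running 1.1.1b library is irrelevant because the binary was compiled against 1.1.0 headers. Once nginx has been rebuilt, `probe_tls13 mysite.intra` (with a 1.1.1 or newer `openssl` client) confirms from the outside that TLSv1.3 is actually negotiated.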
