在 Ubuntu 18.04.4 上无法让 TLSv1.3 与 nginx 1.14.0 和 OpenSSL 1.1.1 配合使用

Question 1

我的问题已经解决了。我有一个 default_server 配置/etc/nginx/sites-enabled/，其中还包含 ssl_protocols 参数中没有 TLSv1.3 标志（事实上，它根本没有 ssl_protocols 参数）。这显然导致了失败，即使我的测试是在由不同服务器块提供服务的主机名上运行的。想想吧！

Answer

我的问题已经解决了。我有一个 default_server 配置/etc/nginx/sites-enabled/，其中还包含 ssl_protocols 参数中没有 TLSv1.3 标志（事实上，它根本没有 ssl_protocols 参数）。这显然导致了失败，即使我的测试是在由不同服务器块提供服务的主机名上运行的。想想吧！

Question 2

你好，我尝试在其他帖子上回答，但不知什么原因，我无法回答。

我在自己的服务器上尝试了您的测试，但是得到了以下结果：

curl -I -v --tlsv1.3 --tls-max 1.3 https://bw.domain.com
*   Trying 10.0.1.86:443...
* TCP_NODELAY set
* Connected to bw.domain.com (10.0.1.86) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=bw.domain.com
*  start date: Feb  3 16:54:01 2020 GMT
*  expire date: May  3 16:54:01 2020 GMT
*  subjectAltName: host "bw.domain.com" matched cert's "bw.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: bw.domain.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Wed, 19 Feb 2020 15:23:50 GMT
Date: Wed, 19 Feb 2020 15:23:50 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 1373
Content-Length: 1373
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: public, max-age=600
Cache-Control: public, max-age=600
< Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
< Referrer-Policy: same-origin
Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ;
Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ;
< Access-Control-Allow-Origin:
Access-Control-Allow-Origin:

<
* Connection #0 to host bw.domain.com left intact

我的反向代理是 nginx，但其配置了 Mozilla 中间层。尽管有中间层 ssl-params，但 TLS1.3 握手似乎已建立。

# openssl version                      
OpenSSL 1.1.1d  10 Sep 2019

# nginx -V                             
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled

# uname -a
Linux 5.4.15-arch1-1

我正在使用以下 nginx-ssl 参数

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD
SA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;

resolver 10.0.1.1;

Answer

你好，我尝试在其他帖子上回答，但不知什么原因，我无法回答。

我在自己的服务器上尝试了您的测试，但是得到了以下结果：

curl -I -v --tlsv1.3 --tls-max 1.3 https://bw.domain.com
*   Trying 10.0.1.86:443...
* TCP_NODELAY set
* Connected to bw.domain.com (10.0.1.86) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=bw.domain.com
*  start date: Feb  3 16:54:01 2020 GMT
*  expire date: May  3 16:54:01 2020 GMT
*  subjectAltName: host "bw.domain.com" matched cert's "bw.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: bw.domain.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Wed, 19 Feb 2020 15:23:50 GMT
Date: Wed, 19 Feb 2020 15:23:50 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 1373
Content-Length: 1373
< Connection: keep-alive
Connection: keep-alive
< Cache-Control: public, max-age=600
Cache-Control: public, max-age=600
< Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'
< Referrer-Policy: same-origin
Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ;
Content-Security-Policy: frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb moz-extension://* ;
< Access-Control-Allow-Origin:
Access-Control-Allow-Origin:

<
* Connection #0 to host bw.domain.com left intact

我的反向代理是 nginx，但其配置了 Mozilla 中间层。尽管有中间层 ssl-params，但 TLS1.3 握手似乎已建立。

# openssl version                      
OpenSSL 1.1.1d  10 Sep 2019

# nginx -V                             
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled

# uname -a
Linux 5.4.15-arch1-1

我正在使用以下 nginx-ssl 参数

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl_dhparam /etc/ssl/dhparam.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD
SA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;

resolver 10.0.1.1;

在 Ubuntu 18.04.4 上无法让 TLSv1.3 与 nginx 1.14.0 和 OpenSSL 1.1.1 配合使用

答案1

答案2

相关内容