SRE文档

深浅模式

Nginx 配置文件 server 段添加 ssl_protocols TLSv1.3;

TLSv1.3 现行 cipher 只有以下三种:

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

server {
    
   ssl_protocols TLSv1.2;
ssl_ciphers   'ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384';
}

#
server {
	listen 80;
	listen 443 ssl http2;
	server_name 192.168.122.217 hx.com;
	ssl_certificate     /data/apps/nginx/ssl/hx.com.crt; 
        ssl_certificate_key  /data/apps/nginx/ssl/hx.com.key; 


        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        keepalive_timeout    75s;
        keepalive_requests   100;

  ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_early_data  on;

	location / {
		chunked_transfer_encoding on;
		root html;
		index index.html;
	}
}
server {
    
   ssl_protocols TLSv1.2;
ssl_ciphers   'ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384';
}

#
server {
	listen 80;
	listen 443 ssl http2;
	server_name 192.168.122.217 hx.com;
	ssl_certificate     /data/apps/nginx/ssl/hx.com.crt; 
        ssl_certificate_key  /data/apps/nginx/ssl/hx.com.key; 


        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        keepalive_timeout    75s;
        keepalive_requests   100;

  ssl_protocols   TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers    'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_early_data  on;

	location / {
		chunked_transfer_encoding on;
		root html;
		index index.html;
	}
}

tengine2.3 配置

ssl_early_data on;

  • 生成ssl配置文件

https://ssl-config.mozilla.org

1.1证书转换

.crt的ssl证书文件转换成.pem格式

openssl x509 -in www.xx.com.crt -out www.xx.com.pem

openssl rsa -in ulqkmns.cn.key -out ulqkmns.cn.key.pem

  • 检查证书的私钥和证书是否匹配

bash
[root@--]# openssl x509 -noout -modulus -in ssl.crt | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl rsa -noout -modulus -in ssl.key | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl x509 -noout -modulus -in ssl.crt | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl rsa -noout -modulus -in ssl.key | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d