Nginx 配置文件 server 段添加 ssl_protocols TLSv1.3;（生产环境通常写成 `ssl_protocols TLSv1.2 TLSv1.3;` 以保留对旧客户端的兼容；TLSv1.3 需要 Nginx ≥ 1.13.0 且链接 OpenSSL ≥ 1.1.1；不要再保留已废弃的 TLSv1 / TLSv1.1，见 RFC 8996）
TLSv1.3 的密码套件与 TLS 1.2 的完全独立，OpenSSL 默认启用以下三种（RFC 8446 另定义了 TLS_AES_128_CCM_SHA256 和 TLS_AES_128_CCM_8_SHA256，默认不启用）：
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
注意：在基于 OpenSSL 的 Nginx 中，这些 TLS 1.3 套件不受 `ssl_ciphers` 控制（写在 `ssl_ciphers` 里的 TLS13-* 名称会被 OpenSSL 忽略）；需要调整时使用 `ssl_conf_command Ciphersuites ...;`（Nginx ≥ 1.19.4）。
server {
    # TLS 1.2 only: nothing in this block lets TLS 1.3 be negotiated.
    ssl_protocols TLSv1.2;
    # The same three suites as before, written with OpenSSL's conventional ':'
    # separator (the cipher-list parser accepts spaces, commas and colons alike):
    # ECDHE key exchange (forward secrecy) with an RSA certificate, AEAD only
    # (AES-GCM / ChaCha20-Poly1305). There are no ECDSA entries, so an ECDSA
    # certificate would have no matching suite under this list.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384';
}
#
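server {
    # Plaintext listener: the same content is served over HTTP with no redirect.
    # NOTE(review): prefer a dedicated server{} on :80 that only returns 301 to https://.
    listen 80;
    listen 443 ssl http2;
    server_name 192.168.122.217 hx.com;

    ssl_certificate /data/apps/nginx/ssl/hx.com.crt;
    ssl_certificate_key /data/apps/nginx/ssl/hx.com.key;

    # Session resumption: 1m of shared cache holds roughly 4000 sessions, 5 min lifetime.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    keepalive_timeout 75s;
    keepalive_requests 100;

    # TLSv1 / TLSv1.1 removed: both are deprecated (RFC 8996) and only weaken the
    # negotiation. TLSv1.3 needs Nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange (forward secrecy) with AEAD only
    # (AES-GCM / ChaCha20-Poly1305), for both RSA and ECDSA certificates.
    # Dropped from the original list: static RSA key exchange (RSA+AES*, no forward
    # secrecy), 3DES (64-bit block, SWEET32) and the TLS13-* / -draft tokens, which
    # OpenSSL does not recognise here -- with OpenSSL the TLS 1.3 suites are not
    # selected through ssl_ciphers at all (use ssl_conf_command Ciphersuites, >= 1.19.4).
    ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5';

    # 0-RTT: requests carried as early data can be replayed by a network attacker.
    # Tolerable here only because this block serves static files; anything
    # non-idempotent (or proxied) must check $ssl_early_data (e.g.
    # proxy_set_header Early-Data $ssl_early_data;) or leave this off.
    ssl_early_data on;

    location / {
        chunked_transfer_encoding on;
        root html;
        index index.html;
    }
}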
server {
    # TLS 1.2 only: nothing in this block lets TLS 1.3 be negotiated.
    ssl_protocols TLSv1.2;
    # The same three suites as before, written with OpenSSL's conventional ':'
    # separator (the cipher-list parser accepts spaces, commas and colons alike):
    # ECDHE key exchange (forward secrecy) with an RSA certificate, AEAD only
    # (AES-GCM / ChaCha20-Poly1305). There are no ECDSA entries, so an ECDSA
    # certificate would have no matching suite under this list.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384';
}
#
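server {
    # Plaintext listener: the same content is served over HTTP with no redirect.
    # NOTE(review): prefer a dedicated server{} on :80 that only returns 301 to https://.
    listen 80;
    listen 443 ssl http2;
    server_name 192.168.122.217 hx.com;

    ssl_certificate /data/apps/nginx/ssl/hx.com.crt;
    ssl_certificate_key /data/apps/nginx/ssl/hx.com.key;

    # Session resumption: 1m of shared cache holds roughly 4000 sessions, 5 min lifetime.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    keepalive_timeout 75s;
    keepalive_requests 100;

    # TLSv1 / TLSv1.1 removed: both are deprecated (RFC 8996) and only weaken the
    # negotiation. TLSv1.3 needs Nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange (forward secrecy) with AEAD only
    # (AES-GCM / ChaCha20-Poly1305), for both RSA and ECDSA certificates.
    # Dropped from the original list: static RSA key exchange (RSA+AES*, no forward
    # secrecy), 3DES (64-bit block, SWEET32) and the TLS13-* / -draft tokens, which
    # OpenSSL does not recognise here -- with OpenSSL the TLS 1.3 suites are not
    # selected through ssl_ciphers at all (use ssl_conf_command Ciphersuites, >= 1.19.4).
    ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5';

    # 0-RTT: requests carried as early data can be replayed by a network attacker.
    # Tolerable here only because this block serves static files; anything
    # non-idempotent (or proxied) must check $ssl_early_data (e.g.
    # proxy_set_header Early-Data $ssl_early_data;) or leave this off.
    ssl_early_data on;

    location / {
        chunked_transfer_encoding on;
        root html;
        index index.html;
    }
}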
tengine2.3 配置（启用 TLS 1.3 的 0-RTT 早期数据；只在 ssl_protocols 已包含 TLSv1.3 且链接 OpenSSL ≥ 1.1.1 时生效）
# 0-RTT early data (TLS 1.3 only). Requests sent as early data can be replayed by
# an attacker; anything non-idempotent must check $ssl_early_data (e.g.
# proxy_set_header Early-Data $ssl_early_data;) before this is turned on.
ssl_early_data on;
- 生成 SSL 配置文件（Mozilla SSL Configuration Generator：选择 Nginx，并按客户端兼容需求选择 Modern / Intermediate 等级，生成的配置已去掉 TLSv1 / TLSv1.1 和非前向保密套件）
https://ssl-config.mozilla.org
1.1证书转换
.crt 的 SSL 证书文件转换成 .pem 格式（.crt 通常本身就是 PEM 编码，内容以 -----BEGIN CERTIFICATE----- 开头，此时转换只是重新输出；若文件是二进制 DER，需要给 openssl x509 加上 -inform DER）
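# Re-emit the certificate as PEM. `openssl x509` reads PEM by default; if the .crt
# is binary DER (does not start with "-----BEGIN CERTIFICATE-----"), add
# `-inform DER` before `-in`.
openssl x509 -in www.xx.com.crt -out www.xx.com.pem

# `openssl rsa -out` writes an UNENCRYPTED private key (any passphrase on the input
# is stripped). Tighten the umask first so the new file is created 0600 instead of
# inheriting a world-readable default; this umask stays in effect for the rest of
# the shell session. For non-RSA (e.g. EC) keys use `openssl pkey` instead of
# `openssl rsa`.
umask 077
openssl rsa -in ulqkmns.cn.key -out ulqkmns.cn.key.pem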
检查证书的私钥和证书是否匹配：分别对证书和私钥的 modulus 取摘要，两行输出完全一致即匹配（这里的 md5 只用于对比输出，和安全强度无关）。注意 -modulus 只适用于 RSA；对 ECDSA 等其它类型，改为比较公钥：`openssl x509 -in ssl.crt -noout -pubkey | openssl sha256` 与 `openssl pkey -in ssl.key -pubout | openssl sha256`（该写法对 RSA 同样有效）。
```bash
[root@--]# openssl x509 -noout -modulus -in ssl.crt | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl rsa -noout -modulus -in ssl.key | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl x509 -noout -modulus -in ssl.crt | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
[root@--]# openssl rsa -noout -modulus -in ssl.key | openssl md5
(stdin)= 8216eeaa8e1a346dd1f5dfecaadfec1d
```