# Session resumption: tickets are encrypted with the key file below and handed
# to the client; the shared cache keeps session state on the server instead.
ssl_session_tickets       on;
# NOTE(review): nginx does not expand "~" — a non-absolute path is resolved
# against the nginx prefix directory, so use an absolute path here. The file is
# a secret (it decrypts every ticket issued while it is in use): keep it
# owner-only and rotate it. The directive may be given several times: the first
# key encrypts new tickets and the others only decrypt, which allows rotation
# without breaking resumption.
ssl_session_ticket_key  ~/ssl_session_ticket.key;
# 10 MB cache shared by all worker processes.
ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     10m;

# OCSP stapling: nginx fetches the OCSP response and sends it in the handshake.
ssl_stapling on;
# Verify the responder's signature before stapling; needs the chain below.
ssl_stapling_verify on;
# Must hold the root CA plus the intermediates that sign the OCSP response
# (same "~" caveat as above).
ssl_trusted_certificate   ~/ocsp.cer;
# Used to resolve the OCSP responder host. Queries to a public resolver leave
# the host as plaintext DNS; a local or otherwise trusted resolver is preferable.
resolver 208.67.222.222 valid=300s;
resolver_timeout 5s;
# The directives below repeat the block above verbatim (the page renders it twice).
ssl_session_tickets       on;
ssl_session_ticket_key  ~/ssl_session_ticket.key;
ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     10m;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate   ~/ocsp.cer;
resolver 208.67.222.222 valid=300s;
resolver_timeout 5s;

TLS 会话恢复的目的是简化 TLS 握手,它包含两种方案:Session Cache 和 Session Ticket,这俩都是将之前握手的 Session 存起来,供后续连接使用。

所不同的是,Session Cache 将缓存丢在服务端,占用服务端资源;而 Session Ticket 丢在客户端,不占用服务端资源,而是对客户端提出缓存要求,这对客户端浏览器的兼容性提出了要求。目前主流浏览器普遍支持 Session Cache,而 Session Ticket 的支持度较一般。

在以上配置中,出现了一个 ssl_session_ticket.key,这个文件是用于让多台机器使用相同的 key 文件,否则 Nginx 会使用随机生成的 key 文件,无法复用 Session Ticket,降低性能。对于单服务器站点,此文件无需配置。可执行以下指令生成该文件:

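# Generate the session-ticket key shared by all servers. nginx accepts a 48-byte
# file (AES-128 ticket encryption) or an 80-byte file (AES-256). The file is a
# secret: a leaked key lets a recorded ticket-resumed session be decrypted for
# as long as that key was in use, so create it with owner-only permissions
# (the umask is set inside a subshell so the caller's umask is untouched),
# copy it to the other servers over a protected channel, and rotate it.
( umask 077 && openssl rand 48 > ssl_session_ticket.key )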

  • ssl_stapling_file

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file

Syntax:     ssl_stapling_file file;
Default:     —
Context:     http, server
Syntax:     ssl_stapling_file file;
Default:     —
Context:     http, server
  • 生成ocsp 文件
# Fetch an OCSP response for website.pem from its issuer's responder and save
# it in DER form for ssl_stapling_file.
#   -no_nonce : a stapled response is replayed to many clients, so it must not
#               be bound to a one-off request nonce.
#   -CAfile   : trust anchors used to verify the responder's signature.
#   -VAfile   : additionally trust these certificates as responder signers.
#   -url      : the responder; take it from the certificate's AIA extension
#               (`openssl x509 -noout -ocsp_uri`) rather than hard-coding it.
# Check that the output reports the certificate status as "good" and the
# response verify as OK before installing stapled.der; the response is only
# valid for a limited time, so run this from a scheduled job.
openssl ocsp -no_nonce \
    -issuer  intermediate.pem \
    -cert    website.pem \
    -CAfile  bundle.pem \
    -VAfile  bundle.pem \
    -url     http://ocsp.int-x3.letsencrypt.org \
    -respout stapled.der
# The command below repeats the one above verbatim (the page renders it twice).
openssl ocsp -no_nonce \
    -issuer  intermediate.pem \
    -cert    website.pem \
    -CAfile  bundle.pem \
    -VAfile  bundle.pem \
    -url     http://ocsp.int-x3.letsencrypt.org \
    -respout stapled.der
  • 配置
ssl_stapling on;
# A pre-fetched DER response served as-is instead of querying the responder.
# It must be regenerated before it expires (the page notes 7 days) and nginx
# reloaded, otherwise clients receive a stale and eventually invalid staple.
ssl_stapling_file .../stapled.der;
# The two directives below repeat the ones above verbatim.
ssl_stapling on;
ssl_stapling_file .../stapled.der;

stapled.der 这个文件的有效期为 7 天

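# Download Mozilla's published ffdhe2048 DH parameters for ssl_dhparam.
# -f makes curl fail on an HTTP error instead of writing the error page into
# dhparam.pem; -sS is quiet except for errors; -o writes the file directly.
curl -fsS -o /path/to/dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt
# Sanity-check that what was downloaded parses as DH parameters before
# pointing nginx at it.
openssl dhparam -in /path/to/dhparam.pem -noout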

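# Finite-field DH group used for DHE cipher suites (file fetched above).
ssl_dhparam /path/to/dhparam.pem;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

# replace with the IP address of your resolver
resolver 127.0.0.1;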
  • crt to pem

# Re-encode a certificate as PEM. NOTE(review): openssl x509 reads PEM by
# default; if www.xx.com.crt is DER-encoded (binary), add `-inform DER` or the
# command fails to parse it. Verify the result with
# `openssl x509 -in www.xx.com.pem -noout -subject`.
openssl x509 -in www.xx.com.crt -out www.xx.com.pem

获取中间证书

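# Dump the certificate chain the server sends. -servername sends SNI so a
# server hosting several names returns the chain for xx.com rather than its
# default vhost (older OpenSSL versions do not send SNI unless asked); stdin is
# /dev/null so s_client exits after the handshake. The output's SSL-Session
# section includes the Session-ID, Master-Key and session ticket of this
# connection — redact them before sharing a transcript.
openssl s_client -connect xx.com:443 -servername xx.com -showcerts < /dev/null 2>&1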

CONNECTED(00000004)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.bitcoinwin.io
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.bitcoinwin.io
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, CN = *.bitcoinwin.io

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5693 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 959412EF2EE6AAA15C723B577AF63A36AC2761C600948FC048EEF38813875637
    Session-ID-ctx: 
    Master-Key: 66A51845AA2374CB7C565EE26F15D1B2DEFA1F4C36034F95331CC1E45C1B7D6BA48E45ACECDF7ED9AADC1CFE219D12F9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e2 bb 80 56 bb 80 7c 52-48 8d a0 fd d8 99 24 ce   ...V..|RH.....$.
    0010 - 80 0d 02 7a 81 d1 87 cc-8e a8 9a 6b a4 7f 75 db   ...z.......k..u.
    0020 - 8f cf e5 bb c2 11 24 82-f4 57 dc b6 18 6b 32 8c   ......$..W...k2.
    0030 - 53 6e 9c 1f 7c 89 0a f9-21 54 97 86 3f a2 38 02   Sn..|...!T..?.8.
    0040 - c1 b3 c1 31 2f d8 1c fb-96 dd 14 b3 f8 7b 6f a5   ...1/........{o.
    0050 - 9d 00 da d4 7c 40 2b 82-95 db 3c ec 33 80 74 25   ....|@+...<.3.t%
    0060 - da 76 93 af 95 c0 da f9-77 69 77 93 bf 18 8a 9e   .v......wiw.....
    0070 - 5e 79 23 9e 74 34 fb 80-de dd 20 d6 aa 40 eb 64   ^y#.t4.... ..@.d
    0080 - ca 4b fe 21 40 7f de f3-5c e6 7f d7 e7 7d 5d cc   .K.!@...\....}].
    0090 - e0 21 eb 8f 05 8c 25 56-59 b9 6c 8b 66 72 5f 3a   .!....%VY.l.fr_:
    00a0 - 69 c6 65 d1 bf b0 d2 dd-f3 f1 5a 2b c4 e1 d3 2a   i.e.......Z+...*
    00b0 - 15 e6 c9 9d 5d 82 b7 10-25 08 d4 8c 50 24 0d 3b   ....]...%...P$.;
    00c0 - 1c f1 0e 33 2e 54 dc c2-da 78 31 12 75 5d 04 2c   ...3.T...x1.u].,

    Start Time: 1579080694
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
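# Same chain dump as above. -servername sends SNI so the server returns the
# chain for xx.com rather than its default vhost (older OpenSSL versions do not
# send SNI unless asked); stdin is /dev/null so s_client exits after the
# handshake. The SSL-Session section of the output contains the Session-ID,
# Master-Key and session ticket — redact them before sharing a transcript.
openssl s_client -connect xx.com:443 -servername xx.com -showcerts < /dev/null 2>&1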

CONNECTED(00000004)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.bitcoinwin.io
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.bitcoinwin.io
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, CN = *.bitcoinwin.io

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5693 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 959412EF2EE6AAA15C723B577AF63A36AC2761C600948FC048EEF38813875637
    Session-ID-ctx: 
    Master-Key: 66A51845AA2374CB7C565EE26F15D1B2DEFA1F4C36034F95331CC1E45C1B7D6BA48E45ACECDF7ED9AADC1CFE219D12F9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e2 bb 80 56 bb 80 7c 52-48 8d a0 fd d8 99 24 ce   ...V..|RH.....$.
    0010 - 80 0d 02 7a 81 d1 87 cc-8e a8 9a 6b a4 7f 75 db   ...z.......k..u.
    0020 - 8f cf e5 bb c2 11 24 82-f4 57 dc b6 18 6b 32 8c   ......$..W...k2.
    0030 - 53 6e 9c 1f 7c 89 0a f9-21 54 97 86 3f a2 38 02   Sn..|...!T..?.8.
    0040 - c1 b3 c1 31 2f d8 1c fb-96 dd 14 b3 f8 7b 6f a5   ...1/........{o.
    0050 - 9d 00 da d4 7c 40 2b 82-95 db 3c ec 33 80 74 25   ....|@+...<.3.t%
    0060 - da 76 93 af 95 c0 da f9-77 69 77 93 bf 18 8a 9e   .v......wiw.....
    0070 - 5e 79 23 9e 74 34 fb 80-de dd 20 d6 aa 40 eb 64   ^y#.t4.... ..@.d
    0080 - ca 4b fe 21 40 7f de f3-5c e6 7f d7 e7 7d 5d cc   .K.!@...\....}].
    0090 - e0 21 eb 8f 05 8c 25 56-59 b9 6c 8b 66 72 5f 3a   .!....%VY.l.fr_:
    00a0 - 69 c6 65 d1 bf b0 d2 dd-f3 f1 5a 2b c4 e1 d3 2a   i.e.......Z+...*
    00b0 - 15 e6 c9 9d 5d 82 b7 10-25 08 d4 8c 50 24 0d 3b   ....]...%...P$.;
    00c0 - 1c f1 0e 33 2e 54 dc c2-da 78 31 12 75 5d 04 2c   ...3.T...x1.u].,

    Start Time: 1579080694
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

编号为 0 的证书是站点证书;

编号为 1 的证书是中间证书

我的证书链一共是三级,服务端只需要发送两个证书,对于四级证书链,服务端就需要发送三个证书了。总之,只有根证书无需发送

将站点证书保存为 site.pem;中间证书保存为 intermediate.pem(如果有多个中间证书,按照子证书在上的顺序保存);再从系统中导出对应的根证书存为 root.pem。这样,证书链上的所有证书都搞定了。为了确保无误,建议再验证一下每个证书的 Common Name:

$ openssl x509 -in site.pem -noout -subject
subject= /CN=www.imququ.com

$ openssl x509 -in intermediate.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G4

$ openssl x509 -in root.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
$ openssl x509 -in site.pem -noout -subject
subject= /CN=www.imququ.com

$ openssl x509 -in intermediate.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G4

$ openssl x509 -in root.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
# Print the subject of each saved certificate to confirm the files hold the
# site certificate and its issuer.
openssl x509 -in site.pem -noout -subject
openssl x509 -in intermediate.pem -noout -subject
# Read the OCSP responder URL from the site certificate's AIA extension
# instead of guessing it.
openssl x509 -in site.pem -noout -ocsp_uri
# Query the responder directly and print the decoded response.
# NOTE(review): no -CAfile/-VAfile is given, so the responder signature is
# checked against OpenSSL's default trust store; confirm the output reports
# "Response verify OK" and a certificate status of "good" before trusting it.
openssl ocsp -issuer intermediate.pem -cert site.pem -no_nonce -text -url http://ocsp.godaddy.com
# The four commands below repeat the ones above verbatim (the page renders them twice).
openssl x509 -in site.pem -noout -subject
openssl x509 -in intermediate.pem -noout -subject
openssl x509 -in site.pem -noout -ocsp_uri
openssl ocsp -issuer intermediate.pem -cert site.pem -no_nonce -text -url http://ocsp.godaddy.com
  • 完整配置
     # Server-side session cache shared by all workers; 4h bounds how long a
     # session may be resumed.
     ssl_session_cache   shared:SSL:20m;
     ssl_session_timeout 4h;
     # Only TLS 1.2 and 1.3 are offered.
     ssl_protocols TLSv1.2 TLSv1.3;

     ssl_prefer_server_ciphers on;  # prefer a list of ciphers to prevent old and slow ciphers
     # NOTE(review): the AES256+EECDH and AES256+EDH groups also match CBC-mode
     # suites, not only GCM; check with `openssl ciphers -v '<list>'` and
     # consider keeping only AEAD suites. TLS 1.3 suites are not governed by
     # this list.
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';


    charset utf-8;
    # The private key should be readable only by the user that starts nginx.
 	ssl_certificate /data/apps/nginx/ssl/domain.crt;
	ssl_certificate_key /data/apps/nginx/ssl/domain.key;

	# OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
	# Static, pre-fetched OCSP response served instead of querying the
	# responder; it must be refreshed (and nginx reloaded) before it expires.
	ssl_stapling_file /data/apps/nginx/ssl/stapling_ocsp;
    # NOTE(review): ssl_stapling_verify checks the OCSP response against this
    # file, which should hold the root CA and intermediates; it points at the
    # same file as ssl_certificate — confirm domain.crt is a full chain bundle.
    ssl_trusted_certificate  /data/apps/nginx/ssl/domain.crt;

	# Public resolver reached over plaintext DNS; a local or trusted resolver
	# is preferable.
	resolver 8.8.8.8 valid=300s;
	resolver_timeout 2s;

        # Smaller TLS records so the first bytes reach the client sooner.
        ssl_buffer_size 4k;
     # The directives below repeat the block above verbatim (the page renders it twice).
     ssl_session_cache   shared:SSL:20m;
     ssl_session_timeout 4h;
     ssl_protocols TLSv1.2 TLSv1.3;

     ssl_prefer_server_ciphers on;  # prefer a list of ciphers to prevent old and slow ciphers
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';


    charset utf-8;
 	ssl_certificate /data/apps/nginx/ssl/domain.crt;
	ssl_certificate_key /data/apps/nginx/ssl/domain.key;

	# OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
	ssl_stapling_file /data/apps/nginx/ssl/stapling_ocsp;
    ssl_trusted_certificate  /data/apps/nginx/ssl/domain.crt;

	resolver 8.8.8.8 valid=300s;
	resolver_timeout 2s;

        ssl_buffer_size 4k;

测试带宽

$ wget -O /dev/null http://url/download.tgz
$ curl -o /dev/null http://url/download.tgz
$ scp download.tgz jaseywang@host-2:
$ wget -O /dev/null http://url/download.tgz
$ curl -o /dev/null http://url/download.tgz
$ scp download.tgz jaseywang@host-2:

https://quchao.com/entry/how-to-configure-ocsp-stapling-on-nginx-for-the-certificates-issued-by-lets-encrypt/