nginx openssl 升级tls1.2

前端之家收集整理的这篇文章主要介绍了nginx openssl 升级tls1.2前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

微信小程序需要tls1.2,也就是说openssl要是1.0.2以上的版本。重新安装openssl后,Nginx也是要重新安装的。

服务器的Nginx安装好了,重新安装,就用了Nginx -V的配置。下面是详细过程。

1,下载Nginx,openssl

Nginx:  http://Nginx.org/download/

openssl: https://www.openssl.org/source/

2,安装openssl

# tar zxvf openssl-1.0.2l.tar.gz
# mkdir /usr/local/openssl12
# cd openssl-1.0.2l/
# ./config --prefix=/usr/local/openssl12/
# make && make install

3,安装Nginx

安装依赖包

# yum install gcc-c++ readline-devel zlib-devel libffi-devel \
openssl-devel make autoconf automake libtool bison libxml2-devel \
libxslt-devel libyaml-devel pcre pcre-devel gd gd-devel perl-devel \
perl-ExtUtils-Embed GeoIP-devel

安装Nginx

# tar zxvf Nginx-1.10.2.tar.gz
# cd Nginx-1.10.2/
# vim auto/lib/openssl/conf #找到以下内容把.openssl去掉

CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"

# ./configure --prefix=/usr/share/Nginx \
--sbin-path=/usr/sbin/Nginx \
--modules-path=/usr/lib64/Nginx/modules \
--conf-path=/etc/Nginx/Nginx.conf \
--error-log-path=/var/log/Nginx/error.log \
--http-log-path=/var/log/Nginx/access.log \
--http-client-body-temp-path=/var/lib/Nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/Nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/Nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/Nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/Nginx/tmp/scgi \
--pid-path=/var/run/Nginx.pid \
--lock-path=/var/lock/subsys/Nginx \
--user=Nginx --group=Nginx --with-file-aio --with-ipv6 \
--with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_addition_module --with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
--with-http_sub_module --with-http_dav_module --with-http_flv_module \
--with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module \
--with-http_random_index_module --with-http_secure_link_module \
--with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
--with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector \
--param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E' \
--with-openssl=/usr/local/openssl12

# make && make install

以上是真实的服务器上安装的。以下是在阿里云上面安装的。

./configure --prefix=/usr/share/Nginx --sbin-path=/usr/sbin/Nginx \
--modules-path=/usr/lib64/Nginx/modules --conf-path=/etc/Nginx/Nginx.conf \
--error-log-path=/var/log/Nginx/error.log --http-log-path=/var/log/Nginx/access.log \
--http-client-body-temp-path=/var/lib/Nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/Nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/Nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/Nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/Nginx/tmp/scgi \
--pid-path=/run/Nginx.pid --lock-path=/run/lock/subsys/Nginx --user=Nginx \
--group=Nginx --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_addition_module --with-http_image_filter_module=dynamic --with-http_sub_module \
--with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
--with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module \
--with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
--with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-openssl=/usr/local/openssl12

因为Nginx都是事先用yum安装好的,手动编译安装的时候,用了Nginx -V的参数。阿里云,安装的时候要注意,有很多包都没有,安装的时候报了很多错,查找一下,如果有不需要的模块,在编译参数中就去掉,如果有缺失的就安装一下。如果安装成功后,Nginx还是报错。就找一下以下目录。

# /usr/share/Nginx/modules #把报错的模块删除,要先备份

然后在重新启动Nginx

4,配置Nginx

ssl on;
ssl_certificate /etc/Nginx/mall.pem;
ssl_certificate_key /etc/Nginx/mall.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1.2; #注意这个1.2
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;

5,下载nmap测试tls

# yum install nmap
# nmap --script ssl-enum-ciphers -p 443 XXXXXX.com

openssl 1.0.2l tls12

openssl 1.0.2l tls12

6,firefox查看tls

firefox_tls1.2

firefox_tls1.2

猜你在找的Nginx相关文章