Nginx
儘管有 Openssl 1.1.1g,但啟用 Nginx TLSv1.3 錯誤
我有 Nginx 1.18.0 和 OpenSSL 啟用 v1.1.1g。我知道在此版本之前無法啟用 TLSv1.3,但即使使用此版本也是不可能的。如果我檢查 ssl checkers 網站,它的啟用 v1.2 完全沒有任何錯誤,但不是 v1.3
任何想法可能是什麼原因造成的?
nginx 配置
server { listen 443 ssl default_server; server_name www.website.com; #### REAL SSL STARTS #### ssl_certificate /etc/nginx/ssl/ssl-bundle.crt; ssl_certificate_key /etc/nginx/ssl/STAR_website_com.pem; ssl_prefer_server_ciphers on; ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; proxy_ssl_protocols TLSv1.2 TLSv1.3; ### REAL SSL ENDS #### # proxy_cookie_path / "/; HTTPOnly; Secure"; # access_log /var/log/nginx/website443.access.log; #access_log /var/log/nginx/domains/website.com.au.bytes bytes; error_log /var/log/nginx/domains/website443.com.error.log; #access_log /var/log/nginx/website.com.au.access.log; #error_log /var/log/nginx/website.com.au.error.log; #php-fpm log /usr/log/www.access.log
Nginx -V
[root@test2-au ssl]# nginx -V nginx version: nginx/1.18.0 custom build maintained on github.com/karljohns0n/nginx-more built by gcc 8.3.1 20190507 (Red Hat 8.3.1-4) (GCC) built with **OpenSSL 1.1.1g** 21 Apr 2020 TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DTCP_FASTOPEN=23' --with-openssl=modules/openssl-1.1.1g --with-http_v2_hpack_enc --add-dynamic-module=modules/ngx_modsecurity-1.0.1 --add-module=modules/ngx_headers_more-0.33 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable --add-module=modules/ngx_brotli-snap20200506 --add-module=modules/ngx_http_geoip2_module-3.3 --add-module=modules/ngx_echo-0.61
打開ssl版本
[root@test2-au ssl]# openssl version OpenSSL 1.1.1c FIPS 28 May 2019
您使用了錯誤的指令
啟用對代理 HTTPS 伺服器的請求的指定協議。
當你應該使用
啟用指定的協議。