Nginx
nginx 1.15.10 - TLSv1.3 沒有得到應用,儘管配置
nginx -V nginx version: nginx/1.15.10 built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) built with OpenSSL 1.1.0j 20 Nov 2018 (running with OpenSSL 1.1.1b 26 Feb 2019) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.15.10/debian/debuild-base/nginx-1.15.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
我正在嘗試使用來自開發人員的官方倉庫的 nginx 在 Debian Stretch 上啟用 TLSv1.3。到目前為止,沒有骰子 - Firefox 65 和 ssllabs 的測試沒有顯示它支持 TLSv1.3,當我刪除 TLSv1.2 支持時,我在 Firefox 中收到奇怪的“SSL_ERROR_INTERNAL_ERROR_ALERT”致命錯誤。Google搜尋沒有顯示出有希望的線索,並且對每個人都“有效”(真是令人震驚!)。
這是相關的配置片段,都與 SSL/TLS 相關:
listen [::]:443 ssl http2 ipv6only=on; listen 443 ssl http2; server_name mysite.intra; # Use Mozilla's guidelines for SSL/TLS settings # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # NOTE: some settings below might be redundant #ssl on; ssl_certificate /[hidden]; ssl_certificate_key /[hidden]; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_prefer_server_ciphers on; #ssl_protocols TLSv1.3; ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 1.1.1.1 1.0.0.1 8.8.8.8;
這是對 configs 目錄的遞歸搜尋,以查找任何提及 TLS 的內容:
Searching 21 files for "TLS" /mnt/sshfs/mysite/etc/nginx/nginx.conf: 24 default_type application/octet-stream; 25 26: #ssl_protocols TLSv1.2 TLSv1.3; 27 #ssl_prefer_server_ciphers on; 28 /mnt/sshfs/mysite/etc/nginx/sites-available/default: 21 access_log /var/log/nginx/mysite-access.log combined; 22 23: # Use Mozilla's guidelines for SSL/TLS settings 24: # https://mozilla.github.io/server-side-tls/ssl-config-generator/ 25 # NOTE: some settings below might be redundant 26 #ssl on; .. 32 ssl_session_tickets off; 33 ssl_prefer_server_ciphers on; 34: ssl_protocols TLSv1.3 TLSv1.2; 35 ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; 36 ssl_stapling on; /mnt/sshfs/mysite/etc/nginx/sites-enabled/default: 21 access_log /var/log/nginx/mysite-access.log combined; 22 23: # Use Mozilla's guidelines for SSL/TLS settings 24: # https://mozilla.github.io/server-side-tls/ssl-config-generator/ 25 # NOTE: some settings below might be redundant 26 #ssl on; .. 32 ssl_session_tickets off; 33 ssl_prefer_server_ciphers on; 34: ssl_protocols TLSv1.3 TLSv1.2; 35 ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; 36 ssl_stapling on; 10 matches across 3 files
任何人都可以闡明這裡發生的事情嗎?
使用 OpenSSL 1.1.0j 2018 年 11 月 20 日建構(使用 OpenSSL 1.1.1b 2019 年 2 月 26 日執行)
nginx 是針對 OpenSSL 1.1.0 建構的。TLS 1.3 僅在 OpenSSL 1.1.1 中實現。
僅替換系統上的現有庫是不夠的,因為啟用 TLS 1.3 需要一個僅適用於 OpenSSL 1.1.1 的 API。由於您的 nginx 不是針對 OpenSSL 1.1.1 建構的,因此它不是為使用此 API 而建構的,因此無法啟用 TLS 1.3。我希望您在錯誤日誌中有一些消息指出這是配置問題。
要解決此問題,您需要針對 OpenSSL 1.1.1 重建 nginx。有關執行此操作的幫助,請參閱Debian 9 Stretch Nginx with OpenSSL 1.1.1 & TLSv1.3。