Enabling OpenSSL TLS 1.3 and CHACHA20-POLY1305 in Nginx
in Notes with 0 comments

This note mainly records how to get Nginx to support TLS 1.3 and CHACHA20-POLY1305; some of the bundled modules are omitted. The result is shown in the figure:
[Figure: TLS1.3]
1. Update a few modules:

ZLIB

git clone https://github.com/cloudflare/zlib.git && cd zlib && ./configure && cd ..

PCRE

wget -c https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz && tar xf pcre-8.43.tar.gz && rm -f pcre-8.43.tar.gz && cd pcre-8.43 && ./configure && cd ../ && mv pcre-8.43 pcre

Substitutions Filter (install it if the built-in sub module is not enough)

git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module.git

Pagespeed

wget -c https://github.com/apache/incubator-pagespeed-ngx/archive/v1.13.35.2-stable.zip && unzip v1.13.35.2-stable.zip && rm -f v1.13.35.2-stable.zip && cd incubator-pagespeed-ngx-1.13.35.2-stable
wget -c https://dl.google.com/dl/page-speed/psol/1.13.35.2-x64.tar.gz && tar -xzvf 1.13.35.2-x64.tar.gz && rm -f 1.13.35.2-x64.tar.gz && cd ../ && mv incubator-pagespeed-ngx-1.13.35.2-stable pagespeed

apt install uuid-dev
yum install libuuid-devel

ngx_brotli (either the Google repository or, optionally, the fork maintained by eustas)

git clone https://github.com/eustas/ngx_brotli.git
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init && cd ..

Configuration directives:

brotli on;
brotli_types text/xml text/plain text/css text/x-component application/json text/javascript application/xml application/xml+rss application/font-woff application/vnd.ms-fontobject application/vnd.apple.mpegurl application/javascript application/x-javascript image/svg+xml image/x-icon font/truetype font/opentype;
brotli_static on;
brotli_comp_level 6;
brotli_buffers 16 8k;
brotli_window 512k;
brotli_min_length 20;

fancyindex

git clone http://www.github.com/aperezdc/ngx-fancyindex

Fetch the patches written by a few gurus:

git clone -b openssl-patch https://gitlab.com/buik/openssl.git
git clone https://github.com/kn007/patch.git
git clone https://github.com/cloudflare/sslconfig.git
git clone https://github.com/hakasenyang/openssl-patch.git

2. TLS 1.3

First of all, the browser and Nginx must support the same TLS 1.3 version (draft). On macOS, Chrome 66 supports up to draft 23, which corresponds to OpenSSL 1.1.1 pre2, but there are patches for newer versions.

wget https://github.com/openssl/openssl/archive/OpenSSL_1_1_1d.tar.gz && tar zxf OpenSSL_1_1_1d.tar.gz && cd openssl-OpenSSL_1_1_1d
patch -p1 < ../openssl-patch/openssl-equal-1.1.1d_ciphers.patch
./config && make -j $(nproc) && cd ..

Apply the patches:

wget -c https://nginx.org/download/nginx-1.16.1.tar.gz && tar zxf nginx-1.16.1.tar.gz && cd nginx-1.16.1
patch -p1 < ../patch/nginx.patch
patch -p1 < ../patch/fix_nginx_hpack_push_error.patch
patch -p1 < ../patch/nginx_auto_using_PRIORITIZE_CHACHA.patch

Change the static library paths:

vim auto/lib/openssl/conf

Find:

    CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
    CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
    CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
    CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"

Change to:

    CORE_INCS="$CORE_INCS $OPENSSL/include"
    CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
    CORE_LIBS="$CORE_LIBS $OPENSSL/libssl.a"
    CORE_LIBS="$CORE_LIBS $OPENSSL/libcrypto.a"
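The same edit applied with sed instead of vim, as an added example that is not part of the original post (it assumes the nginx tree at the path you pass in and an OpenSSL tree built in place with ./config && make, so that libssl.a and libcrypto.a sit at the top of that tree):

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the four static-library
# paths in nginx's auto/lib/openssl/conf so configure links against an OpenSSL
# tree built in place (./config && make), without the .openssl install prefix.
# Usage: patch_openssl_conf path/to/nginx-1.16.1/auto/lib/openssl/conf
patch_openssl_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Only the lines carrying the /.openssl/ prefix are touched; a backup of
    # the original is kept as conf.orig.
    sed -i.orig \
        -e 's|\$OPENSSL/\.openssl/include|$OPENSSL/include|g' \
        -e 's|\$OPENSSL/\.openssl/lib/libssl\.a|$OPENSSL/libssl.a|' \
        -e 's|\$OPENSSL/\.openssl/lib/libcrypto\.a|$OPENSSL/libcrypto.a|' \
        "$conf"
    # Fail loudly if any .openssl reference survived: a silently unpatched
    # configure would otherwise link a different OpenSSL than the one patched.
    if grep -q '/\.openssl/' "$conf"; then
        echo "unexpected .openssl path left in $conf" >&2
        return 1
    fi
    return 0
}
```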

Compile Nginx:

./configure  --prefix=/usr/local/nginx \
--user=www --group=www \
--with-http_ssl_module \
--with-openssl=../openssl-OpenSSL_1_1_1d \
--with-openssl-opt='enable-tls13downgrade enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers' \
--with-http_v2_module \
--with-http_spdy_module \
--with-http_v2_hpack_enc \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-zlib=../zlib \
--with-pcre=../pcre --with-pcre-jit \
--add-module=../ngx_brotli \
--add-dynamic-module=../pagespeed \
--add-dynamic-module=../ngx-fancyindex \
--with-stream \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--add-module=../ngx_http_substitutions_filter_module

make -j $(nproc)
make install

Modify the configuration (a bit unfriendly, but this is only an experiment):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+ECDSA+AES256;

Or:

ssl_ciphers [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|TLS-CHACHA20-POLY1305-SHA256]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;

The equal-preference cipher group patch was applied above; in practice there is little difference between TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256.
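To confirm from the client side that the rebuilt server really negotiates TLS 1.3 with CHACHA20-POLY1305, an added example that is not part of the original post (it assumes OpenSSL 1.1.1 or later on the client; the host name in the usage comment is hypothetical):

```shell
#!/bin/sh
# Added example (not from the original post): parse `openssl s_client` output
# and check the negotiated protocol and cipher after the TLS 1.3 build.

# Extract "<protocol> <cipher>" from the SSL-Session block on stdin.
# Exits 1 when either line is missing (e.g. the handshake failed).
tls_summary() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END { if (proto == "" || cipher == "") exit 1; print proto, cipher }
    '
}

# Succeed only when the handshake used exactly the expected protocol and cipher.
# Usage: tls_expect TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 < s_client_output
tls_expect() {
    want_proto="$1"; want_cipher="$2"
    got="$(tls_summary)" || return 1
    [ "$got" = "$want_proto $want_cipher" ]
}

# Live probe: offer TLS 1.3 only, with the client's ciphersuite order as the
# third argument, and print what the server picked. Hypothetical usage:
#   tls_probe example.com 443 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Run it with ChaCha20 first and again with AES-GCM first: with the
# nginx_auto_using_PRIORITIZE_CHACHA patch (SSL_OP_PRIORITIZE_CHACHA) a client
# that lists ChaCha20 first gets ChaCha20 even if the server prefers AES-GCM.
tls_probe() {
    host="$1"; port="${2:-443}"; suites="${3:-TLS_CHACHA20_POLY1305_SHA256}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_3 -ciphersuites "$suites" </dev/null 2>/dev/null | tls_summary
}

# Constructed sample of the relevant s_client lines, for offline testing.
SAMPLE_S_CLIENT_OUTPUT='New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 0123
Verify return code: 0 (ok)'
```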

3. Adding chacha20 support to OpenSSL 1.1.0/1.0.2

wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz && tar zxf openssl-1.1.0h.tar.gz && cd openssl-1.1.0h
patch -p1 < ../openssl/openssl-1.1/OpenSSL1.1h-double-performance-ecdhx-25519.patch
patch -p1 < ../openssl/openssl-1.1/OpenSSL1.1h-chacha-prioritized-by-client-fix.patch
patch -p1 < ../openssl/openssl-1.1/OpenSSL1.1h-equal-preference-cipher-groups.patch
patch -p1 < ../openssl/openssl-1.1/OpenSSL1.1h-improve-ECDSA-sign-30-40%.patch
./config && cd ../nginx-1.15.0

wget -c https://www.openssl.org/source/openssl-1.0.2o.tar.gz && tar zxf openssl-1.0.2o.tar.gz && cd openssl-1.0.2o
patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
./config && cd ../nginx-1.15.0

wget -c https://nginx.org/download/nginx-1.15.0.tar.gz && tar zxf nginx-1.15.0.tar.gz && cd nginx-1.15.0
patch -p1 < ../patch/nginx.patch
patch -p1 < ../patch/fix_nginx_hpack_push_error.patch

The build parameters are roughly the same.

1.1.0:

./configure  --prefix=/usr/local/nginx \
--user=www --group=www \
--with-http_ssl_module \
--with-openssl=../openssl-1.1.0h \
--with-openssl-opt='enable-ec_nistp_64_gcc_128 no-idea no-rc5 no-ssl3 zlib' \
--with-http_v2_module \
--with-http_v2_hpack_enc \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-zlib=../zlib \
--with-pcre=../pcre --with-pcre-jit \
--add-module=../ngx_brotli \
--add-dynamic-module=../pagespeed \
--add-dynamic-module=../ngx-fancyindex \
--with-stream \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-stream_ssl_preread_module \
--add-module=../ngx_http_substitutions_filter_module

1.0.2:

./configure  --prefix=/usr/local/nginx \
--user=www --group=www \
--with-http_ssl_module \
--with-openssl=../openssl-1.0.2o \
--with-http_v2_module \
--with-http_v2_hpack_enc \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-zlib=../zlib \
--with-pcre=../pcre --with-pcre-jit \
--add-module=../ngx_brotli \
--add-dynamic-module=../pagespeed

To build a module as a dynamic module, change its option to --add-dynamic-module=; once the build is done, nginx.conf needs lines such as load_module modules/ngx_pagespeed.so; load_module "modules/ngx_stream_module.so"; load_module "modules/ngx_http_fancyindex_module.so";

screen make 
make install

Modify the configuration:

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-draft-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA;

Because 1.1.0 was patched with the equal-preference cipher groups, first check the cipher suites:

openssl ciphers -V 'EECDH+AES128' | column -t

You can take a shortcut and write it like this:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers '[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:EECDH+AES128:DHE-RSA-AES128-SHA:EECDH+ECDSA+AES256:EECDH+aRSA+AES256';
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers on;

Reference articles:
https://dcc.cat/nginx.html
https://imququ.com/post/enable-tls-1-3.html
