Adding the ChaCha20-Poly1305 cipher suite to Nginx
This article describes how to make OpenSSL support ChaCha20-Poly1305; along the way it also shows how to update the OpenSSL that nginx is built against.
Upgrade OpenSSL to 1.1.1 for ChaCha20-Poly1305 support
OpenSSL has shipped built-in support for ChaCha20-Poly1305 (RFC 7539) since version 1.1.0. Updating OpenSSL to the latest release is enough to get ChaCha20 support; no extra configuration is needed.
Download the source and start the build:
```shell
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -zxvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
```
Now we can build OpenSSL:
```shell
./Configure linux-x86_64
make
make test
make install
```
After the build finishes, a check shows that the openssl found on $PATH is still the old version; we need to fix that:
```shell
openssl version
OpenSSL 1.0.2g  1 Mar 2016
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig
openssl version
OpenSSL 1.1.1g  21 Apr 2020
```
Check that CHACHA20 suites are now present:
```shell
openssl ciphers | grep chacha -i
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA
```
At this point the server has the latest OpenSSL installed, with ChaCha20-Poly1305 support.
Build a new nginx and configure the new cipher suite
Rebuild and install nginx; see here for how to rebuild and install nginx.
Finally, the nginx sites that serve SSL still have to be configured to offer the ChaCha20-Poly1305 cipher suite; only then is the goal actually achieved.
Edit the site configuration file and change "ssl_ciphers" to the following:
```nginx
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
```
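As an added example (not code from the original post), the following Python script uses the OpenSSL library linked into Python's ssl module to expand the ssl_ciphers string above the same way nginx does (it is handed to SSL_CTX_set_cipher_list), reports which tokens OpenSSL silently ignores, and checks that a ChaCha20-Poly1305 suite is at the head of the server's preference list. The NGINX_SSL_CIPHERS constant is the string from the configuration above; the function names, the file name and the optional live check are my own assumptions.

```python
import socket
import ssl
import sys

# The ssl_ciphers value from the nginx configuration above (copied from the page).
NGINX_SSL_CIPHERS = (
    "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:"
    "TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:"
    "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:"
    "EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5"
)


def expand_cipher_list(spec):
    """Expand an OpenSSL cipher-list string with the OpenSSL linked into Python.

    nginx feeds ssl_ciphers to the same parser (SSL_CTX_set_cipher_list), so the
    result is the ordered list of TLS 1.2-and-below suites the server will offer.
    TLS 1.3 suites are filtered out: OpenSSL 1.1.1 never takes them from this
    string (see unrecognised_tokens below).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite at all matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unrecognised_tokens(spec):
    """Return the ':'-separated tokens of spec that select no suite on this OpenSSL.

    OpenSSL drops a token it cannot resolve without any error as long as some
    other token matches, so a typo or a BoringSSL-style TLS13-* name never shows
    up in `nginx -t`. Exclusion rules ('!' / '-' prefix) select nothing by design
    and are skipped rather than reported.
    """
    ignored = []
    for token in spec.split(":"):
        if token.startswith(("!", "-")):
            continue
        probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            probe.set_ciphers(token)
        except ssl.SSLError:
            ignored.append(token)
    return ignored


def chacha_is_preferred(spec):
    """True when a ChaCha20-Poly1305 suite is the first TLS 1.2 suite offered.

    Together with `ssl_prefer_server_ciphers on` this means the server picks
    ChaCha20 whenever the client supports it.
    """
    names = expand_cipher_list(spec)
    return bool(names) and "CHACHA20" in names[0]


def negotiated_cipher(host, port=443, spec=None):
    """Connect to a live server and return (name, protocol, bits) of the
    negotiated cipher. Passing spec restricts the client offer, e.g.
    'ECDHE-RSA-CHACHA20-POLY1305', and pins the handshake to TLS 1.2 so the
    answer proves the server accepts ChaCha20 there (TLS 1.3 would otherwise
    win and ignore spec). Needs network access; not used by the offline checks."""
    ctx = ssl.create_default_context()
    if spec:
        ctx.set_ciphers(spec)
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    print("OpenSSL used for expansion:", ssl.OPENSSL_VERSION)
    print("Tokens OpenSSL ignores    :", unrecognised_tokens(NGINX_SSL_CIPHERS))
    print("ChaCha20 preferred        :", chacha_is_preferred(NGINX_SSL_CIPHERS))
    for name in expand_cipher_list(NGINX_SSL_CIPHERS):
        print("  ", name)
    if len(sys.argv) > 1:  # optional live check: python3 check_ciphers.py example.com
        print("Negotiated with", sys.argv[1], ":", negotiated_cipher(sys.argv[1]))
```

Run against an OpenSSL 1.1.1 build, the script reports the five TLS13-* entries and EECDH+CHACHA20-draft as ignored: the cipher-list parser silently skips names it cannot resolve, and TLS 1.3 suites are not controlled by this string at all. That does no harm here, because OpenSSL 1.1.1 enables TLS_CHACHA20_POLY1305_SHA256 for TLS 1.3 by default; if you need to change the TLS 1.3 set or its order, nginx 1.19.4 and later accept `ssl_conf_command Ciphersuites ...;` for that. The remaining EECDH+CHACHA20 token puts ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 first for TLS 1.2, which is what the page sets out to achieve.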
FAQ:
1. make fails while building openssl:
```text
./libcrypto.so: undefined reference to `engine_load_afalg_int'
./libcrypto.so: undefined reference to `engine_load_padlock_int'
collect2: error: ld returned 1 exit status
make[1]: *** [apps/openssl] Error 1
make[1]: Leaving directory `/usr/local/src/openssl-1.1.1g'
make: *** [all] 错误 2
```
Clean the build first, then name the target platform explicitly when configuring:
```shell
make clean
./Configure linux-x86_64
```
2. make test fails with "Non-zero exit status: 2 Parse errors: No plan found in TAP output Files=155,":
Install the missing dependencies:
```shell
yum install libtool perl-core zlib-devel -y
```