- 下载所需软件包
nginx-1.14.0.tar.gz openssl-1.1.0h.tar.gz pcre-8.42.tar.gz
# 网址
http://nginx.org/download/
https://boringssl.googlesource.com/boringssl/
https://www.pcre.org/
#
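# Fetch the source tarballs. Both original URLs were plaintext (http/ftp) and
# nothing in these notes verifies what was downloaded; use https where the
# host offers it and check the release's published signature/checksum before
# extracting (nginx.org publishes a detached .asc next to each tarball).
# NOTE(review): 1.14.0 is fetched here, but the build steps further down use
# nginx-1.15.3 and the "nginx -V" output shows 1.15.3 — keep the two in step.
wget https://nginx.org/download/nginx-1.14.0.tar.gz
# If this FTP host is no longer reachable, the pcre.org download page lists
# current mirrors; verify the archive the same way.
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz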
- 解压
# Unpack the two downloaded archives into the current directory.
for archive in nginx-1.14.0.tar.gz pcre-8.42.tar.gz; do
  tar xvf "$archive"
done
- 首先编译boringssl
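# Unpack BoringSSL. boringssl-master.tar.gz is an unpinned snapshot of master
# and is not fetched anywhere in these notes; record the commit it came from,
# because the sed patches below are tied to one particular snapshot.
mkdir -p boringssl-install/boringssl
tar xvf boringssl-master.tar.gz -C boringssl-install/boringssl
# Everything that follows assumes the BoringSSL tree is the working directory,
# so stop here if the cd fails instead of running the rest elsewhere.
cd boringssl-install/boringssl/ || { echo "cd failed: boringssl-install/boringssl" >&2; exit 1; }
# Build dependencies; BoringSSL's build needs Go.
apt-get install -y build-essential make cmake golang
# Stub "openssl" layout that nginx's --with-openssl expects: headers under
# .openssl/include, static libraries under .openssl/lib.
mkdir -p build .openssl/lib .openssl/include
# The original spelled this with the absolute ~/nginx_upgrade/... path; $PWD
# is the same directory here and keeps the notes usable from any location.
ln -sf "$PWD/include/openssl" "$PWD/.openssl/include/openssl"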
最新的 BoringSSL 默认只启用 TLS 1.3 的 final 版本，但多数浏览器只支持 draft13、draft28，所以需要按下面的方式修改源码，打开 tls13_all。
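# Switch BoringSSL's default TLS 1.3 variant from tls13_rfc (final only) to
# tls13_all (drafts + final). Reference:
# https://github.com/cloudflare/sslconfig/issues/87
# This was an interop stopgap for browsers that only spoke the drafts; current
# clients negotiate the final RFC 8446 version, so on a newer BoringSSL the
# patch should be neither needed nor applicable.
# sed -i exits 0 even when the pattern did not match, so the patterns (which
# are tied to one source snapshot) are checked afterwards.
sed -i 's|tls13_rfc = 0|tls13_all = 0|' include/openssl/ssl.h
sed -i 's| tls13_all,| tls13_rfc,|' include/openssl/ssl.h
sed -i 's|tls13_variant_t tls13_variant = tls13_rfc;|tls13_variant_t tls13_variant = tls13_all;|g' ssl/internal.h
grep -q 'tls13_all = 0' include/openssl/ssl.h \
  || { echo "tls13 patch did not apply to include/openssl/ssl.h" >&2; exit 1; }
grep -q 'tls13_variant = tls13_all;' ssl/internal.h \
  || { echo "tls13 patch did not apply to ssl/internal.h" >&2; exit 1; }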
继续编译
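# Refresh the stub header's timestamp (the nginx build below keys off it).
touch .openssl/include/openssl/ssl.h
# Configure and build in ./build. The working directory is the BoringSSL tree
# (see the cd above; the cp below already relies on that), so relative paths
# are used. The original passed -B~/nginx_upgrade/... and -H~/nginx_upgrade/...:
# bash does not tilde-expand a "~" that follows "-B"/"-H" in the same word, so
# cmake received a literal "~/..." path. -H is the pre-CMake-3.13 spelling of -S.
cmake -B build -H.
make -C build
# Copy the static libraries into the stub tree that nginx will link against.
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib/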
- 编译nginx
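# NOTE(review): the tarball fetched earlier is nginx-1.14.0, but this builds
# nginx-1.15.3 (which matches the -V output below); keep the two in step.
cd ../../nginx-1.15.3 || { echo "cd failed: nginx-1.15.3" >&2; exit 1; }
# --with-openssl points at the BoringSSL tree prepared above (nginx links the
# .openssl/lib stubs); --prefix / --conf-path set the install directory and
# the configuration file. Flags are unchanged from the original, one per line.
./configure \
  --prefix=/usr/share/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/run/nginx.pid \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --with-openssl=../boringssl-install/boringssl/ \
  --with-http_v2_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-pcre=../pcre-8.42 \
  --with-mail \
  --with-mail_ssl_module
# After configure, touch the stub header first so make does not try to build
# the "openssl" tree itself. Same file the original touched via the absolute
# ~/nginx_upgrade/... path, spelled relative to this directory for consistency
# with --with-openssl above.
touch ../boringssl-install/boringssl/.openssl/include/openssl/ssl.h
make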
- 查看版本信息
# Print build information; the "built with" line should name BoringSSL.
./objs/nginx -V
nginx version: nginx/1.15.3
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
- 修改密码套件，添加 TLSv1.3 协议
# BoringSSL cipher string. The [a|b] brackets are BoringSSL's equal-preference
# groups. The TLS13-* names come first, but BoringSSL fixes its TLS 1.3 suite
# set and (as far as I know) does not let the cipher string select them — TODO
# confirm for this snapshot. The tail is legacy compatibility: DES-CBC3-SHA
# (3DES, listed twice), CBC/SHA-1 suites, and RSA-key-exchange suites
# (AES128-GCM-SHA256, AES256-GCM-SHA384, AES, CAMELLIA) with no forward
# secrecy; drop whatever the measured client population no longer needs.
ssl_ciphers "[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256] TLS13-AES-256-GCM-SHA384 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 DES-CBC3-SHA AES128-SHA256 AES256-SHA256 CAMELLIA AES256-SHA AES CAMELLIA DES-CBC3-SHA ECDHE-ECDSA-AES256-SHA";
# TLSv1 and TLSv1.1 remain enabled (the testssl output below shows
# "TLS 1.1 offered"); both are deprecated by RFC 8996 — keep them only if a
# measured client population still requires them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
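# Test the edited config before reloading. The *running* (old) binary is the
# one parsing it here; if it does not understand the TLSv1.3 token the test
# fails and the reload is skipped rather than attempted.
nginx -t && /etc/init.d/nginx reload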
- 平滑升级
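# Swap in the new binary. nginx.old is the rollback path, so only overwrite
# /usr/sbin/nginx once the move has succeeded.
mv -- /usr/sbin/nginx /usr/sbin/nginx.old \
  && cp -- ./objs/nginx /usr/sbin/nginx
# Confirm the installed binary is the new build.
nginx -v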
nginx version: nginx/1.15.3
# Syntax-check the config with the newly installed binary before signalling
# the running master.
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
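# Binary upgrade on the fly (nginx's USR2 / WINCH / QUIT sequence).
# USR2: the old master renames its pid file to nginx.pid.oldbin and starts
# the new binary; /run/nginx.pid then belongs to the new master.
kill -USR2 "$(cat /run/nginx.pid)"
# WINCH: the old master shuts its workers down gracefully. Check that the new
# workers are serving before going further; to roll back instead, send HUP to
# the old master (it restarts its workers) and QUIT to the new one.
kill -WINCH "$(cat /run/nginx.pid.oldbin)"
# QUIT the old master only once the new one is verified; after this the only
# way back is the nginx.old binary kept in the step above.
kill -QUIT "$(cat /run/nginx.pid.oldbin)"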
- 验证网站已启用 TLSv1.3
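# External TLS check with testssl.sh. This clones the unpinned tip of master
# and runs it immediately; note the commit you ran (git rev-parse HEAD) so the
# report can be reproduced, or pin a release tag.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh || { echo "cd failed: testssl.sh" >&2; exit 1; }
# --full runs every check; --html additionally writes an HTML report.
# Replace your_domain with the host you just upgraded.
./testssl.sh --full --html https://your_domain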
# 包含以下内容的输出说明tlsv1.3成功开启
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): draft 28, draft 23, final