Download the nginx source (no changes to the nginx code are needed) and place the downloaded nginx tarball and the attached files in the same directory.
Build the Linux version of the GmSSL static libraries.
root@localhost:~# cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
root@localhost:~# uname -a
Linux localhost 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Adding the SM (Chinese national cryptography, "GM") cipher suite to nginx.conf:
server {
    listen 4433 ssl;
    server_name localhost;
    ssl_certificate SS.pem;
    ssl_certificate_key SS.pem;
    ssl_certificate SE.pem;
    ssl_certificate_key SE.pem;
    ssl_ciphers "SM2-WITH-SMS4-SM3";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
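The server block above can be sanity-checked before nginx is reloaded. The following is an added example, not code from the original page: the GM TLS scheme uses two server certificates, a signing certificate (SS.pem) and an encryption certificate (SE.pem), which is why two ssl_certificate/ssl_certificate_key pairs appear. The function reads a server block on stdin and confirms that exactly two pairs pointing at distinct files are present, that ssl_ciphers names an SM2 suite, that ssl_prefer_server_ciphers is on and that listen enables ssl. The directive names are nginx's own; the function names, the one-directive-per-line layout and the demo input are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): lint the GM cipher-suite settings
# of an nginx server block. The block is read from stdin, one directive per line.

CONF=""

# count_directive NAME -> number of lines that set directive NAME
count_directive() {
    printf '%s\n' "$CONF" | grep -c "^[[:space:]]*$1[[:space:]]" || true
}

# directive_values NAME -> the value(s) given to NAME, one per line, ';' stripped
directive_values() {
    printf '%s\n' "$CONF" | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p"
}

# lint_gm_server_block < server-block
# exit status 0 when the block looks like a complete GM configuration, 1 otherwise
lint_gm_server_block() {
    CONF=$(cat)
    status=0

    # 1. the listen directive must enable TLS
    case " $(directive_values listen) " in
        *" ssl "*) echo "ok   listen enables ssl" ;;
        *)         echo "FAIL listen does not enable ssl"; status=1 ;;
    esac

    # 2. GM TLS needs a signing and an encryption certificate: two cert/key pairs
    certs=$(count_directive ssl_certificate)
    keys=$(count_directive ssl_certificate_key)
    distinct=$(directive_values ssl_certificate | sort -u | grep -c . || true)
    if [ "$certs" -eq 2 ] && [ "$keys" -eq 2 ] && [ "$distinct" -eq 2 ]; then
        echo "ok   two distinct certificate/key pairs (signing + encryption)"
    else
        echo "FAIL need 2 ssl_certificate and 2 ssl_certificate_key with distinct files (got $certs/$keys, $distinct distinct)"
        status=1
    fi

    # 3. the cipher list must select an SM2 suite (e.g. SM2-WITH-SMS4-SM3)
    ciphers=$(directive_values ssl_ciphers)
    case "$ciphers" in
        *SM2*) echo "ok   ssl_ciphers $ciphers" ;;
        *)     echo "FAIL ssl_ciphers '$ciphers' selects no SM2 suite"; status=1 ;;
    esac

    # 4. the server, not the client, should decide which suite is used
    if [ "$(directive_values ssl_prefer_server_ciphers)" = "on" ]; then
        echo "ok   ssl_prefer_server_ciphers on"
    else
        echo "WARN ssl_prefer_server_ciphers is not on"
    fi

    return $status
}

# Demo on the server block from this page (constructed input for the example).
lint_gm_server_block <<'EOF'
server {
    listen 4433 ssl;
    server_name localhost;
    ssl_certificate SS.pem;
    ssl_certificate_key SS.pem;
    ssl_certificate SE.pem;
    ssl_certificate_key SE.pem;
    ssl_ciphers "SM2-WITH-SMS4-SM3";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
}
EOF
```

Pipe any server block into `lint_gm_server_block`; a non-zero exit status means one of the GM requirements is missing, which is the case if only one certificate pair is configured.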
Contents of the nginx build script:
The script is adapted from (https://gist.github.com/neilstuartcraig/4b8f06a4d4374c379bc0f44923a11fa4)
#!/bin/bash
set -e

# nginx version
LATESTNGINX="1.20.1"
BUILDROOT="/tmp/gmssl-nginx"

# mkdir GmSSL libs and include file
mkdir -p "$BUILDROOT/gmssl/.openssl/lib"
mkdir -p "$BUILDROOT/gmssl/.openssl/include"

# Copy the gmssl crypto libraries to libs so nginx can find them
cp "./libcrypto.a" "$BUILDROOT/gmssl/.openssl/lib"
cp "./libssl.a" "$BUILDROOT/gmssl/.openssl/lib"
cp -R "./include" "$BUILDROOT/gmssl/.openssl/"

# Prep nginx
mkdir -p "$BUILDROOT/nginx"
cp "./nginx-$LATESTNGINX.tar.gz" "$BUILDROOT/nginx"
cd "$BUILDROOT/nginx"
tar xzf "nginx-$LATESTNGINX.tar.gz"
cd "$BUILDROOT/nginx/nginx-$LATESTNGINX"

# Configure nginx against the pre-built GmSSL libraries
sudo ./configure --prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=www-data \
--group=www-data \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_slice_module \
--with-http_stub_status_module \
--without-select_module \
--without-poll_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--with-openssl="$BUILDROOT/gmssl" \
--with-cc-opt="-g -O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -I $BUILDROOT/gmssl/.openssl/include/" \
--with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro -L $BUILDROOT/gmssl/.openssl/lib/"

# Fix "Error 127" during build: with --with-openssl the generated Makefile tries to
# run ./config in $BUILDROOT/gmssl to build OpenSSL itself, which does not exist there.
# Touching the header makes that target up to date, so the pre-built GmSSL libraries are used.
touch "$BUILDROOT/gmssl/.openssl/include/openssl/ssl.h"

# Build nginx
sudo make
sudo make install
After the build completes, finish the nginx.conf configuration as above and start the nginx service; the site can then be accessed normally with a browser that supports the SM cipher suites.
Test result with openssl:
#openssl s_client -smtls -msg -debug -connect IP:PORT -CAfile CA.pem
subject=C = CN, ST = BJ, L = Beijing, O = Beijing SM2Test, OU = SM2Test, CN = 192.168.2.30
issuer=C = CN, ST = BJ, L = Beijing, O = Beijing SM2Test, OU = SM2Test, CN = Test CA (SM2)
---
No client certificate CA names sent
Peer signing digest: SM3
Peer signature type:
---
SSL handshake has read 1357 bytes and written 321 bytes
Verification: OK
---
New, SMTLSv1.1, Cipher is SM2-SM4-CBC-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SMTLSv1.1
Cipher : SM2-SM4-CBC-SM3
Session-ID: 0A7324C3B8A9001724FAA476E527A77110A49CFAE685B82AA4F43E631742C7BC
Session-ID-ctx:
Master-Key: 058C989EC1469B2A25ED7DCE833DA00092B129BEF32C35DC798E36DFF68D0B5C46A698894540BB87D499E43863D83620
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1624771840
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Testing Bank of China's SM-enabled site:
#openssl s_client -smtls -msg -debug -connect ebssec.boc.cn:443 -CAfile sm2.pem
subject=C = CN, ST = \E5\8C\97\E4\BA\AC, L = \E5\8C\97\E4\BA\AC, O = \E4\B8\AD\E5\9B\BD\E9\93\B6\E8\A1\8C\E8\82\A1\E4\BB\BD\E6\9C\89\E9\99\90\E5\85\AC\E5\8F\B8, OU = Local RA, OU = SSL, CN = ebssec.boc.cn
issuer=C = CN, O = CFCA SM2 OCA1
---
No client certificate CA names sent
Peer signing digest: SM3
Peer signature type:
---
SSL handshake has read 1911 bytes and written 343 bytes
Verification: OK
---
New, SMTLSv1.1, Cipher is SM2-SM4-CBC-SM3
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SMTLSv1.1
Cipher : SM2-SM4-CBC-SM3
Session-ID: 0177DEC11D3CDC0EAA98CDB2D38DDD064AFF6604B5F11D08FAD262C998C6B1A0
Session-ID-ctx:
Master-Key: 71904E089423552088C60FFF70DC0D85D37C207B1B24678F3F3EE8C8CAFEAA2262AD961A44B2A707B567B658055F0384
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ba 97 fa fc 89 61 f1 00-1c a2 5f 5c be ed 58 87 .....a...._\..X.
0010 - 4f ef 96 2b 23 ef 67 39-b7 25 27 52 44 3d 09 33 O..+#.g9.%'RD=.3
0020 - 06 07 09 9b b1 02 b7 ee-91 3d 77 ce 61 bf ff f2 .........=w.a...
0030 - 85 09 41 c4 45 56 10 69-f0 ed f9 ca b8 7d 37 79 ..A.EV.i.....}7y
0040 - 62 8a 8e f1 3b b7 3b a3-1f 74 cb c4 bd d1 39 8d b...;.;..t....9.
0050 - 5f 96 3f 4a e1 03 8f 8f-b6 8a 42 a5 73 4b e0 39 _.?J......B.sK.9
0060 - 2a 85 3d 4b a0 cf 6a cd-32 8a 91 9f 9e 1b 61 40 *.=K..j.2.....a@
0070 - a6 84 a5 8e 4c c2 01 9f-dc 67 b8 a2 4e 4d c8 48 ....L....g..NM.H
0080 - c2 6f d2 cd b6 8c 6f 54-c2 f3 a1 c7 e2 ae fc de .o....oT........
0090 - c4 6c 8f 4e f9 7e 63 97-f1 23 a9 c0 72 be a9 fd .l.N.~c..#..r...
00a0 - d9 ce f2 b4 ca 06 00 d9-d0 51 3e aa 11 24 67 bb .........Q>..$g.
00b0 - ba 58 3e 1c 7c 7c a1 1b-0f 1c 1e 61 25 a3 a1 f9 .X>.||.....a%...
Start Time: 1624772558
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
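Both s_client transcripts above can be checked mechanically. The function below is an added example, not part of the original page: it reads an `openssl s_client -smtls` transcript on stdin, pulls out the negotiated protocol, cipher, verify return code and extended-master-secret lines using the field names exactly as printed above, and fails unless an SMTLS protocol with an SM2 suite was negotiated and certificate verification returned 0. It also prints warnings for the two properties visible in the transcripts that are worth recording when reviewing a deployment: the first server reports that secure renegotiation is not supported, and neither handshake used the extended master secret. The function names and the constructed demo transcript are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate an
# `openssl s_client -smtls ...` transcript read from stdin.

TRANSCRIPT=""

# field NAME -> the value printed after "NAME :" / "NAME:", first occurrence only
field() {
    printf '%s\n' "$TRANSCRIPT" | sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# check_smtls_transcript < transcript
# exit status 0 = SM handshake negotiated and the peer certificate verified
check_smtls_transcript() {
    TRANSCRIPT=$(cat)
    status=0

    proto=$(field 'Protocol')
    cipher=$(field 'Cipher')
    verify=$(field 'Verify return code')
    ems=$(field 'Extended master secret')

    # The session must be an SM TLS session, not a fallback to ordinary TLS.
    case "$proto" in
        SMTLS*) echo "ok   protocol $proto" ;;
        *)      echo "FAIL protocol '$proto' is not SMTLS"; status=1 ;;
    esac

    # Both GmSSL spellings of the suite (SM2-WITH-SMS4-SM3, SM2-SM4-CBC-SM3) start with SM2-.
    case "$cipher" in
        SM2-*) echo "ok   cipher $cipher" ;;
        *)     echo "FAIL cipher '$cipher' is not an SM2 suite"; status=1 ;;
    esac

    # Chain verification against the CA given with -CAfile must have succeeded.
    case "$verify" in
        "0 (ok)") echo "ok   certificate chain verified" ;;
        *)        echo "FAIL verify return code: ${verify:-missing}"; status=1 ;;
    esac

    # Properties that do not fail the handshake but should be recorded.
    if printf '%s\n' "$TRANSCRIPT" | grep -q '^Secure Renegotiation IS NOT supported'; then
        echo "WARN secure renegotiation not supported (RFC 5746)"
    fi
    if [ "$ems" = "no" ]; then
        echo "WARN extended master secret not used (RFC 7627)"
    fi

    return $status
}

# Demo on a constructed transcript modelled on the first test above.
check_smtls_transcript <<'EOF'
---
SSL handshake has read 1357 bytes and written 321 bytes
Verification: OK
---
New, SMTLSv1.1, Cipher is SM2-SM4-CBC-SM3
Server public key is 256 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SMTLSv1.1
    Cipher    : SM2-SM4-CBC-SM3
    Verify return code: 0 (ok)
    Extended master secret: no
EOF
```

In practice the transcript is produced by piping the s_client command shown above into the function, for example `openssl s_client -smtls -connect IP:PORT -CAfile CA.pem </dev/null | check_smtls_transcript`; the lines that `-msg -debug` add are ignored because none of them begin with the field names being matched.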