SSL/TLS深度解析--在Nginx上部署TLS-創(chuàng)新互聯(lián)

利用 openssl 源代碼安裝 Nginx

[root@localhost software]# tar xf nginx-1.15.5.tar.gz 
[root@localhost software]# cd nginx-1.15.5/
[root@localhost nginx-1.15.5]# groupadd nginx
[root@localhost nginx-1.15.5]# useradd nginx -M -s /sbin/nologin -g nginx
[root@localhost nginx-1.15.5]# mkdir -p /project/nginx1.15.0
[root@localhost nginx-1.15.5]# mkdir -p /project/{logs/nginx,cache/nginx}
[root@localhost nginx-1.15.5]# ll /project/
總用量 0
drwxr-xr-x. 3 root root 19 11月  1 21:48 cache
drwxr-xr-x. 3 root root 19 11月  1 21:48 logs
drwxr-xr-x. 2 root root  6 11月  1 21:48 nginx1.15.0
[root@localhost nginx-1.15.5]# ./configure --prefix=/project/nginx1.15.0 --with-openssl=/opt/software/openssl-1.1.1 --with-openssl-opt="enable-ec_nistp_64_gcc_128" --with-http_ssl_module --user=nginx --group=nginx --error-log-path=/project/logs/nginx/error.log --http-log-path=/project/logs/nginx/access.log --http-client-body-temp-path=/project/cache/nginx/client_temp --http-proxy-temp-path=/project/cache/nginx/proxy_temp --http-fastcgi-temp-path=/project/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/project/cache/nginx/uwsgi_temp --http-scgi-temp-path=/project/cache/nginx/scgi_temp --with-file-aio --with-http_v2_module
[root@localhost nginx-1.15.5]# make -j 2
[root@localhost nginx-1.15.5]# make install
[root@localhost nginx-1.15.5]# make clean
rm -rf Makefile objs
[root@localhost nginx-1.15.5]# cd ..
[root@localhost software]# cd /project/nginx1.15.0/
[root@localhost nginx1.15.0]# sbin/nginx 
[root@localhost nginx1.15.0]# netstat -tulnp |grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:* 
[root@localhost nginx1.15.0]# ps -ef |grep nginx
root       7420      1  0 22:22 ?        00:00:00 nginx: master process sbin/nginx
nginx      7421   7420  0 22:22 ?        00:00:00 nginx: worker process
nginx      7422   7420  0 22:22 ?        00:00:00 nginx: worker process
nginx      7423   7420  0 22:22 ?        00:00:00 nginx: worker process
nginx      7424   7420  0 22:22 ?        00:00:00 nginx: worker process
root       7430   1869  0 22:23 pts/0    00:00:00 grep --color=auto nginx
[root@localhost nginx1.15.0]# mkdir conf/certs
[root@localhost nginx1.15.0]# mkdir html/tls
[root@localhost nginx1.15.0]# echo "Hello TLS" > html/tls/index.html
[root@localhost nginx1.15.0]# cat html/tls/index.html
Hello TLS
[root@localhost nginx1.15.0]# vim conf/nginx.conf
.......
# HTTPS server
    #
    server {
        listen       443 ssl;
        server_name www.linuxplus.com;

        ssl_certificate      certs/rsa_01cert.crt;
        ssl_certificate_key  certs/rsa_2048prikey.pem;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html/tls;
            index  index.html index.htm;
        }
    }
[root@localhost nginx1.15.0]# cd conf/certs/
[root@localhost certs]# openssl genrsa -out rsa_2048prikey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
.....................................................................................+++++
e is 65537 (0x010001)
[root@localhost certs]# ll
總用量 4
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl req -new -key rsa_2048prikey.pem -out rsa_01cert.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# ll
總用量 8
-rw-r--r--. 1 root root 1066 10月 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            3b:f9:bc:72:54:4e:25:a7:07:2d:92:42:06:a7:61:59
        Validity
            Not Before: Oct 28 11:20:49 2022 GMT
            Not After : Aug 24 11:20:49 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShanDong
            localityName              = QingDao
            organizationName          = Devops
            organizationalUnitName    = Devops
            commonName                = www.linuxplus.com
            emailAddress              = admin@linuxplus.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DB:39:F0:61:40:3D:0B:4A:0A:20:1C:02:AF:3C:49:2B:86:78:22:C6
            X509v3 Authority Key Identifier: 
                keyid:9F:7A:42:AF:E4:36:0D:01:CD:FF:27:57:18:2A:3E:CC:8A:77:C0:D7

Certificate is to be certified until Aug 24 11:20:49 2023 GMT (300 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# ll
總用量 12
-rw-r--r--. 1 root root 1241 10月 28 19:20 rsa_01cert.crt
-rw-r--r--. 1 root root 1066 10月 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# cd ../../sbin/
[root@localhost sbin]# ./nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost sbin]# ./nginx -s reload

主要從事網(wǎng)頁(yè)設(shè)計(jì)、PC網(wǎng)站建設(shè)（電腦版網(wǎng)站建設(shè)）、wap網(wǎng)站建設(shè)（手機(jī)版網(wǎng)站建設(shè)）、成都響應(yīng)式網(wǎng)站建設(shè)公司、程序開發(fā)、微網(wǎng)站、成都小程序開發(fā)等，憑借多年來(lái)在互聯(lián)網(wǎng)的打拼，我們?cè)诨ヂ?lián)網(wǎng)網(wǎng)站建設(shè)行業(yè)積累了豐富的網(wǎng)站設(shè)計(jì)制作、成都網(wǎng)站制作、網(wǎng)絡(luò)營(yíng)銷經(jīng)驗(yàn)，集策劃、開發(fā)、設(shè)計(jì)、營(yíng)銷、管理等多方位專業(yè)化運(yùn)作于一體，具備承接不同規(guī)模與類型的建設(shè)項(xiàng)目的能力。

TLS 協(xié)議的配置

Nginx協(xié)議配置有3個(gè)主要的配置項(xiàng)

• ssl_protocols ：用來(lái)指定所開啟協(xié)議的版本,目前1.2是主流而且更高效。不安全的SSLv2 和 SSLv3 都要禁用。
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  目前最新的TLS是1.3版本，不過(guò)目前也沒(méi)有大范圍使用，不過(guò)要支持TLS1.3，要使用openssl的1.1.1系列版本，所以要使用TLS1.3，升級(jí)openssl 并且在編譯安裝nginx的時(shí)候指定。

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

• ssl_prefer_server_ciphers ，在服務(wù)器與客戶端TLS握手時(shí)啟用服務(wù)器算法優(yōu)先，由
  服務(wù)器端選擇算法，這樣可以避免很多客戶端被***或比較老舊而引起的安全問(wèn)題。

ssl_prefer_server_ciphers  on;

• ssl_ciphers ，指定使用的算法套件以及它們的優(yōu)先順序。

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM
-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA 
AES128-SHA AES256-SHA ECDHE-RSA-RC4-SHA RC4-SHA";  #排在前面的優(yōu)先使用

• 通配符證書是證書的CN采用通配形式，即 *.linuxplus.com 這樣的模式。如果確定采用全站https的話，這樣的通配證書是可行的，很多大站點(diǎn)也是這樣做的，例如淘寶。
• 如果多個(gè)不同域名（二級(jí)域名）的站點(diǎn)使用同一個(gè)證書，可以把它們部署在同一個(gè)IP地址上。還是建議使用SNI，使每個(gè)站點(diǎn)有自己?jiǎn)为?dú)的證書。

配置雙證書

[root@localhost certs]# openssl ecparam -genkey -name prime256v1 -out ecdsa_01prikey.pem
[root@localhost certs]# openssl req -new -key ecdsa_01prikey.pem -out ecc01.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# openssl ca -in ecc01.csr -days 365 -out ecc_01cert.crt -batch -notext                                    Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fc
        Validity
            Not Before: Nov 10 14:32:15 2018 GMT
            Not After : Nov 10 14:32:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShanDong
            localityName              = QingDao
            organizationName          = Devops
            organizationalUnitName    = Devops
            commonName                = www.linuxplus.com
            emailAddress              = admin@linuxplus.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                67:7B:E7:71:A6:D5:63:C7:C3:E7:6F:E4:40:B4:06:1C:D5:B6:84:58
            X509v3 Authority Key Identifier: 
                keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56

Certificate is to be certified until Nov 10 14:32:15 2019 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# cd /project/nginx1.15.0/conf/
[root@localhost conf]# vim nginx.conf
......
        ssl_certificate      certs/ecc_01cert.crt;
        ssl_certificate_key  certs/ecdsa_01prikey.pem;

        ssl_certificate      certs/rsa_01cert.crt;
        ssl_certificate_key  certs/rsa_2048prikey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@localhost conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost conf]# ../sbin/nginx -s reload

客戶端身份驗(yàn)證

客戶端驗(yàn)證，是為了實(shí)現(xiàn)只有有證書的客戶端才能訪問(wèn)那個(gè)站點(diǎn)或服務(wù)，證書由站點(diǎn)管理和頒發(fā)

[root@www certs]# openssl genrsa -out client01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................................................................+++++
........................+++++
e is 65537 (0x010001)
[root@www certs]# openssl req -new -key client01.key -out client01.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com 
[root@www certs]# openssl ca -in client01.csr -md sha384 -out client01_cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fd
        Validity
            Not Before: Nov 11 06:06:53 2018 GMT
            Not After : Nov 11 06:06:53 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShanXi
            localityName              = XiAn
            organizationName          = Devops01
            organizationalUnitName    = Devops01
            commonName                = www.linuxplus.com
            emailAddress              = adm@linuxplus.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AC:6C:C1:A7:5A:C5:91:BD:97:3C:4A:2D:CA:03:53:91:38:E9:3B:E6
            X509v3 Authority Key Identifier: 
                keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56

Certificate is to be certified until Nov 11 06:06:53 2019 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01_cert.crt -inkey client01.key -out client01.p12
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
ssl_certificate      certs/ecc_01cert.crt;
        ssl_certificate_key  certs/ecdsa_01prikey.pem;

        ssl_certificate      certs/rsa_01cert.crt;
        ssl_certificate_key  certs/rsa_2048prikey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # 開啟客戶端身份驗(yàn)證
        ssl_verify_client on;
        # 指定客戶端證書到根證書的深度
        # ssl_verify_depth 2;
        # 指定簽發(fā)客戶端證書的CA證書
        ssl_client_certificate /usr/local/openssl/CA/root_cacert_ecc.pem;
        # 完整證書鏈中需要包含的其他CA證書
        # ssl_trusted_certificate rootca.crt;
        # 證書吊銷列表，有更新時(shí)Nginx需要重新加載
        ssl_crl /usr/local/openssl/CA/crl.pem;
#on:是開啟只接有客戶端證書的請(qǐng)求。如果請(qǐng)求未包含證書或者證書校驗(yàn)失敗，nginx會(huì)返回一個(gè)400錯(cuò)誤響應(yīng)。
#off:是關(guān)閉
#optional:不會(huì)強(qiáng)制阻斷訪問(wèn),不返回400?？稍?$ssl_client_verify 變量中查看各種狀態(tài)， NONE表示沒(méi)有證書， FAILED表示證書未通過(guò)驗(yàn)證， SUCCESS 表示證書有效。
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload

• 沒(méi)有導(dǎo)入證書
  

• Firefox 導(dǎo)入證書
  
  
  
  
  
  
  
  

• 360瀏覽器導(dǎo)入證書
  
  
  
  
  
  
  
  
  
  

[root@www certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -notext^C
[root@www certs]# openssl req -new -key client02.key -out client02.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
[root@www certs]# openssl ca -in client02.csr -md sha384 -out client02_cert.crt -batch -notext  
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fe
        Validity
            Not Before: Nov 11 14:00:18 2018 GMT
            Not After : Nov 11 14:00:18 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShanXi
            localityName              = XiAn
            organizationName          = Devops02
            organizationalUnitName    = Devops02
            commonName                = www.linuxplus.com
            emailAddress              = adm@linuxplus.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                6D:D2:63:9D:21:B1:82:4A:0F:19:B8:76:0F:B5:EA:E8:F0:F6:A3:6F
            X509v3 Authority Key Identifier: 
                keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56

Certificate is to be certified until Nov 11 14:00:18 2019 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client02_cert.crt -inkey client02.key -out client02.p12
#吊銷證書
[root@www certs]# openssl x509 -in client01_cert.crt -serial -noout
serial=92F43BDFF9AC3B5CAA3189D661C69AFD
[root@www certs]# openssl ca -revoke /usr/local/openssl/CA/newcerts/92F43BDFF9AC3B5CAA3189D661C69AFD.pem 
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Revoking Certificate 92F43BDFF9AC3B5CAA3189D661C69AFD.
Data Base Updated
[root@www certs]# openssl ca -gencrl -out /usr/local/openssl/CA/crl.pem 
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
[root@www certs]# openssl crl -in /usr/local/openssl/CA/crl.pem  -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = CAdevops, OU = CAdevops, CN = root_ca, emailAddress = admin@linuxplus.com
        Last Update: Nov 11 14:33:36 2018 GMT
        Next Update: Dec 11 14:33:36 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1048577
Revoked Certificates:
    Serial Number: 92F43BDFF9AC3B5CAA3189D661C69AFD
        Revocation Date: Nov 11 14:26:37 2018 GMT
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:e3:76:00:d4:07:22:2a:7f:43:1f:aa:8c:f5:
         be:c7:f7:a9:bd:1f:fb:65:f0:0b:d8:0c:a0:15:7c:f3:37:5d:
         63:02:20:08:d6:b8:4b:6b:3f:d2:7d:89:5f:2d:88:b5:ee:18:
         cd:81:6d:fe:80:4f:0c:ef:78:b8:81:c1:dc:ca:85:a3:9b
-----BEGIN X509 CRL-----
MIIBTjCB9QIBATAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
B0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxETAPBgNVBAoMCENBZGV2b3BzMREw
DwYDVQQLDAhDQWRldm9wczEQMA4GA1UEAwwHcm9vdF9jYTEiMCAGCSqGSIb3DQEJ
ARYTYWRtaW5AbGludXhwbHVzLmNvbRcNMTgxMTExMTQzMzM2WhcNMTgxMjExMTQz
MzM2WjAkMCICEQCS9Dvf+aw7XKoxidZhxpr9Fw0xODExMTExNDI2MzdaoBAwDjAM
BgNVHRQEBQIDEAABMAoGCCqGSM49BAMCA0gAMEUCIQDjdgDUByIqf0Mfqoz1vsf3
qb0f+2XwC9gMoBV88zddYwIgCNa4S2s/0n2JXy2Ite4YzYFt/oBPDO94uIHB3MqF
o5s=
-----END X509 CRL-----

[root@www conf]# vim nginx.conf
log_format  tls "$ssl_client_verify $pid $scheme $server_name $time_local  $remote_addr $connection $connection_requests  $ssl_protocol  $ssl_cipher   $ssl_session_id $ssl_session_reused $ssl_curves";
access_log  /project/logs/nginx/access.log  tls;

#$scheme：使用哪種協(xié)議
#$connection：TCP連接序號(hào)
#$connection_requests：表示在一個(gè)連接（長(zhǎng)連接）里面有多少次請(qǐng)求

[root@www logs]# tail -f access.log 
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800  172.16.216.181 315 1  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800  172.16.216.181 315 2  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800  172.16.216.181 315 3  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800  172.16.216.181 315 4  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
........
#SUCCESS：表示成功
#20481：Nginx的PID
#ECDHE-ECDSA-AES128-GCM-SHA256：密鑰套件

會(huì)話緩存

• 獨(dú)立會(huì)話緩存

[root@www nginx1.15.0]# vim conf/nginx.conf
ssl_session_tickets  off;
ssl_session_cache    shared:SSL:1m;    #分配1MB的共享內(nèi)存緩存，使用1 MB的內(nèi)存可以緩存大約4000個(gè)會(huì)話
ssl_session_timeout  5m;               #設(shè)置會(huì)話緩存過(guò)期時(shí)間，默認(rèn)的會(huì)話緩存過(guò)期時(shí)間只有5分鐘

SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800  172.16.216.181 331 1  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800  172.16.216.181 331 2  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800  172.16.216.181 331 3  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800  172.16.216.181 331 4  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800  172.16.216.181 331 5  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800  172.16.216.181 331 6  TLSv1.2  ECDHE-ECDSA-AES128-GCM-SHA256   20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -

#r 則表示被重用，如果是.表示沒(méi)有重用

• 配置項(xiàng)使用格式：

  ssl_session_cache  off | none | [builtin[:size]] [shared:name:size]

  默認(rèn)選項(xiàng)是 none；
  off ：禁用緩存 。
  none：禁用緩存，但是通知客戶端可以重用會(huì)話（session），但是并不實(shí)際存儲(chǔ)。
  builtin：內(nèi)建，這個(gè)緩存只能被一個(gè)worker進(jìn)程使用（nginx可以有過(guò)個(gè)worker進(jìn)程），與builtin 配合的單位參數(shù)是個(gè)數(shù) builtin:100 表示緩存100個(gè)session；如果沒(méi)有寫明數(shù)量 那么默認(rèn)是20480個(gè)session。使用builtin會(huì)引起一些內(nèi)存碎片。
  shared：共享， shared:xx_name:xxM;，在多個(gè)worker進(jìn)程中共享session，單位是M（兆字節(jié)），1M可以存放大概4000個(gè)session，共享的緩存可以有1個(gè)名稱，名稱一樣的緩存可以在多個(gè) nginx 上配置的 server 塊上共享使用。
  還可以混合使用 builtin 和 shared
  ssl_session_cache builtin:1000 shared:SSL:10m; 只用共享緩存而不用內(nèi)置緩存應(yīng)該更有效率。根據(jù)項(xiàng)目情況來(lái)決定。

• 分布式會(huì)話票證

[root@www nginx1.15.0]# cd conf/certs/
[root@www certs]# openssl rand -out ticket48.key 48
[root@www certs]# openssl rand -out ticket80.key 80 
[root@www certs]# ll -l ticket48.key
-rw-r--r--. 1 root root 48 11月 24 14:23 ticket48.key
[root@www certs]# ll -l ticket80.key               
-rw-r--r--. 1 root root 80 11月 24 14:31 ticket80.key
[root@www certs]# cd ../..
[root@www nginx1.15.0]# vim conf/nginx.conf
ssl_session_tickets on;
ssl_session_ticket_key certs/ticket48.key;    #設(shè)置新密鑰，用于新票證的加解密
ssl_session_ticket_key certs/ticket80.key;    #保留前一個(gè)密鑰用于老票證的解密
[root@www nginx1.15.0]# sbin/nginx -s reload
[root@www nginx1.15.0]# openssl s_client -connect 172.16.216.188:443
.......
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 0734C4A2519DD91A6B03BA6E1A572FA2E8DAB69CC23A41A249E4219B6B16934E
    Session-ID-ctx: 
    Master-Key: AC6A686B930A886990E031117F1032F5829C57EAFA2C363D9917973E401FE420D5F566BA5F5CD5ED2E922F5E6E6E1F1B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 95 0a 94 18 66 9c fa fb-bb e7 79 81 19 46 a5 77   ....f.....y..F.w
    0010 - ec a8 37 e6 6e a2 34 0d-4e 2b e2 ce 58 3c a8 23   ..7.n.4.N+..X<.#
    0020 - 8f 73 59 fd 30 0a bf 37-e2 47 6d 9e 10 76 1a 90   .sY.0..7.Gm..v..
    0030 - f5 5d 7c 8c e0 32 a5 d4-3a a5 c5 e9 dc 62 e5 eb   .]|..2..:....b..
    0040 - fc 7d c0 98 df dd 76 4c-29 d6 51 79 d9 6a c2 f7   .}....vL).Qy.j..
    0050 - e2 a5 ec a3 46 d1 27 3c-75 12 38 18 ec 20 b1 18   ....F.'<u.8.. ..
    0060 - 41 13 be 58 45 96 a5 1f-7a 90 aa a1 73 17 8b 27   A..XE...z...s..'
    0070 - 89 7b 63 2a 2f ad 61 53-3d d8 4e 13 c6 41 97 1f   .{c*/.aS=.N..A..
    0080 - ec 75 d7 bf 7f 96 29 4d-cf f6 3e 0d 23 35 fc 9a   .u....)M..>.#5..
    0090 - 57 98 2a 81 2c e7 b0 e1-27 33 aa d7 fb 13 01 c3  w.*.,...'3......
    00a0 - 91 86 f5 63 5c b5 be 1a-58 a5 99 61 1a 82 36 de   ...c\...X..a..6.
......

使用兩個(gè)密鑰輪轉(zhuǎn)的方式，在密鑰更新時(shí)服務(wù)器就不會(huì)丟棄更新前建立的會(huì)話。
在集群中實(shí)施會(huì)話票證密鑰的輪替是不可靠的，因?yàn)闊o(wú)法完美的實(shí)現(xiàn)新的密鑰在同一個(gè)時(shí)刻被所有節(jié)點(diǎn)同時(shí)更新。如果某個(gè)節(jié)點(diǎn)在其他節(jié)點(diǎn)前使用了新密鑰，并給某個(gè)客戶端生成了票據(jù)，隨后客戶端再次發(fā)送過(guò)來(lái)的請(qǐng)求被分配到其他節(jié)點(diǎn)處理，而其他節(jié)點(diǎn)可能無(wú)法解密數(shù)據(jù)（集群未采取流量保持機(jī)制），而導(dǎo)致SSL重新握手，這樣會(huì)造成性能下降，甚至?xí)霈F(xiàn)一個(gè)瓶頸期；歸根結(jié)底是各個(gè)節(jié)點(diǎn)在重新加載配置的時(shí)候會(huì)不可避免的存在時(shí)間差。如果選擇使用會(huì)話票證，不要過(guò)于頻繁的更新密鑰，盡量在設(shè)計(jì)上會(huì)使用流量保持，把同一個(gè)用戶分發(fā)到相同節(jié)點(diǎn)。
如果要完美地實(shí)現(xiàn)集群的會(huì)話票證密鑰輪轉(zhuǎn)，并且不介意操作兩次集群配置，可以按以下步驟操作。
(1) 生成一個(gè)新密鑰。
(2) 將新的密鑰替換掉只用于解密的老密鑰，重啟各個(gè)節(jié)點(diǎn)；加載配置，使所有節(jié)點(diǎn)都只使用新密鑰。
(3) 將兩個(gè)密鑰交換位置，新密鑰作為加解密的密鑰，之前的密鑰作為只解密的老密鑰。
可以從容的依次重啟各個(gè)節(jié)點(diǎn)，因?yàn)樗泄?jié)點(diǎn)在第一次配置中已經(jīng)加載了新密鑰，所以可以正常解密由新密鑰加密的票據(jù)，不會(huì)有任何時(shí)間差帶來(lái)的問(wèn)題。

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)scvps.cn，海內(nèi)外云服務(wù)器15元起步，三天無(wú)理由+7*72小時(shí)售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國(guó)服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡(jiǎn)單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢(shì)，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場(chǎng)景需求。

分享名稱：SSL/TLS深度解析--在Nginx上部署TLS-創(chuàng)新互聯(lián)
分享URL：http://bm7419.com/article42/goeec.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供服務(wù)器托管、建站公司、網(wǎng)站營(yíng)銷、網(wǎng)站內(nèi)鏈、手機(jī)網(wǎng)站建設(shè)、響應(yīng)式網(wǎng)站

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來(lái)源： 創(chuàng)新互聯(lián)