openssl 1.0.2以上的版本开始支持 tls1.2,本文介绍如何编译。

下载nginx/openssl

nginx: http://nginx.org/download/

openssl: https://www.openssl.org/source/

安装openssl

# tar zxvf openssl-1.0.2l.tar.gz
# mkdir /usr/local/openssl12
# cd openssl-1.0.2l/
# ./config --prefix=/usr/local/openssl12/
# make && make install

安装nginx

安装依赖包

# yum install gcc-c++ readline-devel zlib-devel libffi-devel \
openssl-devel make autoconf automake libtool bison libxml2-devel \
libxslt-devel libyaml-devel pcre pcre-devel gd gd-devel perl-devel \
perl-ExtUtils-Embed GeoIP-devel
# tar zxvf nginx-1.10.2.tar.gz
# cd nginx-1.10.2/
# vim auto/lib/openssl/conf #找到以下内容把.openssl去掉
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
# ./configure --prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/subsys/nginx \
--user=nginx --group=nginx --with-file-aio --with-ipv6 \
--with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_addition_module --with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
--with-http_sub_module --with-http_dav_module --with-http_flv_module \
--with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module \
--with-http_random_index_module --with-http_secure_link_module \
--with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
--with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector \
--param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E' \
--with-openssl=/usr/local/openssl12
# make && make install

以上是真实的服务器上安装的。以下是在阿里云上面安装的。

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx \
--group=nginx --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
--with-http_addition_module --with-http_image_filter_module=dynamic --with-http_sub_module \
--with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
--with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module \
--with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
--with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
--with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-openssl=/usr/local/openssl12

因为nginx都是事先用yum安装好的,手动编译安装的时候,用了nginx -V的参数。阿里云,安装的时候要注意,有很多包都没有,安装的时候报了很多错,查找一下,如果有不需要的模块,在编译参数中就去掉,如果有缺失的就安装一下。如果安装成功后,nginx还是报错。就找一下以下目录。

# /usr/share/nginx/modules #把报错的模块删除,要先备份

配置nginx

ssl on;
ssl_certificate /etc/nginx/mall.pem;
ssl_certificate_key /etc/nginx/mall.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1.2; #注意这个1.2
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;

下载nmap测试tls

# yum install nmap
# nmap --script ssl-enum-ciphers -p 443 <ip>

完毕。