{"id":7774,"date":"2018-11-23T12:05:04","date_gmt":"2018-11-23T04:05:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=7774"},"modified":"2018-11-23T12:05:04","modified_gmt":"2018-11-23T04:05:04","slug":"ssl-and-tls-1-3-on-nginx","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7774","title":{"rendered":"SSL and TLS 1.3 on Nginx"},"content":{"rendered":"<p>I have heard that there is TLS 1.3.<\/p>\n<p>I have been itching to tinker with it and try it out. In the past, not many browsers supported it,<br \/>\nand not many people on the Internet had tried it. Some large websites have already enabled TLS 1.3,<br \/>\nand many bloggers have upgraded their blogs to TLS 1.3, leaving behind valuable experience. I can&#8217;t help it anymore.<br \/>\nLet&#8217;s take a look at it today. OpenSSL 1.1.1 LTS has been released, which includes the official final version of TLS 1.3.<\/p>\n<p>Software version<br \/>\n&#8226; Nginx: nginx-1.15.4<br \/>\n&#8226; OpenSSL: openssl-1.1.1 (LTS)<\/p>\n<p>Tutorial<\/p>\n<p>Install dependencies<\/p>\n<p>sudo apt update<br \/>\nsudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g-dev liblua5.1-dev libluajit-5.1-dev libgeoip-dev google-perftools libgoogle-perftools-dev<\/p>\n<p>Download and unzip the required software<\/p>\n<p>wget https:\/\/nginx.org\/download\/nginx-1.15.4.tar.gz<br \/>\ntar zxf nginx-1.15.4.tar.gz<br \/>\nwget https:\/\/www.openssl.org\/source\/openssl-1.1.1.tar.gz<br \/>\ntar zxf openssl-1.1.1.tar.gz<\/p>\n<p>OpenSSL patching<\/p>\n<p>pushd openssl-1.1.1<br \/>\n# TLS 1.3 Draft 23, 26, 28 and Final patch<br \/>\ncurl https:\/\/raw.githubusercontent.com\/hakasenyang\/openssl-patch\/master\/openssl-equal-1.1.1_ciphers.patch | patch -p1<br \/>\n# Ignore Strict-SNI log patch<br \/>\ncurl https:\/\/raw.githubusercontent.com\/hakasenyang\/openssl-patch\/master\/openssl-ignore_log_strict-sni.patch | patch -p1<br \/>\npopd<\/p>\n<p>Nginx patching<\/p>\n<p>pushd nginx-1.15.4<br \/>\n# SPDY, HTTP2 HPACK, Dynamic TLS Record, Fix Http2 Push Error, PRIORITIZE_CHACHA patch<br \/>\ncurl https:\/\/raw.githubusercontent.com\/kn007\/patch\/43f2d869b209756b442cfbfa861d653d993f16fe\/nginx.patch | patch -p1<br \/>\ncurl https:\/\/raw.githubusercontent.com\/kn007\/patch\/c59592bc1269ba666b3bb471243c5212b50fd608\/nginx_auto_using_PRIORITIZE_CHACHA.patch | patch -p1<br \/>\n# Strict-SNI patch<br \/>\ncurl https:\/\/raw.githubusercontent.com\/hakasenyang\/openssl-patch\/master\/nginx_strict-sni.patch | patch -p1<br \/>\npopd<\/p>\n<p>Compile and install Nginx<\/p>\n<p>If you have previously compiled and installed Nginx, you can run nginx -V to view the configure arguments used before, and then compile again with those plus the parameters required below.<\/p>\n<p>Key parameters:<br \/>\n&#8226; Add --with-openssl=..\/openssl-1.1.1 to specify the OpenSSL path<br \/>\n&#8226; HTTP2 HPACK requires the --with-http_v2_hpack_enc parameter<br \/>\n&#8226; SPDY requires the --with-http_spdy_module parameter<\/p>\n<p>Note that the --with-openssl parameter must point to your own OpenSSL directory.<\/p>\n<p>My full configure command is as follows; adapt it to your own setup.<\/p>\n<p>cd nginx-1.15.4<\/p>\n<p>.\/configure \\<br \/>\n--user=www \\<br \/>\n--group=www \\<br \/>\n--prefix=\/usr\/local\/nginx \\<br \/>\n--with-http_stub_status_module \\<br \/>\n--with-threads \\<br \/>\n--with-file-aio \\<br \/>\n--with-pcre-jit \\<br \/>\n--with-http_ssl_module \\<br \/>\n--with-http_v2_module \\<br \/>\n--with-http_gzip_static_module \\<br \/>\n--with-http_sub_module \\<br \/>\n--with-http_flv_module \\<br \/>\n--with-http_mp4_module \\<br \/>\n--with-http_gunzip_module \\<br \/>\n--with-http_realip_module \\<br \/>\n--with-http_addition_module \\<br \/>\n--with-stream \\<br \/>\n--with-stream_ssl_module \\<br \/>\n--with-stream_ssl_preread_module \\<br \/>\n--with-stream_realip_module \\<br \/>\n--with-http_slice_module \\<br \/>\n--with-http_geoip_module \\<br \/>\n--with-google_perftools_module \\<br \/>\n--with-openssl=..\/openssl-1.1.1 \\<br \/>\n--with-http_v2_hpack_enc \\<br \/>\n--with-http_spdy_module<\/p>\n<p>After configure completes, enter the following command to start compiling.<\/p>\n<p>make<\/p>\n<p>After compilation completes, if no error is reported, enter the following to install.<\/p>\n<p>make install<\/p>\n<p>Configuring the Nginx virtual hosts<\/p>\n<p>Add the following to the appropriate location in your conf file, replacing the original content. I removed TLSv1 and TLSv1.1 for security reasons. In addition, the new TLS 1.3 cipher suites can only be used with TLS 1.3, and the old cipher suites cannot be used with TLS 1.3. It seems that all virtual hosts must be configured to use TLS 1.3.<\/p>\n<p>ssl_early_data on;<br \/>\nssl_protocols TLSv1.2 TLSv1.3;<br \/>\nssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;<br \/>\nssl_ecdh_curve X25519:P-256:P-384;<br \/>\nssl_prefer_server_ciphers on;<\/p>\n<p>Finally, use nginx -t to test the correctness of the nginx configuration.<\/p>\n<p>success<\/p>\n<p>Restart Nginx and you will find that your website is already using TLS 1.3.<\/p>\n<p>rminal window and follow these steps:<\/p>\n<p>1. Generate the private key using the command sudo openssl genrsa -out ca.key 2048<\/p>\n<p>2. Generate a CSR using the command sudo openssl req -new -key ca.key -out ca.csr<\/p>\n<p>3. Use the command sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt to generate a self-signed certificate<\/p>\n<p>Now we need to copy the newly generated files to the correct locations with the following commands:<\/p>\n<p>sudo cp ca.crt \/etc\/ssl\/certs\/<br \/>\nsudo cp ca.key \/etc\/ssl\/private\/<br \/>\nsudo cp ca.csr \/etc\/ssl\/private\/<\/p>\n<p>Create an Nginx configuration<\/p>\n<p>Remember, we want to enable SSL via TLS support. To do this, we must create a new Nginx configuration file with the following command:<\/p>\n<p>sudo nano \/etc\/nginx\/conf.d\/ssl.conf<\/p>\n<p>In the file, paste the following:<\/p>\n<p>server {<\/p>\n<p>location \/ {<br \/>\nroot \/usr\/share\/nginx\/html;<br \/>\nindex index.html index.htm;<br \/>\n}<\/p>\n<p>listen 443 ssl;<br \/>\nserver_name www.example.com;<br \/>\nssl_certificate \/etc\/ssl\/certs\/ca.crt;<br \/>\nssl_certificate_key \/etc\/ssl\/private\/ca.key;<br \/>\nssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;<br \/>\nssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:HIGH:!aNULL:!MD5;<\/p>\n<p>}<\/p>\n<p>Note: Be sure to change the root location to reflect your Nginx installation. However, if you followed the steps above to build an Nginx that supports TLS 1.3, the above configuration should work.<\/p>\n<p>Save and close the file. Test the new Nginx configuration file with the following command:<\/p>\n<p>sudo nginx -t<\/p>\n<p>You should see that the test passed.<\/p>\n<p>Restart and test<\/p>\n<p>Now we need to restart NGINX. Use the following command to do this:<\/p>\n<p>sudo systemctl restart nginx<\/p>\n<p>Point your browser to https:\/\/SERVER_IP and you should see the NGINX welcome screen.<br \/>\nTo ensure that your site is delivered with TLS 1.3 enabled, you can use the browser&#8217;s built-in tools.<br \/>\nFor example, in Firefox, open the page and click the security button (the lock icon to the left of the address bar).<br \/>\nClick the right arrow associated with the page, then click More Info.<br \/>\nIn the results window (Figure B), you should see the connection using TLS 1.3 encryption.<\/p>\n<p>This is all it takes to enable SSL and TLS on an Nginx website.<br \/>\nRemember that you should use an SSL certificate from a reputable certificate authority.<br \/>\nHowever, it is always a good idea to use a self-signed certificate for testing purposes.<br \/>\nOnce you have confidence in this process, purchase a certificate and deploy it to your Nginx site.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have heard that there is TLS 1.3.<\/p>\n<p>I have been itching to tinker with it and try it out. In the past, not many browsers supported it, and not many people on the Internet had tried it. 
There are some large website sites that have already got TLS1.3, and many bloggers have upgraded their [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7774"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7774"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7774\/revisions"}],"predecessor-version":[{"id":7775,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7774\/revisions\/7775"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}