Using GnuTLS with Nginx?

21 September 2016 | Category: [Technology]

Reference: https://www.osso.nl/blog/git-gnutls-handshake-failed-nginx-ciphers/
Reference: http://stackoverflow.com/questions/41189962/gnutls-and-openssl-handshake-in-nginx
Reference: http://askubuntu.com/questions/53638/can-i-use-nginx-and-gnutls-together

It is not possible to use GnuTLS with nginx.

Nginx supports the SNI extension of the TLS protocol (Server Name Indication; simply put, this extension makes it possible to serve different domain names with different certificates on the same IP address). However, SNI must also be supported by the client, and the local OpenSSL must support it as well.

If SSL support is enabled, nginx automatically detects OpenSSL and enables SNI. Whether SNI support is enabled is decided at compile time by the ssl.h present at that time (SSL_CTRL_SET_TLSEXT_HOSTNAME): if the OpenSSL library used at compile time supports SNI, then SNI works as long as the OpenSSL library on the target system also supports it.

By default, Nginx reports "TLS SNI support disabled".

How to enable it:

Nginx must be recompiled with TLS enabled. The steps are as follows:

# (run from the unpacked nginx source directory, so that ./configure and the
#  relative --with-openssl path both resolve)
# wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
# tar zxvf openssl-1.0.1e.tar.gz
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
    --with-openssl=./openssl-1.0.1e \
    --with-openssl-opt="enable-tlsext"
# make
# make install

Check whether it is enabled:

# /usr/local/nginx/sbin/nginx -V
TLS SNI support enabled

With this, multiple HTTPS hosts can be configured on the same IP address.

Example:

server  {
        listen 443;
        server_name   www.ttlsa.com;
        index index.html index.htm index.php;
        root  /data/wwwroot/www.ttlsa.com/webroot;
        ssl on;
        ssl_certificate "/usr/local/nginx/conf/ssl/www.ttlsa.com.public.cer";
        ssl_certificate_key "/usr/local/nginx/conf/ssl/www.ttlsa.com.private.key";
 ......
}

server  {
        listen 443;
        server_name   www.heytool.com;
        index index.html index.htm index.php;
        root  /data/wwwroot/www.heytool.com/webroot;
        ssl on;
        ssl_certificate "/usr/local/nginx/conf/ssl/www.heytool.com.public.cer";
        ssl_certificate_key "/usr/local/nginx/conf/ssl/www.heytool.com.private.key";
 ......
}

Each virtual host can then be accessed normally.
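To confirm that SNI is actually in effect on a host built and configured as above, the following added example (not from this post or the referenced articles) parses the `nginx -V` output for the SNI line and connects to one IP with each server_name as SNI, reporting whether the certificate served covers that name. It assumes only the Python standard library and certificates that validate against the system CA store; the host names passed to audit() are whichever vhosts were configured.

```python
"""Added example (not from the post): parse `nginx -V` for SNI support and check which
certificate an nginx IP serves per SNI name. Stdlib only; cert dicts have the shape of
ssl.SSLSocket.getpeercert(), and the values used in tests are constructed."""
import socket
import ssl

def sni_enabled(nginx_v_output: str) -> bool:
    """True only if the 'TLS SNI support ...' line of `nginx -V` ends in 'enabled'."""
    for line in nginx_v_output.splitlines():
        if "TLS SNI support" in line:
            return line.strip().endswith("enabled")
    return False  # no such line: nginx was built without the SSL module

def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName, falling back to the subject CN for legacy certs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*' covers exactly one label, never the apex."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert: dict, hostname: str) -> bool:
    return any(name_matches(name, hostname) for name in cert_names(cert))

def fetch_cert(ip: str, server_name: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with `ip`, sending `server_name` as SNI; return the leaf certificate.
    Chain validation stays on (system CAs); only the name check is done by cert_covers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # a name mismatch is reported by audit(), not raised here
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()

def audit(ip: str, server_names: list, port: int = 443) -> dict:
    """Map each vhost name to (cert covers it?, names in the cert served for that SNI)."""
    results = {}
    for name in server_names:
        cert = fetch_cert(ip, name, port)
        results[name] = (cert_covers(cert, name), cert_names(cert))
    return results
```

If every name in the audit() result maps to the same non-covering certificate, the server is ignoring SNI and handing out the default vhost's certificate.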

Reference: http://www.ttlsa.com/web/multiple-https-host-nginx-with-a-ip-configuration/

Note: this is achieved through OpenSSL's SNI support; GnuTLS cannot be combined with Nginx to provide the same functionality.

Reference: http://askubuntu.com/questions/53638/can-i-use-nginx-and-gnutls-together

It is not possible to use GnuTLS with nginx. Here are some source files having ssl in their names (from the nginx 1.7.7 source), GnuTLS does not seem to be mentioned:

auto/lib/openssl/
src/mail/ngx_mail_ssl_module.h
src/mail/ngx_mail_ssl_module.c
src/http/modules/ngx_http_ssl_module.c
src/http/modules/ngx_http_ssl_module.h
src/event/ngx_event_openssl.h
src/event/ngx_event_openssl.c
src/event/ngx_event_openssl_stapling.c

Neither has GnuTLS been mentioned in the source (grep -rni gnutls . or even grep -rni gnu .). According to Compatibility with the OpenSSL Library, GnuTLS cannot fully replace OpenSSL.

Unless you really need it, use the current version of nginx and OpenSSL. Work has been done for OpenSSL 1.0.1 to support TLS 1.2. See Changes between 1.0.0h and 1.0.1 [14 Mar 2012].

Note: the reason GnuTLS cannot be used with nghttp2 to serve multiple HTTPS hosts all over HTTP/2 is similar; nghttp2 can only provide this kind of functionality together with OpenSSL.

Reference: http://amon.org/gnutls-http2