Nginx是否支持GNUTLS

2019年10月10日 | 分类: 【技术】

Nginx是否支持GNUTLS?

参考:https://www.osso.nl/blog/git-gnutls-handshake-failed-nginx-ciphers/
参考:http://stackoverflow.com/questions/41189962/gnutls-and-openssl-handshake-in-nginx
参考:http://askubuntu.com/questions/53638/can-i-use-nginx-and-gnutls-together

It is not possible to use GnuTLS with nginx.

Nginx支持TLS协议的SNI扩展(Server Name Indication,简单地说这个扩展使得在同一个IP上可以以不同的证书serv不同的域名)。不过,SNI扩展还必须有客户端的支持,另外本地的OpenSSL必须支持它。

如果启用了SSL支持,nginx便会自动识别OpenSSL并启用SNI。是否启用SNI支持,是在编译时由当时的 ssl.h 决定的(SSL_CTRL_SET_TLSEXT_HOSTNAME),如果编译时使用的OpenSSL库支持SNI,则目标系统的OpenSSL库只要支持它就可以正常使用SNI了。

Nginx在默认情况下是TLS SNI support disabled。

参考:http://www.ttlsa.com/web/multiple-https-host-nginx-with-a-ip-configuration/
注意:这里是通过OpenSSL的SNI支持来实现的,gnutls却不能配合Nginx实现同类功能。

参考:http://askubuntu.com/questions/53638/can-i-use-nginx-and-gnutls-together

It is not possible to use GnuTLS with nginx. Here are some source files having ssl in their names (from the nginx 1.7.7 source), GnuTLS does not seem to be mentioned:

auto/lib/openssl/
src/mail/ngx_mail_ssl_module.h
src/mail/ngx_mail_ssl_module.c
src/http/modules/ngx_http_ssl_module.c
src/http/modules/ngx_http_ssl_module.h
src/event/ngx_event_openssl.h
src/event/ngx_event_openssl.c
src/event/ngx_event_openssl_stapling.c

Neither has GnuTLS been mentioned in the source (grep -rni gnutls . or even grep -rni gnu .). According to Compatibility with the OpenSSL Library, GnuTLS cannot fully replace OpenSSL.

Unless you really need it, use the current version of nginx and OpenSSL. Work has been done for OpenSSL 1.0.1 to support TLS 1.2. See Changes between 1.0.0h and 1.0.1 [14 Mar 2012].

注意:gnutls不能配合nghttp2实现多https均http2的原因也是类似,nghttp2只能配合OpenSSL实现此类功能。

参考:https://amon.org/gnutls-http2

【参考】

理论
https://blog.csdn.net/u011130578/article/details/77979325
https://www.alibabacloud.com/help/zh/faq-detail/43742.htm
https://shansing.com/read/355/
https://wiki.openssl.org/index.php/TLS1.3
https://zh.wikipedia.org/wiki/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%90%8D%E7%A7%B0%E6%8C%87%E7%A4%BA

Apache
http://blog.51cto.com/guoxh/2114630
https://www.wosign.com/faq/multisite-multidomain-https.htm
http://www.linuxdiyf.com/linux/32329.html
http://www.ttlsa.com/web/sni-multi-domain-virtual-host-ssl-tls-authentication/

Nginx
https://zhidao.baidu.com/question/1673406059627368307.html
http://www.cnblogs.com/wjoyxt/p/6134128.html
https://my.oschina.net/careyjike/blog/896507
https://www.restran.net/2017/01/24/nginx-letsencrypt-https/
http://www.ttlsa.com/web/multiple-https-host-nginx-with-a-ip-configuration/
https://www.jianshu.com/p/d40e249774ff
https://segmentfault.com/a/1190000013839445
http://www.voidcn.com/article/p-cuazhgls-np.html
http://ju.outofmemory.cn/entry/308785
https://www.diewufeiyang.com/post/971.html
https://www.tingtao.org/archives/709.html
http://www.voidcn.com/article/p-pdkgnexa-bbe.html
http://linux.it.net.cn/e/server/nginx/2014/1208/9876.html