Log for YSITD
nginx version: nginx/1.10.3built with OpenSSL 1.0.2k 26 Jan 2017openssl s_client 得到了
SSL23_GET_SERVER_HELLOFirefox 得到了
SSL_ERROR_NO_CYPHER_OVERLAPChrome 得到了
ERR_SSL_VERSION_OR_CIPHER_MISMATCHnginx proxy 得到了
SSL_do_handshake() failed (SSL: error:14FFF410:SSL routines:SSL_internal:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream我完全沒頭緒怎麼解這問題orz...
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE- ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA25 6:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA38 4:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE -RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AE S256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-A ES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA: EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SH A256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
9f:78:7b:81:64:69:e2:1d:72:b9:d7:e7:c7:cc:83:f5:97:68:
9a:6d:46:3e:42:b7:02:33:ec:f1:97:0e
root@www:/etc/ssl#root@www:/etc/ssl# openssl x509 -noout -text -in www.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:0e:01:fa:35:b6:79:63
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=TW, ST=Taiwan, L=Taoyuan City, O=CSIE in Ming-Chuan University, OU=Networking Information Center, CN=Ballerina Certificate Authority - SHA256
Validity
Not Before: Mar 31 20:15:46 2017 GMT
Not After : Mar 31 20:15:46 2025 GMT
Subject: C=TW, ST=Taiwan, L=Taoyuan City, O=CSIE in Ming-Chuan University, OU=Networking Information Center, CN=10.100.0.2
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:d0:89:4b:76:68:09:df:d0:19:1a:f5:4f:17:
77:a6:48:04:ba:70:2b:76:00:e4:f0:bd:95:34:da:
cc:e7:7f:e0:23:25:28:bb:87:34:ae:82:a2:98:88:
69:66:d2:64:70:c6:e5:bb:bb:64:09:08:5f:a9:a5:
a9:b8:76:3f:e9:7b:45:01:93:99:eb:1c:c3:b5:5a:
2b:db:dc:b2:79:40:50:e1:6c:ff:26:57:86:03:f1:
4b:6b:b2:5c:e6:7a:c7:1c:a9:a4:08:dd:a9:d0:15:
cb:58:13:06:35:4f:c3:eb:98:18:a4:09:cb:f6:4b:
b7:f6:01:a1:a3:e1:62:ef:45:f1:12:0e:2b
Field Type: prime-field
Prime:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff
A:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:fc
B:
51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
d4:6b:50:3f:00
Generator (uncompressed):
04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
b7:1e:91:38:64:09
Cofactor: 1 (0x1)
Seed:
d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
aa:a0:da:64:ba
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:41:0b:b6:58:5b:87:df:87:ca:17:18:a8:6f:7e:
96:03:bc:59:57:7c:63:05:13:d6:40:92:d7:de:24:5e:f5:07:
f6:4d:0c:dd:f0:44:dd:98:47:2e:e8:4d:b6:75:fa:cd:89:55:
83:d8:90:21:7e:26:63:47:69:1b:85:3a:86:c0:f1:fd:02:42:
00:a9:22:5a:65:83:af:f7:3e:07:b4:1c:13:50:db:5c:e2:4f:
8a:b2:b7:f0:08:44:55:9b:47:cb:44:f5:15:89:ac:ad:d9:f0:server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 default_server http2 ssl;
listen [::]:443 default_server http2 ssl;
ssl_certificate /etc/ssl/www.crt;
ssl_certificate_key /etc/ssl/www.key;
root /var/www/html;
index index.php index.html index.htm;
server_name _;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}root@www:/etc/ssl# grep ssl /etc/nginx/nginx.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_cache shared:ssl_session_cache:10m;我目前的設定是只留
ssl_certificate
ssl_certificate_key
ssl_trusted_certificate
然後 listen 443 http2 跟 listen [::]:443 http2
其他都沒有
給你當參考
ssl_certificate
ssl_certificate_key
ssl_trusted_certificate
然後 listen 443 http2 跟 listen [::]:443 http2
其他都沒有
給你當參考
openssl ecparam -name secp384r1 -genkey -out rootCA.key openssl req -new -x509 -key rootCA.key -sha256 -nodes -out rootCA.pem -days 7305 -config openssl.cnf openssl ecparam -name secp384r1 -genkey -out www.key openssl req -new -key www.key -out www.csr openssl x509 -req -in www.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out www.crt -days 2922 -sha256
這樣試試看?
筆記下我的步驟:
openssl ecparam -name secp384r1 -genkey -param_enc explicit -out rootCA.key openssl req -new -x509 -key rootCA.key -sha256 -nodes -out rootCA.pem -days 7305 -config openssl.cnf openssl ecparam -name secp384r1 -genkey -param_enc explicit -out www.key openssl req -new -key www.key -out www.csr openssl x509 -req -in www.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out www.crt -days 2922 -sha256