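I have Nginx 1.18.0 with OpenSSL v1.1.1g enabled. I know that TLSv1.3 could not be enabled before this version, but even with this version it is not possible. If I check the SSL checker websites, v1.2 is enabled without any errors, but v1.3 is not.
Any ideas what might be causing this?
nginx config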
server {
listen 443 ssl default_server;
server_name www.website.com;
#### REAL SSL STARTS ####
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/STAR_website_com.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
proxy_ssl_protocols TLSv1.2 TLSv1.3;
### REAL SSL ENDS ####
# proxy_cookie_path / "/; HTTPOnly; Secure";
#
access_log /var/log/nginx/website443.access.log;
#access_log /var/log/nginx/domains/website.com.au.bytes bytes;
error_log /var/log/nginx/domains/website443.com.error.log;
#access_log /var/log/nginx/website.com.au.access.log;
#error_log /var/log/nginx/website.com.au.error.log;
#php-fpm log /usr/log/www.access.log
Nginx -V
[root@test2-au ssl]# nginx -V
nginx version: nginx/1.18.0
custom build maintained on github.com/karljohns0n/nginx-more
built by gcc 8.3.1 20190507 (Red Hat 8.3.1-4) (GCC)
built with **OpenSSL 1.1.1g** 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/cache/client_body --http-proxy-temp-path=/var/lib/nginx/cache/proxy --http-fastcgi-temp-path=/var/lib/nginx/cache/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/cache/uwsgi --http-scgi-temp-path=/var/lib/nginx/cache/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-compat --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_geoip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_slice_module --with-stream_ssl_preread_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DTCP_FASTOPEN=23' --with-openssl=modules/openssl-1.1.1g --with-http_v2_hpack_enc --add-dynamic-module=modules/ngx_modsecurity-1.0.1 --add-module=modules/ngx_headers_more-0.33 --add-module=modules/ngx_cache_purge-2.3 --add-module=modules/ngx_module_vts-0.1.18 --add-module=modules/ngx_pagespeed-1.13.35.2-stable --add-module=modules/ngx_brotli-snap20200506 
--add-module=modules/ngx_http_geoip2_module-3.3 --add-module=modules/ngx_echo-0.61
OpenSSL version
[root@test2-au ssl]# openssl version
OpenSSL 1.1.1c FIPS 28 May 2019
You are using the wrong directive
when you should be using
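In nginx, `ssl_protocols` sets the TLS versions a `server` block offers to clients, while `proxy_ssl_protocols` applies only to nginx's own connections to HTTPS upstreams; in 1.18 the `ssl_protocols` default does not include TLSv1.3. The check below is an added example, not part of the original post: a small lint for that mix-up. The function names and the sample block (constructed from the TLS-relevant lines of the question's config) are assumptions, and it expects a single `server` block as input.

```python
import re

# Constructed sample: the TLS-relevant lines of the server block in the question.
SAMPLE = """
server {
    listen 443 ssl default_server;
    server_name www.website.com;
    #### REAL SSL STARTS ####
    ssl_prefer_server_ciphers on;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def directives(block):
    """Map directive name -> list of argument strings, ignoring comments."""
    found = {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line or line == "}" or line.endswith("{"):
            continue  # blank line, comment, or block delimiter
        name, _, args = line.partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found

def lint_tls_protocols(block):
    """Return findings about the TLS versions this block offers to clients."""
    d = directives(block)
    findings = []
    # Only blocks that terminate TLS themselves are of interest.
    if not any(re.search(r"\bssl\b", a) for a in d.get("listen", [])):
        return findings
    client_side = " ".join(d.get("ssl_protocols", [])).split()
    upstream = " ".join(d.get("proxy_ssl_protocols", [])).split()
    if not client_side:
        findings.append("no ssl_protocols: client-facing versions use the nginx default")
        if upstream:
            findings.append("proxy_ssl_protocols only affects connections to upstreams")
    elif "TLSv1.3" not in client_side:
        findings.append("ssl_protocols does not list TLSv1.3")
    return findings

if __name__ == "__main__":
    for finding in lint_tls_protocols(SAMPLE):
        print("WARN:", finding)
```

After changing the config, `nginx -t` validates the syntax, and a handshake forced to TLS 1.3 (for example `openssl s_client -tls1_3` from a client with OpenSSL 1.1.1 or later) confirms what the listener actually negotiates.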