主页 / user-463719

michacassola's questions

Martin Hope
michacassola
Asked: 2023-02-15 12:38:13 +0800 CST
  • 5

使用 Cloudflare 的“完全”加密模式,可以使用自签名证书作为源到 Cloudflare 的连接:

来源提供的证书不会以任何方式进行验证。它可以是过期的、自签名的,或者甚至没有与请求的主机名匹配的 CN/SAN 条目。

-- https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/

最近,我使用以下命令 (GNU/Linux) 创建的自签名证书停止工作,Cloudflare 抛出526 错误

openssl genpkey -algorithm Ed25519 -out /etc/ssl/qycli.key
openssl req -new -x509 -key /etc/ssl/qycli.key -out /etc/ssl/qycli.crt -days 7300 -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"

使用以下证书和密钥再次连接到 Cloudflare:

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.crt -keyout /etc/ssl/qycli.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"

我能否以 NGINX 将依次考虑的方式指定多个证书和密钥,一个接一个地保持尽可能高的性能,同时在 Cloudflare 不再认为证书和密钥足够安全时提供回退?

NGINX 文档提到:

从 1.11.0 版本开始,可以多次指定该指令以加载不同类型的证书,例如 RSA 和 ECDSA:

-- https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

以下是否会像我预期的那样工作?

server {
listen              443 ssl;
server_name         example.com;

ssl_certificate     /etc/ssl/qycli.crt; # More performant, less secure ECDSA P-256 certificate
ssl_certificate_key /etc/ssl/qycli.key;

ssl_certificate     /etc/ssl/qycli.2048.crt; # More performant, less secure RSA 2048 fallback certificate
ssl_certificate_key /etc/ssl/qycli.2048.key;

ssl_certificate     /etc/ssl/qycli.384.crt; # Less performant, more secure ECDSA P-384 fallback certificate
ssl_certificate_key /etc/ssl/qycli.384.key;

ssl_certificate     /etc/ssl/qycli.4096.crt; # More performant, less secure RSA 4096 certificate
ssl_certificate_key /etc/ssl/qycli.4096.key;
...
}

使用以下方法制作的证书和密钥:

# ECDSA
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.crt -keyout /etc/ssl/qycli.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -x509 -nodes -days 7300 -out /etc/ssl/qycli.384.crt -keyout /etc/ssl/qycli.384.key -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
# RSA
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/qycli.2048.key -out /etc/ssl/qycli.2048.crt -sha256 -days 7300 -nodes -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/qycli.4096.key -out /etc/ssl/qycli.4096.crt -sha256 -days 7300 -nodes -subj "/C=AQ/ST=qycli/L=qycli/O=HOSTYON/OU=SysOps/CN=HOSTYON"
nginx