Upgrading Nginx to 1.15.3 with BoringSSL and enabling TLSv1

Author: 刘以浩 | Published 2018-09-18 17:59
    • Download the required packages
    nginx-1.14.0.tar.gz   openssl-1.1.0h.tar.gz pcre-8.42.tar.gz
    # Download pages
    http://nginx.org/download/
    https://boringssl.googlesource.com/boringssl/
    https://www.pcre.org/
    # Note: the build further down is of nginx-1.15.3 (see the nginx -V output), so fetch the tarball that matches the version you intend to build
    wget http://nginx.org/download/nginx-1.14.0.tar.gz
    wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
    
    • Unpack the archives
    tar xvf nginx-1.14.0.tar.gz
    tar xvf pcre-8.42.tar.gz
    
    • Build BoringSSL first
    # Unpack
    mkdir -p boringssl-install/boringssl
    tar xvf boringssl-master.tar.gz -C boringssl-install/boringssl
    cd boringssl-install/boringssl/
    
    # Install the build dependencies
    # BoringSSL needs Go to build
    apt-get install -y build-essential make cmake golang
    
    mkdir -p build .openssl/lib .openssl/include
    ln -sf ~/nginx_upgrade/boringssl-install/boringssl/include/openssl ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl
    

    The latest BoringSSL enables only the final TLS 1.3 version by default, but most browsers only support draft 13 and draft 28, so tls13_all has to be enabled:

    # https://github.com/cloudflare/sslconfig/issues/87
    sed -i 's|tls13_rfc = 0|tls13_all = 0|' include/openssl/ssl.h
    sed -i 's|  tls13_all,|  tls13_rfc,|' include/openssl/ssl.h
    sed -i 's|tls13_variant_t tls13_variant = tls13_rfc;|tls13_variant_t tls13_variant = tls13_all;|g' ssl/internal.h
    

    Continue the build

    touch .openssl/include/openssl/ssl.h
    cmake -B~/nginx_upgrade/boringssl-install/boringssl/build/ -H~/nginx_upgrade/boringssl-install/boringssl/
    make -C ~/nginx_upgrade/boringssl-install/boringssl/build
    cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib/
    
    • Build nginx
    cd ../../nginx-1.15.3
    # --with-openssl points at the BoringSSL source tree
    # --prefix and --conf-path set the nginx install directory and configuration file
    ./configure --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --with-openssl=../boringssl-install/boringssl/ --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_stub_status_module --with-pcre=../pcre-8.42 --with-mail --with-mail_ssl_module
    # After configure, touch this header before running make, otherwise the nginx build tries to rebuild BoringSSL
    touch ~/nginx_upgrade/boringssl-install/boringssl/.openssl/include/openssl/ssl.h
    make 
    
    • Check the version information
    # The output shows BoringSSL
    ./objs/nginx -V
    nginx version: nginx/1.15.3
    built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
    built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    
    • Change the cipher suites and add the TLSv1.3 protocol
    ssl_ciphers "[TLS13-AES-128-GCM-SHA256|TLS13-CHACHA20-POLY1305-SHA256] TLS13-AES-256-GCM-SHA384 [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 DES-CBC3-SHA AES128-SHA256 AES256-SHA256 CAMELLIA AES256-SHA AES CAMELLIA DES-CBC3-SHA ECDHE-ECDSA-AES256-SHA";
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    
    /etc/init.d/nginx reload
    
    • Graceful (zero-downtime) upgrade of the binary
    mv /usr/sbin/nginx /usr/sbin/nginx.old
    cp ./objs/nginx /usr/sbin/
    # Verify the version
    nginx -v
    nginx version: nginx/1.15.3
    # Test the configuration file
    nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    kill -USR2 `cat /run/nginx.pid`
    kill  -WINCH `cat /run/nginx.pid.oldbin`
    kill -QUIT `cat /run/nginx.pid.oldbin`
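
The USR2/WINCH/QUIT handover above works, but it has no checks around it: nothing confirms the new binary really links BoringSSL, that it accepts the live configuration, or that the new master is alive before the old one is retired. The script below is an added example written for this page, not code from the original post; it wraps the same signal sequence in those checks and keeps the old binary for rollback. The paths are assumed to match the configure line used in the post (/usr/sbin/nginx, ./objs/nginx, /run/nginx.pid) and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the original post): the USR2/WINCH/QUIT handover
# from the section above, wrapped in the checks a practitioner wants before
# retiring the old master. Paths are assumptions matching the post's
# configure line and can be overridden through the environment.
set -eu

NGINX_BIN="${NGINX_BIN:-/usr/sbin/nginx}"   # installed binary
NEW_BIN="${NEW_BIN:-./objs/nginx}"          # freshly built binary
PID_FILE="${PID_FILE:-/run/nginx.pid}"      # --pid-path from the configure line

# Return 0 if the given `nginx -V` output reports a BoringSSL-linked build.
built_with_boringssl() {
    printf '%s\n' "$1" | grep -q 'running with BoringSSL'
}

# Poll for a non-empty pid file for up to $2 seconds and print the pid it
# holds. Returns 1 if it never appears, i.e. the old master did not hand over.
wait_for_pidfile() {
    file=$1; timeout=${2:-10}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -s "$file" ]; then
            cat "$file"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

upgrade_nginx() {
    built_with_boringssl "$("$NEW_BIN" -V 2>&1)" \
        || { echo "refusing: $NEW_BIN is not linked against BoringSSL" >&2; return 1; }
    "$NEW_BIN" -t                                  # new binary must accept the live config
    cp -p "$NGINX_BIN" "$NGINX_BIN.old"            # keep the old binary for rollback
    cp "$NEW_BIN" "$NGINX_BIN.new" && mv "$NGINX_BIN.new" "$NGINX_BIN"   # atomic replace
    old_pid=$(cat "$PID_FILE")
    kill -USR2 "$old_pid"                          # old master starts a second master from the new binary
    wait_for_pidfile "$PID_FILE.oldbin" 10 >/dev/null \
        || { echo "old master did not write $PID_FILE.oldbin; check the error log" >&2; return 1; }
    new_pid=$(cat "$PID_FILE")
    kill -0 "$new_pid"                             # new master is running
    kill -WINCH "$old_pid"                         # old workers finish their requests and exit
    sleep 2
    kill -QUIT "$old_pid"                          # retire the old master
    echo "upgrade complete: new master pid $new_pid"
}

# Only act when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "upgrade" ]; then
    upgrade_nginx
fi
```

Run it as `sh upgrade.sh upgrade` (the file name is an assumption) from the nginx build directory. If the new master fails to start, roll back the way the nginx upgrade procedure describes: send HUP to the old master so it respawns workers from the old binary, QUIT to the new master, and restore `/usr/sbin/nginx.old`.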
    
    • Verify that the site uses TLSv1.3
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
    cd testssl.sh
    ./testssl.sh --full --html https://your_domain
    
    # Output containing the following lines shows TLSv1.3 is enabled
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    TLS 1.3    offered (OK): draft 28, draft 23, final
    
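
The testssl.sh check above is read by eye. The script below is an added example written for this page, not part of the original post or of testssl.sh: it parses the protocol section of a report, confirms that TLS 1.3 is offered, and also reports any deprecated protocol still offered. That second check matters because the `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` line earlier in the post keeps TLS 1.0 and TLS 1.1 enabled alongside TLS 1.3, and a scan is the place where that shows up. The report text inside the script is a constructed sample in the format shown in the post, not real scanner output.

```shell
#!/bin/sh
# Added example (not from the original post): a check over the protocol
# section of a testssl.sh report. Confirms TLS 1.3 is offered and flags any
# legacy protocol (SSLv2/v3, TLS 1.0, TLS 1.1) that is still offered.
set -eu

# Constructed sample in the format shown in the post; not real scanner output.
SAMPLE_REPORT='SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered (deprecated)
TLS 1.1    offered
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): draft 28, draft 23, final'

# Print each protocol the report marks as offered, one per line.
# "not offered" lines do not match because the word "not" sits between
# the protocol name and "offered".
offered_protocols() {
    printf '%s\n' "$1" | awk '
        /^(SSLv[23]|TLS 1(\.[123])?) +offered/ { sub(/ +offered.*/, ""); print }'
}

# Return 0 when TLS 1.3 is among the offered protocols.
tls13_offered() {
    offered_protocols "$1" | grep -qx 'TLS 1.3'
}

# Print the offered protocols that are deprecated (SSLv2, SSLv3, TLS 1.0,
# TLS 1.1); return 1 (grep's no-match status) when none are offered.
legacy_offered() {
    offered_protocols "$1" | grep -Ex 'SSLv[23]|TLS 1(\.1)?'
}

if tls13_offered "$SAMPLE_REPORT"; then
    echo "TLS 1.3 is offered: the BoringSSL build is serving it"
else
    echo "TLS 1.3 is NOT offered: check ssl_protocols and the tls13_all change" >&2
fi

if legacy=$(legacy_offered "$SAMPLE_REPORT"); then
    echo "still offering deprecated protocols:"
    printf '%s\n' "$legacy" | sed 's/^/  /'
fi
```

To run it against a real scan, save the output of the `--full` run from the post (adding `--color 0` so no terminal colour codes land in the file) and pass the file contents to `offered_protocols` and `legacy_offered` in place of `$SAMPLE_REPORT`. A clean result is TLS 1.2 and TLS 1.3 offered and `legacy_offered` printing nothing.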
