zxm256 / nginx-with-gmsslv3
A modified Nginx with GmSSL
root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443 -cacert /certs/cacert.pem
generate handshake secrets
recv {EncryptedExtensions}
Connection established
root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443
generate handshake secrets
recv {EncryptedExtensions}
Connection established
Every time I access https through a browser, new log entries are written to error.log:
root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# tail -n 50 /usr/local/nginx/logs/error.log
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():
@zxm256
Command entered: sudo /usr/local/nginx/sbin/nginx
Log output:
root@iZ2ze36c0org6dywmc6gx0Z:~/Nginx-with-GmSSLv3/tools# sudo /usr/local/nginx/sbin/nginx
src/event/ngx_event_gmssl.c:60:ngx_ssl_init():
src/event/ngx_event_gmssl.c:68:ngx_ssl_create():
src/event/ngx_event_gmssl.c:82:ngx_ssl_certificates():
src/event/ngx_event_gmssl.c:104:ngx_ssl_certificate():
src/event/ngx_event_gmssl.c: 109: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/certs.pem
src/event/ngx_event_gmssl.c: 111: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/signkey.pem
src/event/ngx_event_gmssl.c:133:ngx_ssl_ciphers():
src/event/ngx_event_gmssl.c:412:ngx_ssl_ecdh_curve():
src/event/ngx_event_gmssl.c:1473:ngx_ssl_session_cache():
src/event/ngx_event_gmssl.c:1542:ngx_ssl_session_ticket_keys():
src/event/ngx_event_gmssl.c:429:ngx_ssl_early_data():
src/event/ngx_event_gmssl.c:445:ngx_ssl_conf_commands():
src/event/ngx_event_gmssl.c:1487:ngx_ssl_session_cache_init():
The modification accomplished nothing.
Following https://www.gmssl.cn/gmssl/index.jsp?go=CA, I deployed nginx 1.18 and generated certificates using https://www.gmssl.cn/gmssl/index.jsp?go=CA; the test passed (RSA and SM2 adaptive).
Configuration file:
server {
    listen 0.0.0.0:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
    ssl_verify_client off;
    ssl_certificate /usr/local/nginx/conf/ssl/server.crt; ## RSA certificate
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key; ## RSA certificate
    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.crt.pem; ## SM2 certificate
    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.key.pem; ## SM2 certificate
    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.key.pem; ## SM2 certificate
    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.crt.pem; ## SM2 certificate
    location / {
        root html;
        index index.html index.htm;
    }
}
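With the same configuration and certificates, a deployment of Nginx-with-GmSSLv3 cannot be accessed, whether from a GM (national cryptography) browser or from Firefox, Chrome and the like. It cannot be accessed with the RSA certificate either.
Also, the certificates generated by the certificate generation script specify -key_usage digitalSignature; shouldn't that be -key_usage digitalSignature -key_usage keyEncipherment -key_usage dataEncipherment -key_usage keyAgreement?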
gmssl tls13_client -host 127.0.0.1 -port 443
generate handshake secrets
recv {EncryptedExtensions}
Connection established
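As shown above, gmssl succeeds
But the browser still cannot connect
It shows the following message. I am using the Mac version of the GM Chrome browser provided by gmssl.org. Do I need to configure anything?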
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The reqgen subcommand does not support the -days option; it reports reqgen: illegal option '-days'
I tested this command on the command line, and that is indeed the case:
$ gmssl reqgen -help
usage: gmssl reqgen [-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -key pem -pass pass [-sm2_id str | -sm2_id_hex hex] [-out pem]
Does the -days option have any effect on the reqgen command?
gmssl version:
$ gmssl version
GmSSL 3.1.1 Dev
The nginx error.log is as follows:
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sat Aug 27 12:12:39 2050
random: 00337A8E9B06EB9AF1F80D4E24A62214F5C20D02C0074D7F01F8E4BB
SessionID: (null)
CipherSuites
(null) (0x8a8a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Tue Apr 17 20:10:18 2057
random: 6BF8416B3F84A7BE6F55D3F304B56E0AE2E544F90338EBD6AB98FC4A
SessionID: (null)
CipherSuites
(null) (0xbaba)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Mar 8 14:29:40 1987
random: 188B18A5E0F0D5832EF74D7B95D746E735EEE1150D3E7E92705C5D95
SessionID: (null)
CipherSuites
(null) (0x5a5a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Thu Apr 8 20:28:05 2021
random: 29783727DFE13F42F2E6CD6F49B00D79BCCDCF735C4AE937DE1263C5
SessionID: (null)
CipherSuites
(null) (0x6a6a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Mon May 28 14:50:10 2007
random: EB56618C91FE1BF72AEA09E567CCD5F85FDEBC382D8D05E6DB36F7EA
SessionID: (null)
CipherSuites
(null) (0x2a2a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Jun 7 03:57:44 1992
random: BA3F1480378BE7A589E1515DEA733B302B1157C4060B4E13CC5D7CFD
SessionID: (null)
CipherSuites
(null) (0x3a3a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)
/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
After generating the server certificate with reqsign_ext.sh under tools, starting nginx fails with an error
nginx: [emerg] SSL_CTX_use_certificate("/etc/nginx/certs/certs.pem") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)
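How can this be resolved?
gmssl 3.0 changed its command-line style to distinguish it from openssl and from earlier versions, but the commands still have problems, as follows:
Running the certificate generation script produces the following errors: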
certgen: '-key_usage' option required
reqsign: parse CA certificate failure
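On inspection, the generated certificates are all empty. The problem is that root certificate generation failed; a "key usage keyword" is required.
After manually adding the keyword: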
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 123456 -out cacert.pem -key_usage digitalSignature
Error:
/home/GmSSL-develop/src/asn1.c:458:asn1_integer_to_der_ex():
/home/GmSSL-develop/src/x509_ext.c:671:x509_authority_key_identifier_to_der():
/home/GmSSL-develop/src/x509_ext.c:113:x509_exts_add_authority_key_identifier():
/home/GmSSL-develop/src/x509_ext.c:131:x509_exts_add_default_authority_key_identifier():
certgen: inner error
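I hope you can resolve this. What parameters need to be passed in to generate the certificate, or is this a problem with Professor Guan's GMSSL?
After running it, the resulting cacert.pem is empty
The result of running it is as follows:
Started the service using docker (compiling fails)
Running the test program afterwards reports an error; changing the port to 4443 gives the same error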
$ ./tls12_client.sh -host 127.0.0.1 -port 443 -cacert cacert.pem
/home/mm/GmSSL/src/x509_cer.c:1694:x509_certs_new_from_file():
/home/mm/GmSSL/src/tls.c:2091:tls_ctx_set_ca_certificates():
tls12_client: context init error
The port is not in use
The error message is as follows
tls_record_do_recv: Connection reset by peer
/opt/install/GmSSL/src/tls.c:1492:tls_record_do_recv():
/opt/install/GmSSL/src/tls.c:1533:tls_record_recv():
/opt/install/GmSSL/src/tls13.c:1528:tls13_do_connect():
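Following issue-1304449702 it compiles, and the http part runs normally. (Some errors; use C99 mode)
#6 (comment)
But I need TLS + TCP. I added --with-stream --with-stream_ssl_module, and then it fails to compile.
Numerous compilation errors
Only a signing certificate?
My email is [email protected]; I look forward to your reply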
nginx: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory
GmSSL 3.0.0 Beta is already installed
[root@localhost Nginx-with-GmSSLv3]# gmssl version
At the configure step of compiling and installing Nginx-with-GmSSLv3, it reports
checking for GmSSL library ... not found
./configure: error: SSL modules require the GmSSL TLS library.
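When compiling and installing GmSSL 3.0
The commands originally required are as follows, but because GmSSL has released newer versions while this project has not been updated, building this project afterwards fails with errors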
gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install
The solution is as follows:
gmssl@ubuntu:~/nginx_doc$ git clone https://github.com/guanzhi/GmSSL.git
gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
// Added the following step to roll back the GmSSL version
gmssl@ubuntu:~/nginx_doc/GmSSL$ git reset --hard 1c02e18fcdf63ced3b728a1962047d8c292f47ed
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install
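In testing, the project can then be built with make normally
How do I configure GM dual certificates with this nginx?
With the one created from the docker image, the browser cannot access it and the page will not open. Compiling from source following the project's build steps, make fails with errors like the following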
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2002:6: note: expected ‘const uint64_t (*)[2][2][8]’ but argument is of type ‘uint64_t (*)[2][2][8]’
void sm9_final_exponent(sm9_fp12_t r, const sm9_fp12_t f)
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_fn_from_hash’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:11: error: redeclaration of ‘i’ with no linkage
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2217:6: note: previous declaration of ‘i’ was here
int i, j;
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: note: use option -std=c99 or -std=gnu99 to compile your code
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2221:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int j = 0; j < 4; j++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_twist_point_to_uncompressed_octets’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2339:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(x, octets + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t (*)[8]’ but argument is of type ‘uint64_t (*)[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2340:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(y, octets + 32 * 2 + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t (*)[8]’ but argument is of type ‘uint64_t (*)[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
make[2]: *** [CMakeFiles/gmssl.dir/src/sm9_alg.c.o] Error 1
make[1]: *** [CMakeFiles/gmssl.dir/all] Error 2
make: *** [all] Error 2
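Can other protocols such as grpc and ftp be used?
The code snippet above is a tautology (always true), which means https cannot be configured at all for forwarding, whether GM or not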
location / {
    proxy_pass https://upstream;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /usr/local/nginx/logs/host-access1.log main;
    proxy_ssl_certificate /etc/tls/kona/client.pem;
    proxy_ssl_certificate_key /etc/tls/kona/client.key;
    proxy_ssl_trusted_certificate /etc/tls/kona/server.pem;
    proxy_ssl_verify off;
    proxy_ssl_verify_depth 2;
}
The practicality is debatable
auto/lib/make defines the make script for gmssl
if [ $GMSSL != NONE -a $GMSSL != NO -a $GMSSL != YES ]; then
. auto/lib/gmssl/make
But this file does not actually exist, which produces this error
creating objs/Makefile
auto/lib/make: line 11: auto/lib/gmssl/make: No such file or directory
src/event/ngx_event_gmssl.c:499:5: error: implicit declaration of function ‘tls_set_fd’ [-Werror=implicit-function-declaration]
if (tls_set_fd(sc->connection, c->fd) == 0) {
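I looked at the configuration and it is a reverse proxy.
What I actually want is to access an external server after GM encryption through NGINX.
Because the programming language does not support it. Is there a way to do this?
The input parameters of the tls_recv and tls_send functions in ngx_event_gmssl.c are incorrect. How can this be resolved?
I completed the build and installation following the tutorial and started nginx successfully, but after starting nginx the https endpoint cannot be accessed. Running the command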
gmssl tls13_client -host 127.0.0.1 -port 443
reports: Connection reset by peer
Trying
curl https://127.0.0.1/
also fails, reporting: connection reset
Has anyone run into this problem? How should it be resolved?
thanks.
I want a stream TCP port with SSL, but it fails with
nginx: [emerg] unknown directive "stream" in /usr/local/nginx/conf/nginx.conf:121
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    sendfile on;
    keepalive_timeout 65;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    server {
        listen 443 ssl;
        default_type text/html ;
        client_max_body_size 1000000M;
        client_body_buffer_size 3000M;
        ssl_certificate /usr/local/nginx/conf/ssl/certs.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/signkey.pem;
        ssl_session_timeout 5m;
        location / {
            return 200;
        }
    }
}
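After deploying according to the documentation, the GM browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and a wireshark capture does not show a server hello negotiating the cipher suite either.
A large number of error logs
This example uses nginx 1.21. How can gmssl 3.0 be used with NGINX 1.25? How should the nginx code be updated?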
Nginx-with-GmSSLv3/GmSSL/src/tls12.c:278:tls12_do_connect():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:343:tls_cbc_decrypt(): invalid tls cbc ciphertext length 326
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1738:tls_do_recv():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1759:tls_recv():
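Does this version of nginx support GM certificates at layer 4? From what I can see it proxies https. Is there a layer-4 GM proxy?
gmssl presumably does not support asynchronous processing. Can gmssl-withe-gmsslv3 work well?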