
nginx-with-gmsslv3's Introduction

Nginx-with-GmSSLv3


Introduction

GmSSL 3.0 is a major release of GmSSL with a newly designed architecture and API, so, unlike earlier versions, it is not compatible with applications that depend on the OpenSSL API. To validate and demonstrate that GmSSL 3.0 is usable, it has to support the most important kind of application, the HTTPS server. We chose to add GmSSL 3.0 support to Nginx, which makes this project an important one for GmSSL 3.0.

This project is based on a modified Nginx 1.21.0.

Quick start

The project can be used directly via Docker.

The docker command to start it is:

docker run -v $PATH_TO_CERTS:/certs -p 4443:443 -d zhaoxiaomeng/nginx_with_gmsslv3

Note:

  • Nginx-with-GmSSLv3 expects the private key file to be named signkey.pem and the certificate file to be named certs.pem by default.

If you do not have a certificate and private key yet, they can be generated with the steps under "Generating and configuring certificates" below.

Building and installing

Download the Nginx-with-GmSSLv3 source code

gmssl@ubuntu:~/nginx_doc$ git clone https://github.com/zhaoxiaomeng/Nginx-with-GmSSLv3.git

Build and install Nginx-with-GmSSLv3

This project depends on GmSSL 3.0. Either install GmSSL 3.0 beforehand, or pass the GmSSL source directory with --with-gmssl.

Installing GmSSL 3.0 system-wide

We recommend the GmSSL submodule revision that this project has been debugged against:

gmssl@ubuntu:~/nginx_doc$ cd Nginx-with-GmSSLv3
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ git submodule init
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ git submodule update
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ cd GmSSL/
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/GmSSL/build$ sudo make install

Pointing --with-gmssl at the GmSSL 3.0 source directory

We recommend using this project's GmSSL submodule; build and install as follows:

gmssl@ubuntu:~/nginx_doc$ cd Nginx-with-GmSSLv3
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ git submodule init
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ git submodule update
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ cp auto/configure .
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ ./configure --with-http_ssl_module --without-http_upstream_zone_module --with-gmssl=./GmSSL/  --with-debug
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ make
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ sudo make install

Nginx is installed to /usr/local/nginx by default.

Note that the following problems may come up during the build:

  1. The build reports that pcre is missing

    sudo apt-get install libpcre3 libpcre3-dev

  2. The build reports that gzip (zlib) is missing

    sudo apt-get install zlib1g zlib1g-dev

Configuration and running

Generating and configuring certificates

To use the GM (Chinese national cryptography) SSL protocol, GM digital certificates must be generated with GmSSL 3.0. The certificate generation program is kept in the tools directory; run the following script to generate the certificates and private keys:

gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ cd tools/
gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/tools$ ./reqsign_ext.sh 

The commands above generate a series of files in the tools directory, including:

  • root CA private key: rootcakey.pem
  • root CA certificate: rootcacert.pem
  • CA private key: cakey.pem
  • CA certificate request: careq.pem
  • CA certificate: cacert.pem
  • signing private key: signkey.pem
  • signing certificate request: signreq.pem
  • signing certificate: signcert.pem
  • server certificate: certs.pem
  • client private key: enckey.pem
  • client certificate request: encreq.pem
  • client certificate: enccert.pem

Modifying the Nginx configuration file

Edit /usr/local/nginx/conf/nginx.conf, uncomment the HTTPS server block, and point ssl_certificate and ssl_certificate_key at the signing certificate and signing private key generated in the previous section, as shown below:

    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /home/gmssl/nginx_doc/Nginx-with-GmSSLv3/tools/certs.pem;
        ssl_certificate_key  /home/gmssl/nginx_doc/Nginx-with-GmSSLv3/tools/signkey.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

In the HTTPS server block you can add `ssl_verify_client off;` to explicitly disable client certificate verification, as shown below:

    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /home/gmssl/nginx_doc/Nginx-with-GmSSLv3/tools/certs.pem;
        ssl_certificate_key  /home/gmssl/nginx_doc/Nginx-with-GmSSLv3/tools/signkey.pem;
        ssl_verify_client off;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
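Several of the issues reported further down this page trace back to certificate material that was never written correctly (an empty cacert.pem, "parse CA certificate failure"), and nginx only complains once it is started. The Python script below is an added example, not code from the Nginx-with-GmSSLv3 project: it pulls the ssl_certificate, ssl_certificate_key and ssl_verify_client directives out of a server block like the one above and checks that each referenced file exists, is non-empty and carries a PEM block of the expected type. The sample files it creates are constructed placeholders, not real keys or certificates, and the assumption that GmSSL's sm2keygen writes an ENCRYPTED PRIVATE KEY block only widens the set of accepted key headers.

```python
"""Preflight check for the TLS material a server block points at (added example).

Catches the failure mode behind "parse CA certificate failure": a certificate
script that aborted half-way leaves zero-byte or header-less PEM files behind.
"""
import os
import re
import tempfile

# PEM block labels accepted per directive. Assumption: GmSSL's sm2keygen writes a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block; the other labels are accepted as well so
# the check does not depend on that detail.
EXPECTED = {
    "ssl_certificate": ("CERTIFICATE",),
    "ssl_certificate_key": ("ENCRYPTED PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"),
}
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_certificate_key|ssl_certificate|ssl_verify_client)\s+([^;#]+);", re.M)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)


def parse_directives(conf_text):
    """Return (directive, value) pairs in order of appearance."""
    return [(m.group(1), m.group(2).strip()) for m in DIRECTIVE_RE.finditer(conf_text)]


def pem_labels(path):
    """Return the PEM block labels found in a file; [] for a missing or empty file."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="ascii", errors="replace") as f:
        return [m.group(1) for m in PEM_RE.finditer(f.read())]


def check_server_block(conf_text, base_dir="."):
    """Return a list of problems; an empty list means the material looks usable."""
    problems = []
    directives = parse_directives(conf_text)
    seen = {name for name, _ in directives}
    for name, value in directives:
        if name == "ssl_verify_client":
            continue
        path = value if os.path.isabs(value) else os.path.join(base_dir, value)
        if not os.path.isfile(path):
            problems.append(f"{name}: {value} does not exist")
        elif os.path.getsize(path) == 0:
            problems.append(f"{name}: {value} is empty (generation probably failed)")
        else:
            labels = pem_labels(path)
            if not any(label in EXPECTED[name] for label in labels):
                problems.append(f"{name}: {value} has no {'/'.join(EXPECTED[name])} block, found {labels or 'none'}")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in seen:
            problems.append(f"{name} directive missing")
    if "ssl_verify_client" not in seen:
        problems.append("ssl_verify_client not set; the README adds 'ssl_verify_client off;' explicitly")
    return problems


def make_fixture(tmp_dir, empty_cert=False):
    """Write constructed placeholder files (not real keys or certs) and return a server block."""
    cert = os.path.join(tmp_dir, "certs.pem")
    key = os.path.join(tmp_dir, "signkey.pem")
    fake_body = "MIIB" + "A" * 60  # constructed base64-looking filler, not a real DER payload
    with open(cert, "w") as f:
        if not empty_cert:
            f.write(f"-----BEGIN CERTIFICATE-----\n{fake_body}\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write(f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{fake_body}\n-----END ENCRYPTED PRIVATE KEY-----\n")
    return (
        "server {\n"
        "    listen 443 ssl;\n"
        f"    ssl_certificate      {cert};\n"
        f"    ssl_certificate_key  {key};\n"
        "    ssl_verify_client off;\n"
        "}\n"
    )


def run_fixture_check(empty_cert=False):
    """Build a fixture in a temporary directory and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        return check_server_block(make_fixture(tmp_dir, empty_cert))


if __name__ == "__main__":
    print("good fixture:", run_fixture_check() or "OK")
    print("empty certificate:", run_fixture_check(empty_cert=True))
```

To use it against a real installation, pass the text of the server block from /usr/local/nginx/conf/nginx.conf to check_server_block(); relative paths are resolved against base_dir, which should then be the nginx prefix directory.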

Running Nginx-with-GmSSLv3

gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3$ sudo /usr/local/nginx/sbin/nginx

The command above may fail with an error that the port is already in use; in that case change the port number configured in /usr/local/nginx/conf/nginx.conf.

Testing Nginx

Once installed, GmSSL 3.0 provides a client for testing the GM SSL protocol; run the following on the command line:

gmssl@ubuntu:~/nginx_doc/Nginx-with-GmSSLv3/tools$ gmssl tls13_client -host 127.0.0.1 -port 443

Here cacert.pem is the location of the CA certificate generated above.

If the command succeeds, Nginx has been installed and configured correctly.

Debugging and output

Debugging Nginx

To make Nginx easier to debug, add the following to /usr/local/nginx/conf/nginx.conf:

daemon off;
master_process off;

With these settings nginx always starts in the foreground as a single process. Otherwise nginx starts several processes, and if you kill the workers without first killing the master (root) process, new child processes are spawned.

Viewing output

Although some stderr output from the initialization phase goes straight to the screen, once Nginx has fully started its error messages are written to the Nginx error log, which is

/usr/local/nginx/logs/error.log

The path may differ depending on the installation. During debugging, check error.log for error messages.


nginx-with-gmsslv3's Issues

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    sendfile on;
    keepalive_timeout 65;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    server {
        listen       443 ssl;
        default_type text/html ;
        client_max_body_size 1000000M;
        client_body_buffer_size 3000M;
        ssl_certificate /usr/local/nginx/conf/ssl/certs.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/signkey.pem;
        ssl_session_timeout    5m;
        location / {
            return 200;
        }
    }
}

After deploying according to the documentation, the GM browser reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH, and a wireshark capture shows no Server Hello negotiating a cipher suite.
Lots of error log output
[image]

Build error

src/event/ngx_event_gmssl.c:499:5: error: implicit declaration of function ‘tls_set_fd’ [-Werror=implicit-function-declaration]
if (tls_set_fd(sc->connection, c->fd) == 0) {

Running reqsign_ex.sh in the tools directory fails

The reqgen subcommand does not support the -days option; it reports reqgen: illegal option '-days'

I tried the command on the command line and that is indeed the case:

$ gmssl reqgen -help
usage: gmssl reqgen [-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -key pem -pass pass [-sm2_id str | -sm2_id_hex hex] [-out pem]

Does the -days option have any effect on the reqgen command?

gmssl version:

$ gmssl version
GmSSL 3.1.1 Dev

Building stream_ssl_module fails

Building with --with-stream_ssl_module produces errors.
gmssl 2.5.4 still works fine.
From the description, the gmssl 3.0 and openssl implementations differ and a lot of compatibility was removed;
is there a more detailed description of the differences?
[image]

Cannot access through a GM browser

  1. Deployed via docker and generated the certificate and key with reqsign_ext.sh; the server can be accessed normally:
root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443 -cacert /certs/cacert.pem 
generate handshake secrets
recv {EncryptedExtensions}
Connection established

root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443                           
generate handshake secrets
recv {EncryptedExtensions}
Connection established
  2. I tried the following GM browsers; none of them can access it normally:
  • Qi'anxin GM browser
  • MeSince (密信) browser
  • 360 GM browser
  • Samarium browser

The result is the same in every case:
[image]

Every https visit from a browser appends the following to error.log:

root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# tail -n 50 /usr/local/nginx/logs/error.log
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():

After entering the nginx start command sudo /usr/local/nginx/sbin/nginx, does this output mean it succeeded?

@zxm256
I ran: sudo /usr/local/nginx/sbin/nginx

The log shows:
root@iZ2ze36c0org6dywmc6gx0Z:~/Nginx-with-GmSSLv3/tools# sudo /usr/local/nginx/sbin/nginx
src/event/ngx_event_gmssl.c:60:ngx_ssl_init():
src/event/ngx_event_gmssl.c:68:ngx_ssl_create():
src/event/ngx_event_gmssl.c:82:ngx_ssl_certificates():
src/event/ngx_event_gmssl.c:104:ngx_ssl_certificate():
src/event/ngx_event_gmssl.c: 109: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/certs.pem
src/event/ngx_event_gmssl.c: 111: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/signkey.pem
src/event/ngx_event_gmssl.c:133:ngx_ssl_ciphers():
src/event/ngx_event_gmssl.c:412:ngx_ssl_ecdh_curve():
src/event/ngx_event_gmssl.c:1473:ngx_ssl_session_cache():
src/event/ngx_event_gmssl.c:1542:ngx_ssl_session_ticket_keys():
src/event/ngx_event_gmssl.c:429:ngx_ssl_early_data():
src/event/ngx_event_gmssl.c:445:ngx_ssl_conf_commands():
src/event/ngx_event_gmssl.c:1487:ngx_ssl_session_cache_init():

TLS 1.2 not supported?

Nginx-with-GmSSLv3/GmSSL/src/tls12.c:278:tls12_do_connect():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:343:tls_cbc_decrypt(): invalid tls cbc ciphertext length 326
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1738:tls_do_recv():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1759:tls_recv():

Problem with the reqsign_ext.sh script

gmssl 3.0 changed its command-line mode to set it apart from openssl and from earlier versions, but the commands still have problems, specifically:
running the certificate generation script gives the following errors:

certgen: '-key_usage' option required
reqsign: parse CA certificate failure

On inspection, the generated certificates are all empty. The problem is that root certificate generation fails because it requires a "key usage keyword".
After adding the keyword manually:

gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 123456 -out cacert.pem -key_usage digitalSignature

it reports:

/home/GmSSL-develop/src/asn1.c:458:asn1_integer_to_der_ex():
/home/GmSSL-develop/src/x509_ext.c:671:x509_authority_key_identifier_to_der():
/home/GmSSL-develop/src/x509_ext.c:113:x509_exts_add_authority_key_identifier():
/home/GmSSL-develop/src/x509_ext.c:131:x509_exts_add_default_authority_key_identifier():
certgen: inner error

Could you please fix this? What parameters are needed to generate the certificates, or is it a problem with Mr. Guan's GmSSL?

After starting nginx only port 80 is reachable, not port 443

I followed the tutorial to build and install and started nginx successfully, but after starting it I cannot reach the https endpoint. Running

gmssl tls13_client -host 127.0.0.1 -port 443

reports: Connection reset by peer
Trying

curl https://127.0.0.1/

also fails with: connection reset
Has anyone run into this problem, and how should it be solved?

proxy_pass does not support https

if (flags & NGX_SSL_CLIENT) {

The code fragment above is a tautology, which means https cannot be configured for forwarding at all, GM or not.

location / {
    proxy_pass https://upstream;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /usr/local/nginx/logs/host-access1.log main;
    proxy_ssl_certificate /etc/tls/kona/client.pem;
    proxy_ssl_certificate_key /etc/tls/kona/client.key;
    proxy_ssl_trusted_certificate /etc/tls/kona/server.pem;
    proxy_ssl_verify off;
    proxy_ssl_verify_depth 2;
}

Its practicality is questionable.

Certificates generated in docker with the reqsign_ext.sh script; a GM browser fails to open the page

The nginx error.log is as follows:
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sat Aug 27 12:12:39 2050
random: 00337A8E9B06EB9AF1F80D4E24A62214F5C20D02C0074D7F01F8E4BB
SessionID: (null)
CipherSuites
(null) (0x8a8a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Tue Apr 17 20:10:18 2057
random: 6BF8416B3F84A7BE6F55D3F304B56E0AE2E544F90338EBD6AB98FC4A
SessionID: (null)
CipherSuites
(null) (0xbaba)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Mar 8 14:29:40 1987
random: 188B18A5E0F0D5832EF74D7B95D746E735EEE1150D3E7E92705C5D95
SessionID: (null)
CipherSuites
(null) (0x5a5a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Thu Apr 8 20:28:05 2021
random: 29783727DFE13F42F2E6CD6F49B00D79BCCDCF735C4AE937DE1263C5
SessionID: (null)
CipherSuites
(null) (0x6a6a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Mon May 28 14:50:10 2007
random: EB56618C91FE1BF72AEA09E567CCD5F85FDEBC382D8D05E6DB36F7EA
SessionID: (null)
CipherSuites
(null) (0x2a2a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Jun 7 03:57:44 1992
random: BA3F1480378BE7A589E1515DEA733B302B1157C4060B4E13CC5D7CFD
SessionID: (null)
CipherSuites
(null) (0x3a3a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
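What the error.log dump above records, each time a browser connects, is a TLCP ClientHello (protocol version 1.1, cipher suite 0xe013 plus a GREASE placeholder such as 0x8a8a, 47-byte record, no extensions) that the server's tls12_accept() rejects before any ServerHello goes out, which is how the browser ends up at ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The Python below is an added example, not GmSSL or project code: it constructs a record with the same layout as the logged one (random bytes and timestamp are made up), parses it back into its fields, and runs a simplified negotiation model that shows which side of the mismatch, version or cipher suite, a given server configuration trips on. The server-side version and suite sets passed to negotiate() are hypothetical inputs, not a statement of what Nginx-with-GmSSLv3 supports.

```python
"""Decode a TLCP ClientHello of the shape dumped in error.log (added example).

Not GmSSL or project code. The record is constructed to match the logged
field values; random bytes and timestamp are made up.
"""
import struct

TLCP_VERSION = (1, 1)                            # printed as "TLCP (1.1)" in the log
SUITE_NAMES = {0xE013: "TLCP_ECC_SM4_CBC_SM3"}   # the only named suite in the log


def is_grease(suite):
    """RFC 8701 GREASE values have the form 0x?a?a (0x8a8a, 0xbaba, ...);
    browsers insert one to make sure servers ignore unknown suites."""
    return (suite & 0x0F0F) == 0x0A0A and (suite >> 8) == (suite & 0xFF)


def build_client_hello(random_bytes, suites, version=TLCP_VERSION):
    """Construct a ClientHello record with an empty session id and no extensions."""
    if len(random_bytes) != 32:
        raise ValueError("random must be 32 bytes (4-byte gmt_unix_time + 28 random)")
    body = bytes(version) + random_bytes + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record into its fields; raises ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake length mismatch")
    version = (body[0], body[1])
    gmt_unix_time = struct.unpack("!I", body[2:6])[0]  # modern clients randomise this too,
    random_rest = body[6:34]                           # hence the odd dates in the log
    pos = 34
    sid_len = body[pos]
    session_id = body[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + cm_len])
    pos += 1 + cm_len
    return {
        "record_version": (record[1], record[2]),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "version": version,
        "gmt_unix_time": gmt_unix_time,
        "random": random_rest.hex().upper(),
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "extensions_present": pos < hs_len,
    }


def negotiate(hello, server_versions, server_suites):
    """Simplified server-side choice (hypothetical model, not GmSSL's logic):
    reject on version first, then pick the first non-GREASE suite both sides share."""
    if hello["version"] not in server_versions:
        return None, f"client version {hello['version']} not enabled on server"
    for suite in hello["cipher_suites"]:
        if is_grease(suite):
            continue
        if suite in server_suites:
            return suite, SUITE_NAMES.get(suite, hex(suite))
    return None, "no common cipher suite"


# Constructed sample matching the dump: TLCP 1.1, suites 0x8a8a (GREASE) and 0xe013.
SAMPLE_HELLO = build_client_hello(struct.pack("!I", 1617900485) + bytes(range(28)),
                                  [0x8A8A, 0xE013])

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print(f"record length {hello['record_length']}, handshake length {hello['handshake_length']}")
    print("suites offered:", [SUITE_NAMES.get(s, "GREASE" if is_grease(s) else hex(s))
                              for s in hello["cipher_suites"]])
    print("server with TLCP + 0xe013:", negotiate(hello, {TLCP_VERSION}, {0xE013}))
    print("server without TLCP:      ", negotiate(hello, {(3, 3)}, {0xE013}))
```

The useful diagnostic here is the split in negotiate(): a server that does not enable the client's protocol version fails before cipher suites are even compared, so the same browser error covers two different server-side causes, and the logged ClientHello tells you which one to look for in the server configuration.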

Build fails when following the steps in the project documentation

[image]
The browser cannot reach the container created from the docker image (the page does not open), and when building from source following the project's build steps, make fails with errors like the following:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2002:6: note: expected ‘const uint64_t ()[2][2][8]’ but argument is of type ‘uint64_t ()[2][2][8]’
void sm9_final_exponent(sm9_fp12_t r, const sm9_fp12_t f)
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_fn_from_hash’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:11: error: redeclaration of ‘i’ with no linkage
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2217:6: note: previous declaration of ‘i’ was here
int i, j;
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: note: use option -std=c99 or -std=gnu99 to compile your code
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2221:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int j = 0; j < 4; j++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_twist_point_to_uncompressed_octets’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2339:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(x, octets + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t ()[8]’ but argument is of type ‘uint64_t ()[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2340:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(y, octets + 32 * 2 + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t ()[8]’ but argument is of type ‘uint64_t ()[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
make[2]: *** [CMakeFiles/gmssl.dir/src/sm9_alg.c.o] Error 1
make[1]: *** [CMakeFiles/gmssl.dir/all] Error 2
make: *** [all] Error 2

A temporary workaround for the make error

When building and installing GmSSL 3.0,
the commands that originally had to be run are as follows, but because GmSSL has released a new version while this project has not been updated, building this project afterwards fails

gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install


The solution is as follows:
gmssl@ubuntu:~/nginx_doc$ git clone https://github.com/guanzhi/GmSSL.git
gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
// Added the following step to roll GmSSL back to the earlier version
gmssl@ubuntu:~/nginx_doc/GmSSL$ git reset --hard 1c02e18fcdf63ced3b728a1962047d8c292f47ed
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install

Tested: the project now builds with make normally

GM browsers cannot open the page correctly

Project started via docker, conf file configured according to the readme, and the gmssl test command succeeds, but the page still cannot be opened.
The screenshot is from the Qi'anxin GM browser; 360 and MeSince give similar results.
[image]

Test passes but the browser cannot access

gmssl tls13_client -host 127.0.0.1 -port 443
generate handshake secrets
recv {EncryptedExtensions}
Connection established

The gmssl test above succeeds,
but the browser still cannot connect.
It shows the following message. I am using the Mac GM Chrome build provided by gmssl.org; do I need to configure anything?
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Can it do forward proxying?

I see the configuration is a reverse proxy.

What I actually want is to access external servers through NGINX with GM encryption.

Because my programming language does not support it; is there a way to do this?

After configuration, 443 is unreachable but 80 works

The port is not in use

The error message is as follows
tls_record_do_recv: Connection reset by peer
/opt/install/GmSSL/src/tls.c:1492:tls_record_do_recv():
/opt/install/GmSSL/src/tls.c:1533:tls_record_recv():
/opt/install/GmSSL/src/tls13.c:1528:tls13_do_connect():

RSA certificates no longer work either

This modification accomplishes nothing.
Following https://www.gmssl.cn/gmssl/index.jsp?go=CA I deployed nginx 1.18, generated certificates with https://www.gmssl.cn/gmssl/index.jsp?go=CA, and it passed testing (RSA and SM2 adaptive).
Configuration file:
server {
    listen 0.0.0.0:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
    ssl_verify_client off;

    ssl_certificate /usr/local/nginx/conf/ssl/server.crt;  ## RSA certificate
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;  ## RSA certificate

    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.crt.pem;  ##  SM2 certificate
    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.key.pem; ##  SM2 certificate

    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.key.pem; ##  SM2 certificate
    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.crt.pem; ##  SM2 certificate

    location / {
      root html;
      index index.html index.htm;
    }
}

With the same configuration and certificates, Nginx-with-GmSSLv3 cannot be accessed, whether from a GM browser or from Firefox, Chrome and the like. The RSA certificate cannot be accessed either.

Also, the certificates produced by the certificate generation script specify -key_usage digitalSignature; shouldn't it be -key_usage digitalSignature -key_usage keyEncipherment -key_usage dataEncipherment -key_usage keyAgreement?

reqsign_ext.sh execution problem

After running it, the final cacert.pem is empty.
The output is as follows:

  • gmssl sm2keygen -pass 123456 -out cakey.pem -pubout capubkey.pem
  • gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 123456 -out cacert.pem
    certgen: '-key_usage' option required
  • gmssl certparse -in cacert.pem
  • gmssl sm2keygen -pass 123456 -out signkey.pem -pubout signpubkey.pem
  • gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key signkey.pem -pass 123456 -out signreq.pem
  • gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 123456 -out signcert.pem
    reqsign: parse CA certificate failure
  • gmssl certparse -in signcert.pem
  • gmssl sm2keygen -pass 123456 -out enckey.pem -pubout encpubkey.pem
  • gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key enckey.pem -pass 123456 -out encreq.pem
  • gmssl reqsign -in encreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 123456 -out enccert.pem
    reqsign: parse CA certificate failure
  • gmssl certparse -in enccert.pem

Started the service with docker (building fails).
Running the test program afterwards also fails; changing the port to 4443 gives the same error
$ ./tls12_client.sh -host 127.0.0.1 -port 443 -cacert cacert.pem
/home/mm/GmSSL/src/x509_cer.c:1694:x509_certs_new_from_file():
/home/mm/GmSSL/src/tls.c:2091:tls_ctx_set_ca_certificates():
tls12_client: context init error

configure fails when the GM library is installed at a custom path

My GM library is installed under /usr/local/gzgmssllib/. When I run
./configure --with-http_ssl_module --without-http_upstream_zone_module --with-gmssl=/usr/local/gzgmssllib/ --with-debug
it fails
[image]
How should I change the configuration file in this case?

SSL_CTX_use_certificate:ca md too weak 错误

After generating the server certificate with reqsign_ext.sh under tools, starting nginx fails with
nginx: [emerg] SSL_CTX_use_certificate("/etc/nginx/certs/certs.pem") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)

How can this be fixed?
