zxm256 / nginx-with-gmsslv3 Goto Github PK

1. 通过docker部署，并使用reqsign_ext.sh生成证书和密钥之后，可以通过服务器正常访问

root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443 -cacert /certs/cacert.pem 
generate handshake secrets
recv {EncryptedExtensions}
Connection established

root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# gmssl tls13_client -host 192.168.10.23 -port 4443                           
generate handshake secrets
recv {EncryptedExtensions}
Connection established

2. 我试了以下国密浏览器都不能正常访问：

• 奇安信国密浏览器
• 密信浏览器
• 360国密浏览器
• Samarium浏览器

效果都是如此：

每次通过浏览器访问https都会在error.log刷新日志：

root@d6ef447811d4:/Nginx-with-GmSSLv3/tools# tail -n 50 /usr/local/nginx/logs/error.log
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:867:ngx_ssl_recv():
tls_record_do_recv: Resource temporarily unavailable
/GmSSL/src/tls.c:1491:tls_record_do_recv():
/GmSSL/src/tls.c:1527:tls_record_recv():
/GmSSL/src/tls13.c:321:tls13_do_recv():
/GmSSL/src/tls13.c:357:tls13_recv():
src/event/ngx_event_gmssl.c:992:ngx_ssl_handle_recv():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():
src/event/ngx_event_gmssl.c:1404:ngx_ssl_shutdown():

@zxm256
输入命令 ：sudo /usr/local/nginx/sbin/nginx

显示日志：
root@iZ2ze36c0org6dywmc6gx0Z:~/Nginx-with-GmSSLv3/tools# sudo /usr/local/nginx/sbin/nginx
src/event/ngx_event_gmssl.c:60:ngx_ssl_init():
src/event/ngx_event_gmssl.c:68:ngx_ssl_create():
src/event/ngx_event_gmssl.c:82:ngx_ssl_certificates():
src/event/ngx_event_gmssl.c:104:ngx_ssl_certificate():
src/event/ngx_event_gmssl.c: 109: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/certs.pem
src/event/ngx_event_gmssl.c: 111: ngx_ssl_certificate: /root/Nginx-with-GmSSLv3/tools/signkey.pem
src/event/ngx_event_gmssl.c:133:ngx_ssl_ciphers():
src/event/ngx_event_gmssl.c:412:ngx_ssl_ecdh_curve():
src/event/ngx_event_gmssl.c:1473:ngx_ssl_session_cache():
src/event/ngx_event_gmssl.c:1542:ngx_ssl_session_ticket_keys():
src/event/ngx_event_gmssl.c:429:ngx_ssl_early_data():
src/event/ngx_event_gmssl.c:445:ngx_ssl_conf_commands():
src/event/ngx_event_gmssl.c:1487:ngx_ssl_session_cache_init():

修改了个寂寞，
参考https://www.gmssl.cn/gmssl/index.jsp?go=CA 部署nginx1.18，使用https://www.gmssl.cn/gmssl/index.jsp?go=CA 生成证书，测试通过（rsa和sm2自适应）
配置文件：
server {
listen 0.0.0.0:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
ssl_verify_client off;

    ssl_certificate /usr/local/nginx/conf/ssl/server.crt;  ## rsa证书
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;  ## rsa证书

    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.crt.pem;  ##  sm2证书
    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.sig.key.pem; ##  sm2证书

    ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.key.pem; ##  sm2证书
    ssl_certificate /usr/local/nginx/conf/ssl/sm2.liuliang.com.enc.crt.pem; ##  sm2证书

    location / {
      root html;
      index index.html index.htm;
    }
}

同样的配置和证书 部署Nginx-with-GmSSLv3 无法访问，不论是国密浏览器还是火狐谷歌之类。rsa证书也不能访问

另外证书生成脚本里生成的证书，指定-key_usage digitalSignature, 是不是应该加上-key_usage digitalSignature -key_usage keyEncipherment -key_usage dataEncipherment -key_usage keyAgreement

gmssl tls13_client -host 127.0.0.1 -port 443
generate handshake secrets
recv {EncryptedExtensions}
Connection established

以上 gmssl成功
但是浏览器依旧不能联通
提示以下信息 使用的是gmssl.org提供的 mac版 国密chrome 我需要配置什么吗
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

reqgen子命令不支持-days选项，提示reqgen: illegal option '-days'

命令行测试了一下这个命令，的确如此：

$ gmssl reqgen -help
usage: gmssl reqgen [-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -key pem -pass pass [-sm2_id str | -sm2_id_hex hex] [-out pem]

请问-days选项对reqgen命令有影响吗?

gmssl版本:

$ gmssl version
GmSSL 3.1.1 Dev

nginx error.log如下：
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sat Aug 27 12:12:39 2050
random: 00337A8E9B06EB9AF1F80D4E24A62214F5C20D02C0074D7F01F8E4BB
SessionID: (null)
CipherSuites
(null) (0x8a8a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Tue Apr 17 20:10:18 2057
random: 6BF8416B3F84A7BE6F55D3F304B56E0AE2E544F90338EBD6AB98FC4A
SessionID: (null)
CipherSuites
(null) (0xbaba)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Mar 8 14:29:40 1987
random: 188B18A5E0F0D5832EF74D7B95D746E735EEE1150D3E7E92705C5D95
SessionID: (null)
CipherSuites
(null) (0x5a5a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Thu Apr 8 20:28:05 2021
random: 29783727DFE13F42F2E6CD6F49B00D79BCCDCF735C4AE937DE1263C5
SessionID: (null)
CipherSuites
(null) (0x6a6a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Mon May 28 14:50:10 2007
random: EB56618C91FE1BF72AEA09E567CCD5F85FDEBC382D8D05E6DB36F7EA
SessionID: (null)
CipherSuites
(null) (0x2a2a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():
src/http/ngx_http_request.c 221: ngx_http_init_connection
src/http/ngx_http_request.c 660: ngx_http_ssl_handshake
src/event/ngx_event_gmssl.c:479:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:518:ngx_ssl_create_connection():
src/event/ngx_event_gmssl.c:568:ngx_ssl_handshake():
last_decrypted_block: B79C912A5A840A0A0A0A0A0A0A0A0A0A
Record
ContentType: Handshake (22)
Version: TLCP (1.1)
Length: 47
Handshake
Type: ClientHello (1)
Length: 43
ClientHello
Version: TLCP (1.1)
Random
gmt_unix_time : Sun Jun 7 03:57:44 1992
random: BA3F1480378BE7A589E1515DEA733B302B1157C4060B4E13CC5D7CFD
SessionID: (null)
CipherSuites
(null) (0x3a3a)
TLCP_ECC_SM4_CBC_SM3 (0xe013)
CompressionMethods
no_compression (0)

/GmSSL-develop/src/tls12.c:697:tls12_accept():
src/event/ngx_event_gmssl.c:598:ngx_ssl_handshake():
src/http/ngx_http_request.c 802: ngx_http_ssl_handshake_handler
src/event/ngx_event_gmssl.c:1402:ngx_ssl_shutdown():

使用tools下面的reqsign_ext.sh生成服务器证书后，启动nginx报错
nginx: [emerg] SSL_CTX_use_certificate("/etc/nginx/certs/certs.pem") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)

请问怎么解决？

gmssl 3.0更改了命令行模式，和openssl以及之前的区分开，但是命令还有问题，具体如下：
执行该生成证书脚本，有如下错误提示：

certgen: '-key_usage' option required
reqsign: parse CA certificate failure

经查看，生成的证书内容都是空的，问题出在根证书生成失败，需要一个 “密钥用途的关键字”。
手动加上关键字后：

gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 123456 -out cacert.pem -key_usage digitalSignature

报错：

/home/GmSSL-develop/src/asn1.c:458:asn1_integer_to_der_ex():
/home/GmSSL-develop/src/x509_ext.c:671:x509_authority_key_identifier_to_der():
/home/GmSSL-develop/src/x509_ext.c:113:x509_exts_add_authority_key_identifier():
/home/GmSSL-develop/src/x509_ext.c:131:x509_exts_add_default_authority_key_identifier():
certgen: inner error

希望您解决一下，生成证书需要传入什么参数呢，还是说是由于关老师的GMSSL有问题

执行后最终生成的cacert.pem内容为空
执行结果如下：

• gmssl sm2keygen -pass 123456 -out cakey.pem -pubout capubkey.pem
• gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 123456 -out cacert.pem
  certgen: '-key_usage' option required
• gmssl certparse -in cacert.pem
• gmssl sm2keygen -pass 123456 -out signkey.pem -pubout signpubkey.pem
• gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key signkey.pem -pass 123456 -out signreq.pem
• gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 123456 -out signcert.pem
  reqsign: parse CA certificate failure
• gmssl certparse -in signcert.pem
• gmssl sm2keygen -pass 123456 -out enckey.pem -pubout encpubkey.pem
• gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key enckey.pem -pass 123456 -out encreq.pem
• gmssl reqsign -in encreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 123456 -out enccert.pem
  reqsign: parse CA certificate failure
• gmssl certparse -in enccert.pem

使用docker启动该服务（编译会失败）
后续执行测试程序时报错， 端口改4443同样报错
$ ./tls12_client.sh -host 127.0.0.1 -port 443 -cacert cacert.pem
/home/mm/GmSSL/src/x509_cer.c:1694:x509_certs_new_from_file():
/home/mm/GmSSL/src/tls.c:2091:tls_ctx_set_ca_certificates():
tls12_client: context init error

端口没有占用

错误信息如下
tls_record_do_recv: Connection reset by peer
/opt/install/GmSSL/src/tls.c:1492:tls_record_do_recv():
/opt/install/GmSSL/src/tls.c:1533:tls_record_recv():
/opt/install/GmSSL/src/tls13.c:1528:tls13_do_connect():

根据 issue-1304449702 可以编译，http 部分运行正常。（部分错误，使用 C99 模式）
#6 (comment)

但是我需要 TLS + TCP ，我添加了 --with-stream --with-stream_ssl_module， 编译就无法通过。
众多编译错误

只有签名证书？

我的邮箱是[email protected]，盼回复

nginx: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory

编译带上--with-stream_ssl_module 发现了报错
gmssl2.5.4 还是没有问题的
看介绍 gmssl3.0 和openssl 的一些实现，移除了很多兼容性，
是否有详细一点的差异介绍

已安装了GmSSL 3.0.0 Beta
[root@localhost Nginx-with-GmSSLv3]# gmssl version

到安装编译安装Nginx-with-GmSSLv3的configure这步，提示

checking for GmSSL library ... not found

./configure: error: SSL modules require the GmSSL TLS library.

在编译安装GmSSL3.0
原本需要执行的命令如下，但由于GmSSL更新了版本，而本项目没有更新，所以后续在构建本项目时会报错

gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install


解决方案如下：
gmssl@ubuntu:~/nginx_doc$ git clone https://github.com/guanzhi/GmSSL.git
gmssl@ubuntu:~/nginx_doc$ cd GmSSL/
// 加了以下步骤，将GmSSL版本回滚
gmssl@ubuntu:~/nginx_doc/GmSSL$ git reset --hard 1c02e18fcdf63ced3b728a1962047d8c292f47ed
gmssl@ubuntu:~/nginx_doc/GmSSL$ mkdir build
gmssl@ubuntu:~/nginx_doc/GmSSL$ cd build/
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ cmake ..
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ make
gmssl@ubuntu:~/nginx_doc/GmSSL/build$ sudo make install

实测可正常make该项目

此nginx如何配置国密的双证书

用docker镜像创建的浏览器无法访问，打不开页面，用代码编译按照项目中的编译步骤，结果执行make的时候报错了，错误类似下面这样
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2002:6: note: expected ‘const uint64_t ()[2][2][8]’ but argument is of type ‘uint64_t ()[2][2][8]’
void sm9_final_exponent(sm9_fp12_t r, const sm9_fp12_t f)
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_fn_from_hash’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:11: error: redeclaration of ‘i’ with no linkage
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2217:6: note: previous declaration of ‘i’ was here
int i, j;
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int i = 0; i < 10; i++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2220:2: note: use option -std=c99 or -std=gnu99 to compile your code
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2221:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int j = 0; j < 4; j++) {
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c: In function ‘sm9_twist_point_to_uncompressed_octets’:
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2339:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(x, octets + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t ()[8]’ but argument is of type ‘uint64_t ()[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:2340:2: warning: passing argument 1 of ‘sm9_fp2_to_bytes’ from incompatible pointer type [enabled by default]
sm9_fp2_to_bytes(y, octets + 32 * 2 + 1);
^
/root/Nginx-with-GmSSLv3/GmSSL/src/sm9_alg.c:479:6: note: expected ‘const uint64_t ()[8]’ but argument is of type ‘uint64_t ()[8]’
void sm9_fp2_to_bytes(const sm9_fp2_t a, uint8_t buf[64])
^
make[2]: *** [CMakeFiles/gmssl.dir/src/sm9_alg.c.o] Error 1
make[1]: *** [CMakeFiles/gmssl.dir/all] Error 2
make: *** [all] Error 2

其他的协议grpc和ftp这些是否可以使用？

如上的代码片段是个永真式呀，也就是转发过程完全不能配https，无论是否国密
location / { proxy_pass https://upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; access_log /usr/local/nginx/logs/host-access1.log main; proxy_ssl_certificate /etc/tls/kona/client.pem; proxy_ssl_certificate_key /etc/tls/kona/client.key; proxy_ssl_trusted_certificate /etc/tls/kona/server.pem; proxy_ssl_verify off; proxy_ssl_verify_depth 2; }
实用性值得商榷

auto/lib/make中定义了关于gmssl的make脚本
if [ $GMSSL != NONE -a $GMSSL != NO -a $GMSSL != YES ]; then
. auto/lib/gmssl/make

但是实际上不存在这个文件，会报此
creating objs/Makefile
auto/lib/make: line 11: auto/lib/gmssl/make: No such file or directory

src/event/ngx_event_gmssl.c:499:5: error: implicit declaration of function ‘tls_set_fd’ [-Werror=implicit-function-declaration]
if (tls_set_fd(sc->connection, c->fd) == 0) {

我看了配置是反向代理。

实际上我是想通过 NGINX国密加密后 访问外部的服务器。

因为程序语言不支持，这个有办法吗？

ngx_event_gmssl.c中的tls_recv和tls_send函数输入参数不对，请问如何解决呢

按照教程完成了编译安装，并成功启动了nginx，但启动nginx后无法访问https接口，运行

gmssl tls13_client -host 127.0.0.1 -port 443

命令会提示：Connection reset by peer
尝试

curl https://127.0.0.1/

也会报错，提示：连接被重置
有人遇到过这个问题吗，应该怎么解决啊？

thanks.

I want a stream tcp port ssl, but fail with

nginx: [emerg] unknown directive "stream" in /usr/local/nginx/conf/nginx.conf:121

worker_processes 1;

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
sendfile on;
keepalive_timeout 65;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

server {
    listen       443 ssl;
    default_type text/html ;
    client_max_body_size 1000000M;
    client_body_buffer_size 3000M;
    ssl_certificate /usr/local/nginx/conf/ssl/certs.pem;
    ssl_certificate_key /usr/local/nginx/conf/ssl/signkey.pem;
    ssl_session_timeout    5m;
    location / {
        return 200;
    }
}

}

按照文档部署完，国密浏览器报ERR_SSL_VERSION_OR_CIPHER_MISMATCH，wireshark抓包也看不到server hello协商加密套件。
大量错误日志

这个例子是nginx1.21，如何使用gmssl3.0+NGINX1.25？应该如何更新nginx的代码呢

Nginx-with-GmSSLv3/GmSSL/src/tls12.c:278:tls12_do_connect():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:343:tls_cbc_decrypt(): invalid tls cbc ciphertext length 326
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1738:tls_do_recv():
Nginx-with-GmSSLv3/GmSSL/src/tls.c:1759:tls_recv():

通过docker启动的项目，conf文件参照readme配置，且gmssl的检测命令已经成功，但是页面还是不支持打开
这里截图是奇安信的国密浏览器，360的和密信的都是类似结果

这个版本nginx支持四层的国密证书吗，我看是代理https，有没有四层的国密代理

gmssl应该是不支持异步处理的，gmssl-withe-gmsslv3能很好的work吗？

我的国密库安装在/usr/local/gzgmssllib/目录下，当我在执行
./configure --with-http_ssl_module --without-http_upstream_zone_module --with-gmssl=/usr/local/gzgmssllib/ --with-debug
报错

请问这种情况该如何改配置文件