How to make Nginx quickly support TLS1.3 protocol

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Preface

TLS 1.3 benefits

TLS 1.3 has two main advantages over previous versions:

Enhanced security: legacy mechanisms are removed (static RSA key exchange, CBC and RC4 suites, compression, renegotiation), leaving only AEAD cipher suites with forward-secret key exchange.

Improved speed: a full handshake completes in one round trip instead of two, and session resumption can send application data with the first flight (0-RTT).

A few basic points need to be kept in mind.

1) At the time of writing, TLS 1.3 was still an IETF draft; the latest document was draft 28 (it was later published as RFC 8446 in August 2018). Deploying a draft version on a large system is not recommended; for a personal website, of course, TLS 1.3 can be deployed.

2) TLS 1.3 differs substantially from TLS 1.2. At the level of protocol messages the handshakes are not compatible: the client's key shares move into the ClientHello and everything after the ServerHello is encrypted, and a draft implementation only interoperates with a peer implementing the same draft number. This is why TLS 1.3 was not recommended for large systems at the time. (Version negotiation is still compatible, so a server that enables TLS 1.3 continues to serve TLS 1.2 clients.)

With regard to the differences between the two versions, I will write a detailed article later.

3) The cryptographic library used by Nginx is OpenSSL, so whether TLS 1.3 is supported depends on the OpenSSL library.

Nginx accepts TLSv1.3 in ssl_protocols from version 1.13.0, and OpenSSL supports TLS 1.3 from version 1.1.1; the latest pre-release at the time, OpenSSL 1.1.1-pre5, implemented draft 26.

The running environment of this article is as follows:

Ubuntu 14.04.5 LTS
gcc 4.8.4
Nginx 1.13.5
OpenSSL 1.1.1-pre1

If you run into problems during installation, they are usually caused by the software version or the system environment; check the manual or search online.

Install OpenSSL

The best tool for learning about TLS 1.3 is OpenSSL itself, so the first step is to install the OpenSSL library and command-line tool.

Run the following command:

$ cd /root
# download and unpack the source code
$ wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1-pre1.tar.gz
$ tar xvf openssl-1.1.1-pre1.tar.gz
$ cd openssl-1.1.1-pre1
# check which TLS 1.3 draft this release implements
$ grep TLS1_3_VERSION_DRAFT_TXT ./* -R
# output: draft 23
./include/openssl/tls1.h:# define TLS1_3_VERSION_DRAFT_TXT "TLS 1.3 (draft 23)"
# $(LIBRPATH) is expanded by the OpenSSL Makefile, so it must be single-quoted for the shell
$ ./config --prefix=/usr/local/openssl1.1.1 --openssldir=/usr/local/openssl1.1.1 --libdir=lib shared '-Wl,-rpath,$(LIBRPATH)' '-Wl,--enable-new-dtags' enable-ec_nistp_64_gcc_128 enable-tls1_3
$ make
$ make install

In this version TLS 1.3 is enabled by default, so the enable-tls1_3 option could be omitted. The OpenSSL command-line tool, libraries and certificate files are installed under /usr/local/openssl1.1.1. The TLS 1.3 version built in is draft 23.

After the installation is complete, you can use the command line tool to learn about TLS 1.3.

For example, run the following command to learn about all cipher suites for this version:

# -s -tls1_3: list only the suites usable when TLSv1.3 is negotiated
$ /usr/local/openssl1.1.1/bin/openssl ciphers -V -s -tls1_3 | column -t
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM             Mac=AEAD
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305  Mac=AEAD
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM             Mac=AEAD

You can see that TLS 1.3 supports far fewer cipher suites: only AEAD suites remain, and the key exchange and authentication method are no longer part of the suite (Kx=any, Au=any). This is part of the security enhancement.

Install Nginx

Nginx supports TLS 1.3 when built against an OpenSSL that supports it. Point the build at the OpenSSL source tree and run the following commands:

$ cd /root
$ wget http://nginx.org/download/nginx-1.13.5.tar.gz
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.tar.gz
$ tar xvf pcre-8.41.tar.gz
$ tar xvf nginx-1.13.5.tar.gz
$ cd nginx-1.13.5
$ ./configure \
    --prefix=/usr/local/nginx1.13.5.tls1.3 \
    --with-http_ssl_module \
    --with-pcre=../pcre-8.41 \
    --with-stream \
    --with-openssl=../openssl-1.1.1-pre1 \
    --with-openssl-opt="enable-tls1_3 enable-ec_nistp_64_gcc_128"
$ make
$ make install

The --with-openssl-opt parameter passes configuration options through to OpenSSL's config script when Nginx builds the bundled OpenSSL.

Nginx configuration TLS version 1.3

$ cd /usr/local/nginx1.13.5.tls1.3
$ vim conf/nginx.conf

The nginx.conf file is configured as follows:

server {
    listen 443 ssl;
    server_name www.simplehttps.com;
    ssl_certificate /etc/letsencrypt/live/simplehttps.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/simplehttps.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256;
    location / {
        root html;
        index index.html index.htm;
    }
}

For how to apply for a certificate, see my earlier article.

Configuring TLS 1.3 itself is simple: add TLSv1.3 to ssl_protocols (and list the directive only once; nginx refuses to start on a duplicate ssl_protocols directive). Two caveats about the configuration above. First, the TLS13-* names in ssl_ciphers are the names used by the OpenSSL pre-releases; in the released OpenSSL 1.1.1 the suites are called TLS_AES_256_GCM_SHA384 and so on, are always enabled, and are not selected by ssl_ciphers at all (ssl_ciphers then only governs TLS 1.2 and below; nginx 1.19.4 and later expose the TLS 1.3 list through ssl_conf_command Ciphersuites). Second, a list containing only TLS 1.3 names leaves a TLS 1.2 client with no shared cipher, so if TLSv1.2 stays enabled, add ECDHE AEAD suites for it, and drop TLSv1 and TLSv1.1, which are deprecated.
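As an added example (not code from the original article), the following POSIX shell script audits the ssl_protocols directive of an nginx configuration. It is run over two constructed fragments: one resembling the configuration above as it was garbled on the page, which still enables legacy protocols and repeats the directive, and a hardened one that offers only TLSv1.2 and TLSv1.3 with AEAD suites for TLS 1.2 clients. The file names and the audit_ssl_protocols function are illustrative.

```shell
#!/bin/sh
# Added example: audit the ssl_protocols directive of an nginx config.
# Not code from the original article; both sample fragments are constructed.

SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/weak.conf"
HARD_CONF="$SAMPLE_DIR/hardened.conf"

# Constructed sample 1: legacy protocols enabled and the directive repeated
# (nginx rejects a duplicate ssl_protocols directive at startup).
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;   # duplicate
    ssl_prefer_server_ciphers on;
}
EOF

# Constructed sample 2: only TLS 1.2 and 1.3. With released OpenSSL 1.1.1 the
# TLS 1.3 suites are always on and are not chosen by ssl_ciphers, which only
# governs TLS 1.2 and below, so the list here is for TLS 1.2 clients.
cat > "$HARD_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
}
EOF

# Print one finding per line; return 1 if the file needs attention.
audit_ssl_protocols() {
    conf="$1"
    rc=0
    have13=""
    # strip comments, then keep only the ssl_protocols lines
    lines=$(sed 's/#.*$//' "$conf" | grep '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    count=$(printf '%s\n' "$lines" | grep -c 'ssl_protocols' || true)
    if [ "$count" -eq 0 ]; then
        # nginx 1.13 defaults to "TLSv1 TLSv1.1 TLSv1.2" when the directive is absent
        echo "FAIL: no ssl_protocols directive (default enables TLSv1 and TLSv1.1)"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: ssl_protocols appears $count times; nginx refuses duplicate directives"
        rc=1
    fi
    # tokens between the directive name and the terminating semicolon
    tokens=$(printf '%s\n' "$lines" | sed 's/^[[:space:]]*ssl_protocols[[:space:]]*//; s/;.*$//')
    for p in $tokens; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "FAIL: deprecated protocol $p enabled"; rc=1 ;;
            TLSv1.2) echo "OK:   $p enabled" ;;
            TLSv1.3) echo "OK:   $p enabled"; have13=1 ;;
            *) echo "WARN: unrecognised token '$p'" ;;
        esac
    done
    [ -n "$have13" ] || { echo "FAIL: TLSv1.3 not enabled"; rc=1; }
    return $rc
}

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if audit_ssl_protocols "$f"; then echo "verdict: pass"; else echo "verdict: fix needed"; fi
done
```

Run it against a real configuration with audit_ssl_protocols /usr/local/nginx1.13.5.tls1.3/conf/nginx.conf; it checks only the protocol list, so pair it with nginx -t for syntax and with a live probe for what the server actually negotiates.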

Run the following command to start Nginx:

$. / sbin/nginx

Test TLS 1.3

There are three ways to test whether the site supports TLS 1.3.

1) OpenSSL command line

Run the following command:

$ /usr/local/openssl1.1.1/bin/openssl s_client -connect www.simplehttps.com:443 -tls1_3
# output
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

The output shows that TLSv1.3 was negotiated successfully. "Secure Renegotiation IS NOT supported" is expected rather than a problem: TLS 1.3 removes renegotiation from the protocol entirely.
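As an added example (not code from the original article), the script below generalises the single check above into a sweep over TLS 1.0 through 1.3, one s_client call per version, and classifies each attempt from the s_client output, so you can confirm both that TLS 1.3 is accepted and that the legacy versions are refused. The OPENSSL variable, the classify and probe functions, and the two trimmed sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example: probe a host one TLS version at a time with openssl s_client
# and classify each attempt. Not from the original article.
# OPENSSL may point at a specific build, e.g. /usr/local/openssl1.1.1/bin/openssl.
OPENSSL=${OPENSSL:-openssl}

# Read s_client output on stdin and print "accepted <protocol> <cipher>" or
# "rejected". A failed handshake still prints a session block, so the
# "New, ..., Cipher is ..." line is the reliable marker: it reads (NONE) on
# failure. The negotiated version is taken from the "Protocol :" line.
classify() {
    awk '
        /^New, /                                 { cipher = $NF }
        /^[[:space:]]*Protocol[[:space:]]*:/     { proto = $NF }
        END {
            if (cipher == "" || cipher == "(NONE)") print "rejected"
            else print "accepted " proto " " cipher
        }'
}

# Try each version individually. -servername sends SNI, which virtual hosts
# need; stdin is closed so s_client exits right after the handshake.
probe() {
    host="$1"; port="${2:-443}"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        out=$("$OPENSSL" s_client -connect "$host:$port" -servername "$host" "-$v" </dev/null 2>&1 || true)
        printf '%-7s %s\n' "$v" "$(printf '%s\n' "$out" | classify)"
    done
}

# Constructed samples (trimmed s_client output) so classify() runs offline.
SAMPLE_OK=$(cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
EOF
)
SAMPLE_FAIL=$(cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
EOF
)

printf '%s\n' "$SAMPLE_OK"   | classify   # accepted TLSv1.3 TLS_AES_256_GCM_SHA384
printf '%s\n' "$SAMPLE_FAIL" | classify   # rejected
# Live sweep (needs network), for example: probe www.simplehttps.com 443
```

For the server configured above, the sweep should report tls1_2 and tls1_3 as accepted and tls1 and tls1_1 as rejected once the legacy versions are removed from ssl_protocols; a draft-version mismatch between this OpenSSL build and the server shows up as tls1_3 rejected even though the server lists TLSv1.3.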

2) Chrome

At present, mainstream browsers support TLS 1.3 (see the support table in the original article).

Chrome enables TLS 1.3 by default from version 62. For earlier versions, enable it manually:

(1) Open chrome://flags/ in the address bar

(2) Enable the TLS 1.3 flag

Note that the draft version selected in the browser must match the draft version the server implements; if they differ, the handshake fails and the HTTPS site cannot be opened.

(3) Restart the browser

Then open the browser and test https://www.simplehttps.com.

3) Firefox

Firefox enables TLS 1.3 by default from version 47. For earlier versions, enable it manually:

(1) Open about:config in the address bar

(2) Set security.tls.version.max to 4 (in this preference, 4 selects TLS 1.3)

(3) Restart the browser

Then open the browser and test https://www.simplehttps.com.

Summary

That is all for this article. I hope it has some reference value for your study or work; if you have any questions, leave a comment and we can discuss them. Thank you for your support.
