
Deep parsing of SSL/TLS-deploying TLS on Nginx

2025-01-20 Update From: SLTechnology News&Howtos

Install Nginx

[root@localhost software]# tar xf nginx-1.15.5.tar.gz
[root@localhost software]# cd nginx-1.15.5/
[root@localhost nginx-1.15.5]# groupadd nginx
[root@localhost nginx-1.15.5]# useradd nginx -M -s /sbin/nologin -g nginx
[root@localhost nginx-1.15.5]# mkdir -p /project/nginx1.15.0
[root@localhost nginx-1.15.5]# mkdir -p /project/{logs/nginx,cache/nginx}
[root@localhost nginx-1.15.5]# ll /project/
total 0
drwxr-xr-x. 3 root root 19 Nov 1 21:48 cache
drwxr-xr-x. 3 root root 19 Nov 1 21:48 logs
drwxr-xr-x. 2 root root 6 Nov 1 21:48 nginx1.15.0
[root@localhost nginx-1.15.5]# ./configure --prefix=/project/nginx1.15.0 \
    --with-openssl=/opt/software/openssl-1.1.1 \
    --with-openssl-opt="enable-ec_nistp_64_gcc_128" \
    --with-http_ssl_module \
    --user=nginx --group=nginx \
    --error-log-path=/project/logs/nginx/error.log \
    --http-log-path=/project/logs/nginx/access.log \
    --http-client-body-temp-path=/project/cache/nginx/client_temp \
    --http-proxy-temp-path=/project/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/project/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/project/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/project/cache/nginx/scgi_temp \
    --with-file-aio \
    --with-http_v2_module
[root@localhost nginx-1.15.5]# make -j 2
[root@localhost nginx-1.15.5]# make install
[root@localhost nginx-1.15.5]# make clean
rm -rf Makefile objs
[root@localhost nginx-1.15.5]# cd ..
[root@localhost software]# cd /project/nginx1.15.0/
[root@localhost nginx1.15.0]# sbin/nginx
[root@localhost nginx1.15.0]# netstat -tulnp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:*
[root@localhost nginx1.15.0]# ps -ef | grep nginx
root 7420 1 0 22:22 ? 00:00:00 nginx: master process sbin/nginx
nginx 7421 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7422 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7423 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7424 7420 0 22:22 ? 00:00:00 nginx: worker process
root 7430 1869 0 22:23 pts/0 00:00:00 grep --color=auto nginx
[root@localhost nginx1.15.0]# mkdir conf/certs
[root@localhost nginx1.15.0]# mkdir html/tls
[root@localhost nginx1.15.0]# echo "Hello TLS" > html/tls/index.html
[root@localhost nginx1.15.0]# cat html/tls/index.html
Hello TLS
[root@localhost nginx1.15.0]# vim conf/nginx.conf
...
# HTTPS server
#
server {
    listen 443 ssl;
    server_name www.linuxplus.com;

    ssl_certificate certs/rsa_01cert.crt;
    ssl_certificate_key certs/rsa_2048prikey.pem;

    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root html/tls;
        index index.html index.htm;
    }
}
[root@localhost nginx1.15.0]# cd conf/certs/
[root@localhost certs]# openssl genrsa -out rsa_2048prikey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
[root@localhost certs]# ll
total 4
-rw-------. 1 root root 1679 Oct 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl req -new -key rsa_2048prikey.pem -out rsa_01cert.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# ll
total 8
-rw-r--r--. 1 root root 1066 Oct 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 Oct 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        3b:f9:bc:72:54:4e:25:a7:07:2d:92:42:06:a7:61:59
    Validity
        Not Before: Oct 28 11:20:49 2022 GMT
        Not After : Aug 24 11:20:49 2023 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShanDong
        localityName = QingDao
        organizationName = Devops
        organizationalUnitName = Devops
        commonName = www.linuxplus.com
        emailAddress = admin@linuxplus.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            DB:39:F0:61:40:3D:0B:4A:0A:20:1C:02:AF:3C:49:2B:86:78:22:C6
        X509v3 Authority Key Identifier:
            keyid:9F:7A:42:AF:E4:36:0D:01:CD:FF:27:57:18:2A:3E:CC:8A:77:C0:D7
Certificate is to be certified until Aug 24 11:20:49 2023 GMT (300 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# ll
total 12
-rw-r--r--. 1 root root 1241 Oct 28 19:20 rsa_01cert.crt
-rw-r--r--. 1 root root 1066 Oct 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 Oct 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# cd ../sbin/
[root@localhost sbin]# ./nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost sbin]# ./nginx -s reload

TLS protocol configuration

Nginx has three main TLS configuration items.

ssl_protocols specifies which protocol versions are enabled; the currently mainstream and more efficient setting is shown below. The insecure SSLv2 and SSLv3 should both be disabled.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The latest TLS version is 1.3, but it is not yet widely used. TLS 1.3 requires the OpenSSL 1.1.1 series, so to use it, upgrade OpenSSL and specify that version when compiling and installing Nginx.

ssl_prefer_server_ciphers makes the server's algorithm preference take priority during the TLS handshake between server and client, so the algorithm is chosen on the server side. This avoids the security problems caused by many clients being * or relatively old.

ssl_prefer_server_ciphers on;

ssl_ciphers specifies the algorithm suites to be used and their priority.

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA ECDHE-RSA-RC4-SHA RC4-SHA";

Using wildcard certificates

A wildcard certificate is one whose CN is in wildcard form, such as *.linuxplus.com. If the whole site is going to use HTTPS, a wildcard certificate is feasible, and many large sites do the same, such as Taobao. Sites with multiple different domain names (second-level domains) that use the same certificate can be deployed on the same IP address. It is also recommended to use SNI so that each site has its own separate certificate.
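A check for the three directives described above, as an added example that is not part of the original article. The function name, the finding labels and the sample configuration are constructed for illustration; flagging RC4, MD5, NULL, EXPORT and DES suites follows general practice (RFC 7465 prohibits RC4) rather than the article's own list, and each directive is assumed to sit on one line.

```bash
#!/usr/bin/env bash
# audit_tls_conf FILE: print one finding per line for weak TLS directives.
audit_tls_conf() {
    awk '
    # Strip comments and the trailing semicolon before inspecting a directive.
    { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)
            if ($i == "SSLv2" || $i == "SSLv3")
                print "WEAK_PROTOCOL " $i
    }
    $1 == "ssl_prefer_server_ciphers" && $2 == "on" { prefer = 1 }
    $1 == "ssl_ciphers" {
        list = $0
        sub(/^[ \t]*ssl_ciphers[ \t]+/, "", list)
        gsub(/"/, "", list)
        # OpenSSL cipher strings separate entries with ":", "," or spaces.
        n = split(list, tok, /[: ,]+/)
        for (i = 1; i <= n; i++) {
            # "!X" and "-X" remove suites, so they are not findings.
            if (tok[i] ~ /^[!-]/) continue
            if (tok[i] ~ /(RC4|MD5|NULL|EXPORT|DES)/)
                print "WEAK_CIPHER " tok[i]
        }
    }
    END { if (!prefer) print "NO_SERVER_PREFERENCE" }
    ' "$1"
}

# Constructed sample: a shortened cipher list with RC4 suites, SSLv3 enabled,
# and no ssl_prefer_server_ciphers directive.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1.2;  # SSLv3 left enabled
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA !MD5";
}
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_tls_conf "$conf"
rm -f "$conf"
```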
Configure dual certificate

[root@localhost certs]# openssl ecparam -genkey -name prime256v1 -out ecdsa_01prikey.pem
[root@localhost certs]# openssl req -new -key ecdsa_01prikey.pem -out ecc01.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# openssl ca -in ecc01.csr -days 365 -out ecc_01cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fc
    Validity
        Not Before: Nov 10 14:32:15 2018 GMT
        Not After : Nov 10 14:32:15 2019 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShanDong
        localityName = QingDao
        organizationName = Devops
        organizationalUnitName = Devops
        commonName = www.linuxplus.com
        emailAddress = admin@linuxplus.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            67:7B:E7:71:A6:D5:63:C7:C3:E7:6F:E4:40:B4:06:1C:D5:B6:84:58
        X509v3 Authority Key Identifier:
            keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 10 14:32:15 2019 GMT
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# cd /project/nginx1.15.0/conf/
[root@localhost conf]# vim nginx.conf
...
ssl_certificate certs/ecc_01cert.crt;
ssl_certificate_key certs/ecdsa_01prikey.pem;
ssl_certificate certs/rsa_01cert.crt;
ssl_certificate_key certs/rsa_2048prikey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@localhost conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost conf]# ../sbin/nginx -s reload

Client authentication

Client authentication ensures that only clients holding a certificate can access the site or service; the certificates are managed and issued by the site.

[root@www certs]# openssl genrsa -out client01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
[root@www certs]# openssl req -new -key client01.key -out client01.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
[root@www certs]# openssl ca -in client01.csr -md sha384 -out client01_cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fd
    Validity
        Not Before: Nov 11 06:06:53 2018 GMT
        Not After : Nov 11 06:06:53 2019 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShanXi
        localityName = XiAn
        organizationName = Devops01
        organizationalUnitName = Devops01
        commonName = www.linuxplus.com
        emailAddress = adm@linuxplus.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            AC:6C:C1:A7:5A:C5:91:BD:97:3C:4A:2D:CA:03:53:91:38:E9:3B:E6
        X509v3 Authority Key Identifier:
            keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 11 06:06:53 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01_cert.crt -inkey client01.key -out client01.p12
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
ssl_certificate certs/ecc_01cert.crt;
ssl_certificate_key certs/ecdsa_01prikey.pem;
ssl_certificate certs/rsa_01cert.crt;
ssl_certificate_key certs/rsa_2048prikey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# enable client authentication
ssl_verify_client on;
# specify the depth of the client certificate to the root certificate
# ssl_verify_depth 2;
# specify the CA certificate
ssl_client_certificate /usr/local/openssl/CA/root_cacert_ecc.pem;
# other CA certificates that need to be included in the complete certificate chain
# ssl_trusted_certificate rootca.crt;
# certificate revocation list; if it is updated, Nginx needs to reload
ssl_crl /usr/local/openssl/CA/crl.pem;
# on: only accept requests that present a client certificate. If the request does not contain a certificate or the certificate verification fails, nginx returns a 400 error response.
# off: disable
# optional: access is not forcibly blocked and 400 is not returned. The state can be read from the $ssl_client_verify variable: NONE means there is no certificate, FAILED means the certificate failed verification, and SUCCESS means the certificate is valid.
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload

No certificate imported

Importing the certificate in Firefox

Importing the certificate in 360 browser

[root@www certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -^C
[root@www certs]# openssl req -new -key client02.key -out client02.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
[root@www certs]# openssl ca -in client02.csr -md sha384 -out client02_cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fe
    Validity
        Not Before: Nov 11 14:00:18 2018 GMT
        Not After : Nov 11 14:00:18 2019 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShanXi
        localityName = XiAn
        organizationName = Devops02
        organizationalUnitName = Devops02
        commonName = www.linuxplus.com
        emailAddress = adm@linuxplus.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            6D:D2:63:9D:21:B1:82:4A:0F:19:B8:76:0F:B5:EA:E8:F0:F6:A3:6F
        X509v3 Authority Key Identifier:
            keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 11 14:00:18 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client02_cert.crt -inkey client02.key -out client02.p12

# Revoke the certificate
[root@www certs]# openssl x509 -in client01_cert.crt -serial -noout
serial=92F43BDFF9AC3B5CAA3189D661C69AFD
[root@www certs]# openssl ca -revoke /usr/local/openssl/CA/newcerts/92F43BDFF9AC3B5CAA3189D661C69AFD.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Revoking Certificate 92F43BDFF9AC3B5CAA3189D661C69AFD.
Data Base Updated
[root@www certs]# openssl ca -gencrl -out /usr/local/openssl/CA/crl.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
[root@www certs]# openssl crl -in /usr/local/openssl/CA/crl.pem -text
Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = CN, ST = BeiJing, L = BeiJing, O = CAdevops, OU = CAdevops, CN = root_ca, emailAddress = admin@linuxplus.com
    Last Update: Nov 11 14:33:36 2018 GMT
    Next Update: Dec 11 14:33:36 2018 GMT
    CRL extensions:
        X509v3 CRL Number:
            1048577
Revoked Certificates:
    Serial Number: 92F43BDFF9AC3B5CAA3189D661C69AFD
        Revocation Date: Nov 11 14:26:37 2018 GMT
    Signature Algorithm: ecdsa-with-SHA256

[root@www conf]# vim nginx.conf
log_format tls "$ssl_client_verify $pid $scheme $server_name $time_local $remote_addr $connection $connection_requests $ssl_protocol $ssl_cipher $ssl_session_id $ssl_session_reused $ssl_curves";
access_log /project/logs/nginx/access.log tls;
# $scheme: which protocol is used
# $connection: TCP connection serial number
# $connection_requests: how many requests have been made on the connection (persistent connection)
[root@www logs]# tail -f access.log
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800 172.16.216.181 315 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800 172.16.216.181 315 2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800 172.16.216.181 315 3 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800 172.16.216.181 315 4 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101
...
# SUCCESS: successful
# 20481: Nginx PID
# ECDHE-ECDSA-AES128-GCM-SHA256: cipher suite

Session cache

Independent session cache

[root@www nginx1.15.0]# vim conf/nginx.conf
ssl_session_tickets off;
ssl_session_cache shared:SSL:1m;  # allocate a 1 MB shared memory cache; 1 MB of memory can cache about 4000 sessions
ssl_session_timeout 5m;  # set the session cache expiration time; the default session cache expiration time is only 5 minutes

SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800 172.16.216.181 331 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800 172.16.216.181 331 2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 3 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 4 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 5 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 6 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r -
# r means the session was reused; . means it was not reused

Configuration item format:

ssl_session_cache off | none | [builtin[:size]] [shared:name:size];

The default option is none.

off: disable caching.

none: disable caching, but tell the client that the session can be reused; the session is not actually stored.

builtin: built-in cache. It can be used by only one worker process (nginx can have more than one worker process). The size parameter used with builtin is a number of sessions; if it is not specified, the default is 20480 sessions. Using builtin can cause some memory fragmentation.

shared: shared cache, written as shared:name:size. It shares sessions among multiple worker processes, with the size given in megabytes (M); 1m can hold about 4000 sessions. A shared cache has a name, and a cache with the same name can be shared by multiple server blocks in the nginx configuration.

You can also mix builtin and shared:

ssl_session_cache builtin:1000 shared:SSL:10m;

However, using only the shared cache without the built-in cache should be more efficient. Decide according to the situation of the project.
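To confirm that the session cache is producing resumed handshakes, the access log written with the tls log_format shown earlier can be summarised per connection. This is an added example, not part of the original article: the function names and log lines are constructed, the TLSv1.2 threshold is an assumption of the example, and fields are read from the right because the verify field can take the form FAILED:reason with spaces in the reason.

```bash
#!/usr/bin/env bash
# tls_log_summary FILE: one line per failed client verification, then totals.
tls_log_summary() {
    awk '
    {
        # Index from the right: "FAILED:reason" in field 1 may contain spaces,
        # and $time_local always contains one.
        reused = $(NF-1); proto = $(NF-4); conn = $(NF-6); ip = $(NF-7)
        state = $1; sub(/:.*/, "", state)
        # Later requests on a keep-alive connection repeat the handshake data.
        if (conn in seen) next
        seen[conn] = 1
        if (reused == "r") resumed++; else full++
        if (state != "SUCCESS") { bad++; print "VERIFY_" state, ip }
        if (proto != "TLSv1.2" && proto != "TLSv1.3") old++
    }
    END {
        printf "connections=%d resumed=%d full=%d verify_not_success=%d below_tls12=%d\n",
               resumed + full, resumed, full, bad, old
    }' "$1"
}

# Constructed sample log in the tls format (documentation addresses, short session IDs).
write_sample_log() {
    cat > "$1" <<'EOF'
SUCCESS 100 https www.example.test 01/Jan/2024:10:00:00 +0000 192.0.2.10 1 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 aa11 . X25519:prime256v1
SUCCESS 100 https www.example.test 01/Jan/2024:10:00:01 +0000 192.0.2.10 1 2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 aa11 . X25519:prime256v1
SUCCESS 100 https www.example.test 01/Jan/2024:10:00:03 +0000 192.0.2.10 2 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 aa11 r -
FAILED:certificate revoked 100 https www.example.test 01/Jan/2024:10:00:05 +0000 192.0.2.77 3 1 TLSv1 ECDHE-RSA-AES128-SHA - . prime256v1
SUCCESS 100 https www.example.test 01/Jan/2024:10:00:09 +0000 192.0.2.10 4 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 aa11 r -
EOF
}

log=$(mktemp)
write_sample_log "$log"
tls_log_summary "$log"
rm -f "$log"
```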

Distributed session ticket

[root@www nginx1.15.0]# cd conf/certs/
[root@www certs]# openssl rand -out ticket48.key 48
[root@www certs]# openssl rand -out ticket80.key 80
[root@www certs]# ll -l ticket48.key
-rw-r--r--. 1 root root 48 Nov 24 14:23 ticket48.key
[root@www certs]# ll -l ticket80.key
-rw-r--r--. 1 root root 80 Nov 24 14:31 ticket80.key
[root@www certs]# cd ../..
[root@www nginx1.15.0]# vim conf/nginx.conf
ssl_session_tickets on;
ssl_session_ticket_key certs/ticket48.key;  # set a new key for encrypting and decrypting new tickets
ssl_session_ticket_key certs/ticket80.key;  # retain the previous key for decrypting old tickets
[root@www nginx1.15.0]# sbin/nginx -s reload
[root@www nginx1.15.0]# openssl s_client -connect 172.16.216.188:443
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 0734C4A2519DD91A6B03BA6E1A572FA2E8DAB69CC23A41A249E4219B6B16934E
    Session-ID-ctx:
    Master-Key: AC6A686B930A886990E031117F1032F5829C57EAFA2C363D9917973E401FE420D5F566BA5F5CD5ED2E922F5E6E6E1F1B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...

Because two keys are rotated, the server does not discard sessions established before the update when the key is changed.

Rotating session ticket keys in a cluster is unreliable, because the new key cannot be applied to all nodes at exactly the same moment. If one node starts using the new key before another node and issues a ticket to a client, and that client's next request is routed to the other node, the other node may be unable to decrypt the ticket (when the cluster does not use a traffic retention mechanism). The result is a new SSL handshake, which degrades performance and can even create a bottleneck. In the final analysis, there is always a time difference between nodes reloading their configuration. If you choose to use session tickets, do not update the key too frequently, and try to use traffic retention to route the same user to the same node.

If you want to implement session ticket key rotation in a cluster properly and do not mind changing the cluster configuration twice, follow these steps.

(1) Generate a new key.

(2) Replace the old key that is used only for decryption with the new key, then restart each node so that it loads the configuration and all nodes have the new key loaded.

(3) Swap the positions of the two keys: the new key becomes the key for encryption and decryption, and the previous key becomes the old key used only for decryption.

You can then restart the nodes one by one without hurry. Because every node already loaded the new key during the first configuration change, each node can decrypt tickets encrypted with the new key, and the time lag causes no problems.
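The two-pass rotation in steps (1) to (3), as an added example that is not part of the original article. The function names, the tickets.conf include file and the key file names are hypothetical, and node directories stand in for cluster nodes; on a real node each rewrite of the file would be followed by nginx -s reload.

```bash
#!/usr/bin/env bash
# Each node directory holds tickets.conf with two directives:
#   line 1 = key that encrypts and decrypts, line 2 = key that only decrypts.
write_conf() {  # write_conf NODE_DIR ENC_KEY DEC_KEY
    printf 'ssl_session_ticket_key %s;\nssl_session_ticket_key %s;\n' \
        "$2" "$3" > "$1/tickets.conf"
}
slot() {        # slot NODE_DIR LINE_NO -> key file named on that line
    sed -n "$2"'s/^ssl_session_ticket_key \(.*\);$/\1/p' "$1/tickets.conf"
}

# Step (1): generate an 80-byte key readable only by its owner.
gen_key() { ( umask 077; head -c 80 /dev/urandom > "$1" ); }

# Step (2): the new key replaces the decrypt-only key; the encrypting key is unchanged.
stage_key() { write_conf "$1" "$(slot "$1" 1)" "$2"; }

# Step (3): swap the slots so the new key encrypts and the previous one only decrypts.
promote_key() { write_conf "$1" "$(slot "$1" 2)" "$(slot "$1" 1)"; }

# A ticket issued by node A is usable on node B only if B lists A's encrypting key.
accepts() {     # accepts NODE_B NODE_A
    grep -qF "ssl_session_ticket_key $(slot "$2" 1);" "$1/tickets.conf"
}
cluster_safe() { accepts "$1" "$2" && accepts "$2" "$1"; }

# Constructed walk-through: node a and node b reload at different moments.
rotation_demo() {
    work=$(mktemp -d); mkdir "$work/a" "$work/b"
    for k in k1 k2 k3; do gen_key "$work/$k.key"; done
    write_conf "$work/a" k2.key k1.key; write_conf "$work/b" k2.key k1.key
    stage_key "$work/a" k3.key          # only node a has applied step (2)
    cluster_safe "$work/a" "$work/b" || return 1
    stage_key "$work/b" k3.key
    promote_key "$work/a"               # only node a has applied step (3)
    cluster_safe "$work/a" "$work/b" || return 1
    promote_key "$work/b"
    cluster_safe "$work/a" "$work/b" || return 1
    echo "encrypting key on both nodes: $(slot "$work/a" 1)"
    rm -rf "$work"
}

rotation_demo
```

Replacing the encrypting key on one node in a single pass makes cluster_safe fail until the other node catches up, which is the time-lag problem the two-pass procedure avoids.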
