Shulou (Shulou.com), 06/02. Updated 2025-03-27.
This article describes how to build Nginx with BoringSSL as its encryption library in place of OpenSSL.
BoringSSL is Google's fork of OpenSSL, developed independently since it was split off, and it is the library of choice at Google, Cloudflare and other big names.
BoringSSL has both advantages and disadvantages. The advantage is that it natively supports cipher equivalence groups (equal-preference groups in BoringSSL's own terminology; I will describe them in a later article) and supports TLS 1.3 draft 23 quite well. The disadvantage is that the TLS 1.3 protocol cannot be enabled under Nginx, and BoringSSL itself is prone to build failures.
BoringSSL
First you need to compile BoringSSL. The host used for compilation should have 2 GB or more of memory, because cmake consumes a lot of memory. There are quite a few steps below; follow them in order:

    # Create a directory; all our work is done here
    mkdir -p /home/nginx-installation && cd /home/nginx-installation
    # Install the build dependencies
    # BoringSSL needs Golang support
    apt-get install -y build-essential make cmake golang
    # Clone the BoringSSL source code
    git clone --depth 1 https://boringssl.googlesource.com/boringssl && cd boringssl
    # Start the build
    mkdir -p /home/nginx-installation/boringssl/build /home/nginx-installation/boringssl/.openssl/lib /home/nginx-installation/boringssl/.openssl/include
    ln -sf /home/nginx-installation/boringssl/include/openssl /home/nginx-installation/boringssl/.openssl/include/openssl
    touch /home/nginx-installation/boringssl/.openssl/include/openssl/ssl.h
    cmake -B/home/nginx-installation/boringssl/build -H/home/nginx-installation/boringssl
    make -C /home/nginx-installation/boringssl/build
    cp /home/nginx-installation/boringssl/build/crypto/libcrypto.a /home/nginx-installation/boringssl/build/ssl/libssl.a /home/nginx-installation/boringssl/.openssl/lib

Once these steps are complete, BoringSSL is built. The next step is to hand it to Nginx with --with-openssl.
Nginx
Compile Nginx with the following parameters:
    # Use --with-openssl to specify the BoringSSL path
    # The option name does not change to "--with-boringssl"
    # (... stands for the rest of your configure options)
    ./configure ... --with-openssl=/home/nginx-installation/boringssl
    # After configure, you need to touch ssl.h again before continuing with make
    touch /home/nginx-installation/boringssl/.openssl/include/openssl/ssl.h
    make
    make install

After compiling Nginx, look at the build parameters and you will see:

    sudo nginx -V
    built by gcc 4.9.2 (Debian 4.9.2)
    built with OpenSSL 1.1.0 (compatible: BoringSSL) (running with BoringSSL)
    TLS SNI support enabled

Did you spot it? The words BoringSSL stand out in the output.
Cipher Suite
Although OpenSSL has been replaced with BoringSSL, the cipher suite list is written in pretty much the same way. You can write it like this:

    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256';
Of course, if you want to use BoringSSL's equivalence group feature, you can change it to this:

    ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256';
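
What the bracketed group changes in practice, as an added example that is not part of the original article: a small Python model of how the server picks a suite from each of the two ssl_ciphers values above. It assumes ssl_prefer_server_ciphers is on, handles plain suite names only, and ignores certificate type; the MOBILE client offer is constructed.

```python
# Added example: a simplified model of server-side cipher selection with
# BoringSSL equal-preference groups. Not BoringSSL or Nginx code.
import re

def parse_cipher_groups(spec):
    """Split an ssl_ciphers value into ordered groups of equally preferred suites."""
    groups = []
    # A token is either a bracketed [a|b|c] group or a single suite name.
    for bracketed, single in re.findall(r"\[([^\]]*)\]|([^\s:\[\]]+)", spec):
        if bracketed:
            members = [m.strip() for m in bracketed.split("|") if m.strip()]
            if not members:
                raise ValueError("empty equal-preference group")
            groups.append(members)
        elif single:
            groups.append([single])
    return groups

def choose_cipher(spec, client_offer):
    """Return the suite chosen for a client, or None if nothing is shared.

    Groups are tried in server order; inside a group the client's own
    ordering decides, which is the point of an equal-preference group.
    """
    rank = {name: i for i, name in enumerate(client_offer)}
    for group in parse_cipher_groups(spec):
        shared = [name for name in group if name in rank]
        if shared:
            return min(shared, key=rank.__getitem__)
    return None

# The first four suites of the two ssl_ciphers values from the article.
FLAT = ("ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 "
        "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305")
GROUPED = ("[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|"
           "ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]")

# Constructed client offer: a device that prefers ChaCha20 over AES-GCM.
MOBILE = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("flat   :", choose_cipher(FLAT, MOBILE))     # server order wins
    print("grouped:", choose_cipher(GROUPED, MOBILE))  # client order wins in group
```

With the flat list the server forces AES-128-GCM on the ChaCha20-preferring client; with the group, the same client gets ChaCha20 while suites outside the group still follow server order.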