
Making Nginx Compatible with Windows XP HTTPS Access

Overview

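Windows XP needs 3DES cipher support to access HTTPS pages, but OpenSSL 1.1.0 and later do not support 3DES by default, so you have to compile OpenSSL yourself to enable it.
The Nginx I use here was installed from the default Ubuntu software repository, so the ldconfig configuration has to be changed to make the system pick up the self-compiled OpenSSL first. Alternatively, you can compile Nginx by hand to enable 3DES support.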

Compiling OpenSSL with weak cipher support enabled

wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxvf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-weak-ssl-ciphers shared zlib
make
make test
sudo make install

Configuring the OpenSSL shared library search path

# Configure the OpenSSL shared library search path
sudo sh -c "echo '/usr/local/ssl/lib' > /etc/ld.so.conf.d/openssl.conf"
sudo ldconfig
# Add /usr/local/ssl/bin: to the PATH environment variable
sudo sed 's/PATH="/PATH="\/usr\/local\/ssl\/bin:/' /etc/environment -i

Checking which shared libraries Nginx loads

$ which nginx
/usr/sbin/nginx
$ ldd /usr/sbin/nginx 
    linux-vdso.so.1 (0x00007ffe851e9000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1216d1d000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1216afe000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f12168c6000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f1216654000)
    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f12163c0000)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f1215ecd000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1215cb0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f12158bf000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1217259000)

Check that libssl.so and libcrypto.so resolve to the correct paths (here, under /usr/local/ssl/lib).
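The check described above can be scripted so that it fails loudly when Nginx still resolves the distribution's OpenSSL. This is an added example, not part of the original post: the function names and the "bad" sample are constructed for illustration, while the "good" sample lines are taken from the ldd output above.

```shell
#!/bin/sh
# check_linkage PREFIX
# Reads `ldd` output on stdin and succeeds only if BOTH libssl and libcrypto
# resolve to files under PREFIX. Prints one OK/FAIL line per library.
check_linkage() {
    awk -v prefix="$1" '
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            n++
            # "=> not found" or a path outside PREFIX both count as failures
            if (index($3, prefix "/") == 1) { print "OK   " $1 " -> " $3 }
            else { print "FAIL " $1 " -> " $3 " " $4; bad = 1 }
        }
        # n < 2 covers a binary that does not link both libraries dynamically
        END { exit ((bad || n < 2) ? 1 : 0) }
    '
}

# has_3des OPENSSL_BIN
# Succeeds only if this openssl binary knows the DES-CBC3-SHA suite
# (depends on the local build; not exercised by the samples below).
has_3des() {
    "$1" ciphers -v 'DES-CBC3-SHA' >/dev/null 2>&1
}

# Lines copied from the ldd output shown on this page.
SAMPLE_GOOD='	libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f12163c0000)
	libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f1215ecd000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1215cb0000)'

# Constructed sample: libssl still comes from the distribution package and
# libcrypto cannot be resolved at all.
SAMPLE_BAD='	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000000000)
	libcrypto.so.1.1 => not found
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f0000100000)'

# Demo on the good sample. On a real host, run instead:
#   ldd "$(command -v nginx)" | check_linkage /usr/local/ssl/lib
#   has_3des /usr/local/ssl/bin/openssl && echo "3DES suites available"
printf '%s\n' "$SAMPLE_GOOD" | check_linkage /usr/local/ssl/lib
```

A running Nginx keeps the libraries it loaded at startup, so restart it after running ldconfig before relying on this result.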

Adding the Nginx SSL configuration

# Edit the Nginx configuration file and add the ssl_ciphers setting
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
Licensed under CC BY-NC-SA 4.0