Nginx国密改造

GmSSL 2.5.4 – OpenSSL 1.1.0d 19 Jun 2019
built on: re produci ble build, date unsp ecified
platform: linux–x86_64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DGMI_ASM -DPOLY1305_ASM -DOPENSSLDIR=“”/usr/local/gmssl“” -DENGINESDIR=“”/usr/local/gmssl/lib/engines-1.1″” -Wa,–no exec stack
OPENSSLDIR: “/usr/local/gmssl”
ENGINESDIR: “/usr/local/gmssl/lib/engines-1.1”
[root@test1 ~]#

gmssl安装完成，下面就开始安装nginx

[root@test1 nginx]# tar -zx f nginx-1.18.0.tar.gz

[root@test1 nginx]# cd nginx-1.18.0

在编译前需要 更改 解压 目录内的auto/li b/openssl/conf，将全部

[root@test1 nginx-1.18.0]# vim auto/li b/openssl/conf

39 CORE_INCS=“$CORE_INCS

”

OPENSSL/include” 40 CORE_DEPS=”

$OPENSS L / in c l u d e “40 COR E_{D} EPS = “$ CORE_DEPS

”

OPENSSL/include/openssl/ssl.h” 41 CORE_LIBS=”

$OPENSS L / in c l u d e / o p e n ss l / ss l . h “41 COR E_{L} I BS = “$ CORE_LIBS

”

OPENSSL/lib/li bssl.a” 42 CORE_LIBS=”

$OPENSS L / l ib / l ib ss l . a “42 COR E_{L} I BS = “$ CORE_LIBS $OPENSSL/lib/libcrypto.a”

[root@test1 nginx-1.18.0]# ./configure

–wi thout-http_gzip_module
–wi th–http_ssl_module
–wi th–http_stub_status_module
–wi th–http_v2_module
–wi th–file-aio
–wi th–openssl=“/usr/local/gmssl”
–wi th–cc–opt=“-I/usr/local/gmssl/include”
–with–ld–opt=“-lm”

[root@test1 nginx-1.18.0]# make && make install

安装完成后，我们 准备好本次用于 测试的国密证书，开始修改 配置文件

请添加图片描述

提交之后我们会下载 一个SM2.zip的压缩包，打开之后就会有我们 需要的四个文件了，把他们 放到 服务器之后开始配置nginx

请添加图片描述

[root@test1 ~]# cd /opt/nginx/gmkey/

[root@test1 gmkey]# ll

总用量 16
-rw——- 1 root root 863 5月 30 17:34 sm2…enc.crt.pem
-rw——- 1 root root 258 5月 30 17:34 sm2…enc.key.pem
-rw——- 1 root root 863 5月 30 17:34 sm2…sig.crt.pem
-rw——- 1 root root 258 5月 30 17:34 sm2…sig.key.pem

将nginx 配置文件 修改 如下

[root@test1 gmkey]# vim /usr/local/nginx/conf/nginx.conf

server {
    listen       443 ssl;
    server_name  localhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH::AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECC-SM4-GCM-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:ECDHE-SM2-WITH-SMS4-SHA256:ECDHE-SM2-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
    ssl_verify_client off;

    ssl_certificate /opt/nginx/gmkey/sm2.sig.crt.pem;
    ssl_certificate_key /opt/nginx/gmkey/sm2.sig.key.pem;

    ssl_certificate /opt/nginx/gmkey/sm2.enc.crt.pem;
    ssl_certificate_key /opt/nginx/gmkey/sm2.enc.key.pem;
    location / {
        root   html;
        index  index.html index.htm;
    }
}

[root@test1 gmkey]# cd /usr/local/nginx/sbin/

[root@test1 sbin]# ./nginx -t ###检查 配置文件 正确性

[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 dec ryption private key
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/co nf/nginx.co nf test is successful

[root@test1 sbin]# ./nginx -s reload ### 重载nginx

[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
[GMTLS_DEBUG] set sm2 encryption certificate
[GMTLS_DEBUG] set sm2 decryption private key

[root@test1 sbin]# netstat -anput | grep nginx ###查看 监听 端口 是否 启动

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 15918/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 15918/nginx: master

[root@test1 sbin]# systemctl stat us firewalld ###查看 防火墙 状态，如果是用到了防火墙的阻断，可先放行80和443端口，防火墙 拦截往往是最常见的。

● firewalld.service – firewalld – dynamic firewall daemon
Loa ded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@test1 sbin]#

使用国密浏览器做出验证是正常显示国密了

请添加图片描述

服务器上抓个包看看

[root@test1 nginx]# tcpdump -i ens192 -vnn port 443 –w /root/gm.pcap

tcpdump: listening on ens192, link–type EN10MB (Ethernet), capture size 262144 bytes

然后 需要 使用 支持国密的Wire sha rk去打开（下载 地址：ht tps://www.gmssl.cn/gmssl/down/wireshark–win32-2.9.0-gm.3.exe）

能看到GMTLSv.x即是国密算法了。

请添加图片描述

这里说写些在过程 汇总 遇到的问题吧

1、访问nginx的http和https 返回403，这种通常是因为权限不足导致，详见error 日志内出现：

2023/05/30 17:54:16 [error] 18320#0: *154 “/usr/local/nginx/html/index.html” is forb id den (13: Permission denied), client: 172.16.2.2, server: localhost1, request: “GET / HTTP/1.1”, host: “192.168.7.129”
2023/05/30 17:54:16 [error] 18320#0: *154 “/usr/local/nginx/html/index.html” is forb id den (13: Permission denied), client: 172.16.2.2, server: localhost1, request: “GET / HTTP/1.1”, host: “192.168.7.129”
2023/05/30 17:54:16 [error] 18320#0: *154 “/usr/lo cal/nginx/html/index.html” is forb id den (13: Permission denied), client: 172.16.2.2, server: localhost1, request: “GET / HTTP/1.1”, host: “192.168.7.129”

chmod 644 /站点 路径 修改 权限便可解决

2、在nginx同时存在 http和https的时候，http能够正常访问，但HTTPS不能，浏览器 回显 没有值得参考 信息，查看 error 日志 发现

2023/05/30 18:04:55 [info] 18320#0: *183 SSL_do_hand shake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL ha nd sha king, client: 172.16.2.2, server: 0.0.0.0:443
2023/05/30 18:04:55 [info] 18320#0: *184 SSL_do_ha nd shake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL ha nd sha king, client: 172.16.2.2, server: 0.0.0.0:443
2023/05/30 18:04:59 [info] 18320#0: *185 SSL_do_hands hake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 172.16.2.2, server: 0.0.0.0:443