Nginx integration of state secret SSL Protocol

Time: 2021-9-15

1 Background

Nginx itself supports the standard SSL/TLS protocols, but not the Chinese GM ("state secret", 国密) SSL protocol built on the SM2/SM3/SM4 algorithms. This article walks through the complete process of configuring nginx for the state secret SSL protocol (one-way, i.e. the server is authenticated but clients are not), for learning and reference only. Features: no nginx source code needs to be changed, and any nginx version is supported.

2 Environment
The server OS is 64-bit CentOS 7.7 with IP address 192.168.0.98; the client OS is Windows XP.

Nginx is nginx-1.18.0.

The browser is 360 Secure Browser (which supports state secret SSL).

3 Installation method 1: source code compilation

Gmssl.cn provides a state secret version of the OpenSSL library that can be compiled together with nginx; the resulting nginx binary supports the state secret SSL protocol.

1) Prepare gmssl_openssl

Download page: https://www.gmssl.cn/gmssl/in…

Download gmssl_openssl_1.1_b1.tar.gz

Copy it to the /root/ directory

Decompress:

   tar xzfm gmssl_openssl_1.1_bxx.tar.gz -C /usr/local

Then /usr/local/gmssl is the state secret OpenSSL directory.

2) Prepare nginx

Download page: http://nginx.org/download/ngi…

Copy it to the /root/ directory

Decompress:

   tar xzfm nginx-1.18.0.tar.gz

Then /root/nginx-1.18.0 is the nginx source directory.

   cd /root/nginx-1.18.0

Open auto/lib/openssl/conf in vi, change every occurrence of $OPENSSL/.openssl/ to $OPENSSL/ and save. This makes the build link against the already-installed gmssl library instead of trying to build OpenSSL from source.

3) Compile

   ./configure \
     --without-http_gzip_module \
     --with-http_ssl_module \
     --with-http_stub_status_module \
     --with-http_v2_module \
     --with-file-aio \
     --with-openssl="/usr/local/gmssl" \
     --with-cc-opt="-I/usr/local/gmssl/include" \
     --with-ld-opt="-lm"

   make install

Then /usr/local/nginx is the generated state secret nginx directory.

Note: you may need to install the pcre-devel package first.

4 Installation method 2: direct installation

Gmssl.cn also provides a state secret nginx already compiled according to method 1, which can be downloaded, installed and used directly.

Download page: https://www.gmssl.cn/gmssl/in…

Download gmssl_nginx_1.8.0_b7.tar.gz

Copy it to the /root/ directory

Decompress:

   tar xzfm gmssl_nginx_1.8.0_bxxx.tar.gz -C /usr/local

Then /usr/local/nginx is the state secret nginx directory.

5 State secret dual certificate

1) Generate the state secret dual certificate

Visit https://www.gmssl.cn/gmssl/in… to generate a free test state secret dual certificate (an SM2 signing certificate plus an SM2 encryption certificate).

Save sm2.demo1.gmssl.cn.zip after submitting the form.

Transfer it to /root/ on the server and unzip it:

   unzip sm2.demo1.gmssl.cn.zip -d /root/sm2.demo1/

6 Deploying state secret SSL on nginx

1) Configure nginx

   vi /usr/local/nginx/conf/nginx.conf

Add the following server block inside the http block:

server
{
    listen 0.0.0.0:443 ssl;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is sufficient for state secret SSL
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # the last two suites (SM2 key exchange, SM4 cipher, SM3 hash) are the state secret ones
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-SM3:ECDHE-SM4-SM3;
    # one-way SSL: the client is not asked for a certificate
    ssl_verify_client off;
    # state secret signing certificate and key
    ssl_certificate /root/sm2.demo1/sm2.demo1.gmssl.cn.sig.crt.pem;
    ssl_certificate_key /root/sm2.demo1/sm2.demo1.gmssl.cn.sig.key.pem;
    # state secret encryption certificate and key
    ssl_certificate /root/sm2.demo1/sm2.demo1.gmssl.cn.enc.crt.pem;
    ssl_certificate_key /root/sm2.demo1/sm2.demo1.gmssl.cn.enc.key.pem;
    location /
    {
        root html;
        index index.html index.htm;
    }
}
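A small checker for the dual-certificate server block above, added here as an example and not part of the original article or the gmssl.cn tools. It parses the directives of a server block, verifies that both the signing and the encryption certificate/key pairs are present, that at least one SM4/SM3 suite is enabled, and flags the deprecated TLSv1/TLSv1.1 protocols; the embedded configuration is the page's own block, and the `.sig.`/`.enc.` file-name convention used to tell the two certificates apart is an assumption taken from those file names.

```python
import re

# Constructed sample input: the server block from this page, embedded inline.
SAMPLE_CONF = """
server {
    listen 0.0.0.0:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-SM3:ECDHE-SM4-SM3;
    ssl_verify_client off;
    ssl_certificate /root/sm2.demo1/sm2.demo1.gmssl.cn.sig.crt.pem;
    ssl_certificate_key /root/sm2.demo1/sm2.demo1.gmssl.cn.sig.key.pem;
    ssl_certificate /root/sm2.demo1/sm2.demo1.gmssl.cn.enc.crt.pem;
    ssl_certificate_key /root/sm2.demo1/sm2.demo1.gmssl.cn.enc.key.pem;
}
"""

GM_SUITES = {"ECC-SM4-SM3", "ECDHE-SM4-SM3"}     # the state secret suites the page enables
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def parse_directives(conf):
    """Return (name, args) pairs for every 'name arg ... ;' directive in the block."""
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M)]

def check_gm_server(conf):
    """Return sorted findings for a state secret server block; [] means every check passed."""
    d = parse_directives(conf)
    findings = []
    certs = [a[0] for n, a in d if n == "ssl_certificate"]
    keys = [a[0] for n, a in d if n == "ssl_certificate_key"]
    # State secret SSL needs two SM2 certificates, a signing (sig) one and an encryption
    # (enc) one, each with its own key; the role is assumed to be encoded in the file name.
    for role in ("sig", "enc"):
        if not any(f".{role}." in c for c in certs):
            findings.append(f"missing {role} certificate")
        if not any(f".{role}." in k for k in keys):
            findings.append(f"missing {role} private key")
    if len(certs) != len(keys):
        findings.append("ssl_certificate / ssl_certificate_key count mismatch")
    suites = {s for n, a in d if n == "ssl_ciphers" for s in a[0].split(":")}
    if not suites & GM_SUITES:
        findings.append("no SM4/SM3 cipher suite in ssl_ciphers")
    protos = {p for n, a in d if n == "ssl_protocols" for p in a}
    for p in protos & LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol enabled: {p}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_gm_server(SAMPLE_CONF) or ["ok"]))
```

Run against the page's block it reports only the two legacy protocols; drop TLSv1 and TLSv1.1 from ssl_protocols and it reports nothing.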

2) Test the configuration

   /usr/local/nginx/sbin/nginx -t

   OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
   OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
   OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
   OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
   nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
   nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Note: the "Test Only!!!" lines are informational output printed by the state secret version of OpenSSL; they do not affect the test or normal use.

3) Run

   /usr/local/nginx/sbin/nginx

7 Access verification

1) Download 360 Secure Browser

https://se.360.cn

2) Enable state secret SSL support in the browser settings

3) Enable speed mode

Visit https://192.168.0.98; an error page appears, then turn on speed mode.

4) The state secret SSL site is now accessed successfully.

8 Summary

By using the state secret SSL components, nginx can support the state secret SSL protocol simply, without modifying any nginx source code, and meet the MLPS (等级保护, Multi-Level Protection Scheme) compliance requirement. It is indeed a simple and practical method. Www.gmssl.cn provides all of the test components free of charge, supports two-way state secret SSL, supports automatic adaptation between state secret SSL and standard SSL, and also supports Tomcat and Apache, so it is worth recommending and trying.