WeChat Mini Program: the server's TLS version is TLS 1.0, but Mini Programs require TLS 1.2 or higher -- upgrading the TLS version on LNMP


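Because of the App Store, WeChat Mini Programs require the server's TLS version to be 1.2 or higher. Here are the steps for upgrading TLS:

I. Check whether the OpenSSL version is ≥ 1.0.1g; if it is not, it must be upgraded

1. Check the OpenSSL version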

[root@xxxx ~]# openssl version -a
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

2. Upgrade OpenSSL

① Download openssl-1.0.2n.tar.gz

[root@xxxx ~]# wget http://www.openssl.org/source/openssl-1.0.2n.tar.gz

② Update zlib

[root@xxxx ~]# yum install -y zlib

③ Extract and install

[root@xxxx ~]# tar zxf openssl-1.0.2n.tar.gz
[root@xxxx ~]# cd openssl-1.0.2n
[root@xxxx ~]# ./config shared zlib
[root@xxxx ~]# make
[root@xxxx ~]# make install
[root@xxxx ~]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@xxxx ~]# mv /usr/include/openssl /usr/include/openssl.bak
[root@xxxx ~]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
[root@xxxx ~]# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
[root@xxxx ~]# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
[root@xxxx ~]# ldconfig -v

④ Check that the upgrade succeeded

[root@xxxx ~]# openssl version
OpenSSL 1.0.2n  7 Dec 2017

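II. Recompile nginx; otherwise nginx will still be built against the old OpenSSL version

1. Download the same nginx version as the one currently installed from the official site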

[root@xxxx ~]# wget http://nginx.org/download/nginx-1.8.0.tar.gz

2. Extract the archive and enter the directory

[root@xxxx ~]# tar zxvf nginx-1.8.0.tar.gz
[root@xxxx ~]# cd nginx-1.8.0

3. Change how OpenSSL is loaded:

[root@xxxx nginx-1.8.0]# vi auto/lib/openssl/conf
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"

Change these to:

CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"

4. Copy the original nginx build configuration (the V must be uppercase)

[root@xxxx nginx-1.8.0]# nginx -V
nginx version: nginx/1.8.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 1.0.2n  7 Dec 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_spdy_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-google_perftools_module --with-openssl=/usr/local/ssl

Copy the string that follows "configure arguments:"

5. Re-run configure for nginx

[root@xxx nginx-1.8.0]# ./configure \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_spdy_module \
--with-http_gzip_static_module \
--with-ipv6 \
--with-http_sub_module \
--with-google_perftools_module \
--with-openssl=/usr/local/ssl

6. Compile

sudo make

Do not run the usual make install, which would perform a fresh installation. I only need the compiled binary.

7. Stop the running nginx

[root@xxxx nginx-1.8.0]# sudo nginx -s stop

8. Replace the nginx binary

[root@xxxx nginx-1.8.0]# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
[root@xxxx nginx-1.8.0]# cp ./objs/nginx /usr/local/nginx/sbin/

9. Start nginx and check the nginx modules

[root@xxxx nginx-1.8.0]# sudo nginx
[root@xxxx ~]# nginx -V
nginx version: nginx/1.8.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 1.0.2n  7 Dec 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_spdy_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-google_perftools_module --with-openssl=/usr/local/ssl

III. Configure nginx.conf (restart nginx once the configuration is done)

server
    {
        listen 443 ssl;
        server_name xxx.com;
        index  index.php;
        root  /home/xxx/xxx;

        ssl on;
        ssl_certificate   ../cert/214719214440685.pem;
        ssl_certificate_key  ../cert/214719214440685.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
    }

Have the WeChat Mini Program access the backend again: it works. All done...
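
An added example, not part of the original post: a shell check, run against saved `nginx -V 2>&1` output and the server block, that the rebuilt binary reports OpenSSL at or above the 1.0.1g minimum from section I and that ssl_protocols includes TLSv1.2. It also reports TLSv1 and TLSv1.1, which the configuration above leaves enabled. The function names and the MIN_OPENSSL variable are hypothetical; the sample input is copied from the output shown on this page.

```shell
# Added example, not from the original post; function names are hypothetical.
MIN_OPENSSL="1.0.1g"   # minimum version given in section I

# "1.0.2n" or "0.9.8e-fips-rhel5" -> fixed-width key that sorts as a plain string.
ver_key() {
    printf '%s\n' "$1" | sed 's/-.*//' | awk -F. '{
        letter = $3; sub(/^[0-9]+/, "", letter)   # patch letter, e.g. "n"
        if (letter == "") letter = "0"            # no letter sorts before "a"
        printf "%03d.%03d.%03d.%s\n", $1, $2, $3 + 0, letter }'
}

# Succeeds when version $1 >= version $2.
ver_ge() {
    want=$(ver_key "$2")
    low=$(printf '%s\n%s\n' "$(ver_key "$1")" "$want" | LC_ALL=C sort | head -n 1)
    [ "$low" = "$want" ]
}

# stdin: `nginx -V 2>&1` output; prints the OpenSSL version nginx was built with.
nginx_openssl_version() { sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1; }

# stdin: nginx config; prints the first ssl_protocols value, space-normalised.
enabled_protocols() {
    awk '$1 == "ssl_protocols" { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }'
}

# stdin: nginx config; prints the enabled protocols that are older than TLS 1.2.
legacy_protocols() {
    enabled_protocols | awk '{ out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) out = out (out == "" ? "" : " ") $i
        print out }'
}

# $1 = `nginx -V` output, $2 = config text. Returns 0 only when both checks pass.
audit() {
    ver=$(printf '%s\n' "$1" | nginx_openssl_version)
    ver_ge "${ver:-0.0.0}" "$MIN_OPENSSL" || { echo "FAIL OpenSSL ${ver:-unknown}"; return 1; }
    case " $(printf '%s\n' "$2" | enabled_protocols) " in
        *" TLSv1.2 "*) ;;
        *) echo "FAIL TLSv1.2 not enabled"; return 1 ;;
    esac
    old=$(printf '%s\n' "$2" | legacy_protocols)
    [ -z "$old" ] || echo "WARN also enabled: $old"   # older protocols only warn
    echo "OK OpenSSL $ver, TLSv1.2 enabled"
}

# Sample input copied from the nginx -V output and server block shown on this page.
SAMPLE_NGINX_V='built with OpenSSL 1.0.2n  7 Dec 2017'
SAMPLE_CONF='    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
audit "$SAMPLE_NGINX_V" "$SAMPLE_CONF"
```

On a live host, pass `"$(nginx -V 2>&1)"` and the contents of nginx.conf as the two arguments to `audit`.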

