CentOS 7, Ubuntu 14.04 and Debian 8 are all still on OpenSSL 1.0.1 for now.
Apart from compiling, is there a better way?
1
kiritoalex 2015-10-27 13:02:37 +08:00 via Android
Switch to a different OS.
|
2
pupboss 2015-10-27 13:08:39 +08:00
|
3
unity0703 2015-10-27 13:18:34 +08:00
See if there's a ready-made Docker image.
|
5
skydiver 2015-10-27 14:20:51 +08:00
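Why do you need the new version?
If there's a security vulnerability, Red Hat will backport the fix to the old version. As long as you keep using what's in the official repos, there's no problem. |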
6
Felldeadbird 2015-10-27 14:26:38 +08:00
On Ubuntu, find the corresponding repo and then upgrade.
|
7
pupboss 2015-10-27 14:26:59 +08:00 via iPhone
|
10
ivmm OP |
14
bigtan 2015-10-27 17:27:19 +08:00
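Just yesterday I switched Apache over, upgrading to a version that supports http2.
Pointed the Ubuntu sources at sid and installed directly, no compiling needed. |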
15
skydiver 2015-10-27 17:33:26 +08:00
@ivmm I installed it by adding the nginx repo directly ( http://nginx.org/en/linux_packages.html ) and didn't run into any openssl problems.
|
16
ivmm OP |
17
ivmm OP
```
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name www.vobe.io;
    # $1 already starts with "/", so no extra slash after the host name
    rewrite ^(.*) https://www.vobe.io$1 permanent;
}

server {
    listen 443 ssl http2 default_server;
    server_name www.vobe.io;

    # Redundant with "ssl" on the listen line above
    ssl on;
    ssl_certificate /usr/local/nginx/conf/vhost/1_vobe.io_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/vhost/2_vobe.io.key;
    ssl_dhparam /usr/local/nginx/conf/vhost/3_vobe.io_dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

    # TLS session handling
    ssl_session_timeout 10m;
    ssl_buffer_size 1400;
    ssl_session_cache builtin:1000 shared:SSL:20m;
    ssl_session_tickets off;

    resolver 223.5.5.5 223.6.6.6 valid=300s;
    resolver_timeout 5s;

    # Response headers
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
    add_header X-Cache $upstream_cache_status;
    # Header name is given without a trailing colon; nginx adds the separator itself
    add_header Access-Control-Allow-Origin *;
}
```
|
23
kn007 2015-10-27 17:54:05 +08:00
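There's no painless way; you have to compile, and compiling won't cause any problems anyway.
With nginx you can get away without compiling it separately: https://kn007.net/topics/choose-nginx-ssl-ciphers/ libressl (no pre-compiling needed) and openssl (I forget whether it needs pre-compiling) can both be handed straight to the nginx build. |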
24
kn007 2015-10-27 17:56:56 +08:00
|
26
hyuwang 2015-10-28 02:05:08 +08:00
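I tried compiling and ran into quite a few pitfalls; it took a fair amount of time to get it working, so I wrote a docker image: openssl 1.0.2 + nginx 1.9.6 with http2 module.
Feel free to try it: http://www.v2ex.com/t/231591 |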