Nginx配置HTTPS支持CHACHA20_POLY1305

Aug 15, 2016#boringssl #https #libressl #nginx #openssl63

AI-generated summary

This article discusses how to configure Nginx to support the CHACHA20_POLY1305 encryption algorithm. It explains that to enable this support, the OpenSSL library in Nginx needs to be replaced with either BoringSSL or LibreSSL. It provides links to guides on how to replace OpenSSL with these libraries. The article also mentions the necessary changes to the nginx.conf file and recommends restarting Nginx after making the configuration changes. It concludes by suggesting a website SSL testing tool for further reference.

Nginx 打开 CHACHA20_POLY1305 支持需要替换 Nginx 的 OpenSSL 库为 BoringSSL 或 LibreSSL

具体实现替换方法请参考

Nginx 替换 OpenSSL 为 LibreSSL 请参考 https://www.lidaren.com/archives/1702

Nginx 替换 OpenSSL 为 BoringSSL 请参考 https://www.lidaren.com/archives/1705

修改 nginx.conf 让 nginx 支持 CHACHA20 加密算法即可这里增加”EECDH+CHACHA20+CHACHA20-draft:"

ssl_ciphers EECDH+CHACHA20+CHACHA20-draft+AES128+AES128+AES256+AES256+3DES+3DES:!MD5;
#BoringSSL 默认关闭 SSLv3
ssl_protocols TLSv1 TLSv1.1TLSv1.2;

重启 nginx 配置后即可启用 CHACHA20_POLY1305 安全加密算法。

最后提供一个网站 SSL 测试工具 https://www.ssllabs.com/ssltest/

参考 http://www.v2ex.com/t/174625