海运的博客

nginx下ssl_ciphers配置对tls1.3无效，当开启ssl_prefer_server_ciphers选项时以openssl默认的顺序选择ciphers。
查看openssl支持的ciphers:

openssl ciphers -s -tls1_3
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

修改openssl tls1.3 ciphers顺序
centos8下修改配置文件/etc/crypto-policies/back-ends/opensslcnf.config

Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

其它版本，修改/etc/pki/tls/openssl.cnf配置文件：

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

然后重启nginx即可。

https://trac.nginx.org/nginx/ticket/1529
https://trac.nginx.org/nginx/ticket/1445
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
https://github.com/ssllabs/ssllabs-scan/issues/636

openssl req -new -x509 -days 3650 -nodes -out server.crt -keyout server.key -subj "/C=XX/L=Default City/O=Default Company Ltd/"

指定证书为2048位RSA：

openssl req -newkey rsa:2048 -x509 -days 3650 -nodes -out server.crt -keyout server.key -subj "/C=XX/L=Default City/O=Default Company Ltd/"

查看证书信息：

openssl x509 -text -noout -in server.crt 

生成ecc证书：

openssl ecparam -genkey -name prime256v1 -out server.key
# -name secp384r1
openssl req -new -x509 -days 3650 -key server.key -out server.cert

caddy使用上面自签名ssl的证书错误：
loading tls app module: provision tls: caching unmanaged certificate: certificate has no names
在签名时指定DNS名称为当前IP解决：

-addext 'subjectAltName=DNS:192.168.1.1,DNS:127.0.0.1'

参考：
https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
https://blog.csdn.net/qq_41827547/article/details/105682770