SSL negotiation 4
Below is the final, complete, merged version for you (structure 100% preserved + NGINX configuration fully embedded + policy injection layer made explicit).
All of your earlier split-outs (SNI / TLS / Cipher) have been unified into the real execution-model diagram NGINX → OpenSSL → TLS FSM.
SNI selects CTX → OpenSSL state machine drives (IO driven) → TLS version branch → handshake message tree (ServerHello is only one node in it)

                          ClientHello
                               |
         ----------------------+----------------------
         |                     |                     |
         v                     v                     v
   [SNI parsing]   [TLS version negotiation]   [Cipher list / Extensions]
         |                     |                     |
         |                     |                     v
         |                     |        ssl_ciphers 'ALL:@SECLEVEL=0'
         |                     |        ssl_prefer_server_ciphers off
         |                     |        ssl_ecdh_curve auto
         |                     |        ssl_session_tickets on
         |                     |                     |
         |                     |                     v
         |                     |        Cipher + SECLEVEL + OpenSSL supported set
         |                     |                     |
         |-------- failure → FIN/RST ----------------|
         |
         v
================ NGINX POLICY INJECTION LAYER ====================
|
|---- SNI parsing (ngx_ssl_servername)
|       ↓
|       server_name _
|       ssl_certificate
|       ssl_certificate_key
|
|---- TLS version filtering (ssl_protocols)
|       ↓
|       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
|
|---- Cipher / Curve / Extension policy
|       ↓
|       ssl_ciphers
|       ssl_ecdh_curve
|       SECLEVEL=0
|
v
SSL_CTX selection (vhost switch / SNI callback)
|
v
================ OpenSSL State Machine (IO-driven layer) ==============
|
|---- epoll triggers ngx_ssl_handshake()
|---- SSL_do_handshake()
|---- WANT_READ / WANT_WRITE loop
|
|---- ssl_handshake_timeout 120s
|
v
================ Handshake Negotiation Core ======================
|
|---- TLS version negotiation (the set left after ssl_protocols filtering)
|
|---- Cipher Suite selection (NGINX policy ∩ OpenSSL ∩ Client)
|
|---- KeyShare / Curve selection (ssl_ecdh_curve auto)
|
|---- Certificate selection (SNI → SSL_CTX)
|       ↓
|       ssl_certificate / ssl_certificate_key
|
|---- ALPN selection (HTTP/1.1 vs h2)
|       ↓
|       (implicit; no explicit `listen 443 ssl http2`)
|
v
================ Pre-ServerHello Compute =========================
|
|---- ECDHE shared secret computation
|---- HKDF / master_secret generation
|---- early handshake keys preparation
|
v
==================== COMMIT POINT ================================
ServerHello
- TLS version
- cipher suite
- key_share / curve
- extensions (ALPN etc)
==================================================================
|
|===================== TLS1.3 PATH ============|===================== TLS1.2 PATH ============
|                                              |
v                                              v
EncryptedExtensions                            ServerKeyExchange
Certificate                                    Certificate
CertificateVerify                              ServerHelloDone
Finished(Server)                               ClientKeyExchange
                                               ChangeCipherSpec
                                               Finished(Server)
==================== KEY SCHEDULE ================================
TLS1.3: HKDF → traffic secrets
TLS1.2: master_secret derivation
ssl_session_cache shared:SSL:512m
ssl_session_timeout 1d
ssl_session_tickets on
==================================================================
Finished(Client)
|
v
==================== SESSION ESTABLISHED =========================
|
|---- TLS record layer active
|---- session resumption (tickets/cache)
|
v
==================== NGINX HTTP LAYER ============================
|
|---- location /
|       proxy_pass http://10.59.84.207:5013;
|
|---- location /offline/
|       proxy_pass http://10.59.84.207:5014;
|
|---- location ^~ /offline/static/
|       proxy_pass http://10.59.84.207:5014/offline/static/;
|       expires 24h;
|
v
Application Data (HTTP upstream)

==================== LISTEN / SOCKET LAYER =======================
listen 443 ssl default_server;
listen 80;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 95;
keepalive_requests 20000;

==================== TIMEOUT / FAILURE MODEL =====================
ANY STAGE:
|
|---- ssl_handshake_timeout 120s
|---- TCP retrans timeout
|---- Cipher mismatch (SECLEVEL / ssl_ciphers)
|---- TLS version mismatch (ssl_protocols)
|---- Cert failure (SNI → SSL_CTX)
|
v
error_page 497 / 500 / 502 / 503 / 504
log_format cef escape=json
log_by_lua_file conf/lua_kafka.lua
FIN / RST
🧠 The essence of this diagram (this is the key point)
Your "complete diagram" as it now stands is no longer a protocol diagram; it is:
NGINX = Policy Injection Layer
OpenSSL = State Machine Execution Engine
TCP = Transport substrate
TLS = Finite State Machine DAG
✔️ This version already has three engineering-grade properties
- ✅ The structure fully preserves your original topology
- ✅ nginx.conf has become a "per-node control plane"
- ✅ SNI / TLS / Cipher are no longer protocol steps but policy filters
If you want, as the next step I can give you an upgraded version:
🔬 "ngx_ssl_handshake() source-level execution path diagram (function-stack level)"
Or:
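Added example (not part of the message above, and not nginx or OpenSSL code): a small Python audit that reads the ssl_* directives the diagram embeds in the NGINX policy injection layer and flags the settings that widen what the OpenSSL state machine will accept. The config text is constructed from the directives shown in the diagram; the thresholds used for the checks are my own assumptions.

```python
import re

# Constructed sample: the ssl_* directives the diagram places in the
# NGINX policy injection layer, written as they would appear in nginx.conf.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ALL:@SECLEVEL=0';
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve auto;
    ssl_session_tickets on;
    ssl_handshake_timeout 120s;
}
"""

# One "ssl_<name> <value>;" directive per line; values may be quoted.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.+?);\s*$", re.MULTILINE)


def parse_ssl_directives(conf: str) -> dict:
    """Return {directive: value} for every ssl_* directive, quotes stripped."""
    return {name: value.strip("'\"") for name, value in DIRECTIVE_RE.findall(conf)}


def audit_tls_policy(conf: str) -> list:
    """Flag policy settings that enlarge the negotiable set before the commit point."""
    d = parse_ssl_directives(conf)
    findings = []
    protos = set(d.get("ssl_protocols", "").split())
    legacy = sorted(protos & {"SSLv3", "TLSv1", "TLSv1.1"})
    if legacy:
        findings.append(f"ssl_protocols: legacy versions enabled: {' '.join(legacy)}")
    ciphers = d.get("ssl_ciphers", "")
    if re.search(r"@SECLEVEL=0\b", ciphers):
        findings.append("ssl_ciphers: @SECLEVEL=0 turns off OpenSSL's minimum strength checks")
    if ciphers.startswith("ALL"):
        findings.append("ssl_ciphers: starts with ALL, so policy excludes no suite")
    if d.get("ssl_prefer_server_ciphers", "off") == "off" and "TLSv1.2" in protos:
        findings.append("ssl_prefer_server_ciphers off: client order picks the TLS1.2 suite")
    m = re.match(r"(\d+)s?$", d.get("ssl_handshake_timeout", "60s"))
    if m and int(m.group(1)) > 60:  # assumed threshold: 60s
        findings.append(f"ssl_handshake_timeout {m.group(0)}: half-open handshakes held >60s")
    return findings


if __name__ == "__main__":
    for line in audit_tls_policy(SAMPLE_CONF):
        print("WEAK:", line)
```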
