Our latest product needs to support iOS devices, but when the link was clicked the .plist file could not be downloaded, and the device showed a prompt about connecting to www.xxx.com.
Searching the internet turned up a lot of information suggesting that this may be a certificate issue.
There is a lot that can be tested at https://www.ssllabs.com/ssltest/index.html.
After a few days of struggle, I recorded a few things.
To support TLS 1.1 and TLS 1.2, be sure the OpenSSL version is > 1.0.1.
For compiling OpenSSL, refer to the official website; it is best to download the latest version.
I followed this article for the deployment:
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
openssl version    # view the OpenSSL version
openssl dhparam -out dhparam.pem 4096    # generate DH parameters for forward secrecy; this takes a long time to run
openssl ciphers -v 'TLSv1.2'    # view the ciphers supported for this version
openssl genrsa --help    # help for genrsa
openssl genrsa -des3 -out server.key 2048    # generate a key; GoDaddy needs at least 2048 bits to issue a certificate
openssl s_client -connect www.google.com:443    # test as a client and show the certificate the server uses
openssl req -new -key server.key -subj "/C=CN/ST=Beijing/L=Beijing/O=fyltd/OU=Itranswarp/CN=www.example.com" -out server.csr    # generate a certificate request
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt    # build the certificate (self-signed with the same key)
This is my script for automatically generating a certificate on the server. If you want GoDaddy or another site to issue the certificate, the last line can be commented out. Then download the certificate from the third party and use it directly.
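#!/bin/bash
DOMAIN="d.example.com"
# Private key, 2048-bit RSA, protected with a passphrase
openssl genrsa -des3 -out "$DOMAIN.key" 2048
#openssl ecparam -genkey -name secp160r1 -out "$DOMAIN.key"
SUBJECT="/C=CN/ST=Beijing/L=Beijing/O=fyltd/OU=itranswarp/CN=$DOMAIN"
# Certificate request signed with SHA-256
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr" -sha256
# Self-signed certificate; leave commented out when a third party issues the certificate
#openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"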
For Nginx to be accepted by Apple devices, be sure to turn on support for TLS.
Here are the reference articles:
http://xfeng.me/nginx-enable-tls-sni-support
http://nginx.org/en/docs/http/configuring_https_servers.html#chains
Nginx SSL optimization settings:
ssl on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
ssl_certificate /usr/local/nginx/conf/ssl/server.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
For reference, see http://www.oschina.net/translate/strong_ssl_security_on_nginx
If you need to upgrade from TLS 1.0 to TLS 1.2, follow the steps above again.
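An added example, not part of the original post: a small Python check that reads nginx ssl_* directives like the ones above and reports settings that would undermine TLS 1.2 or forward secrecy. The sample config is constructed (cipher list shortened), and the function names and the required-exclusion set are this example's own assumptions.

```python
import re

# Constructed sample: directive names from the settings above, cipher list shortened.
SAMPLE_CONF = '''
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
'''

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # ephemeral key exchange gives forward secrecy
# Assumption: exclusions this check insists on, a subset of those in the cipher string above.
REQUIRED_EXCLUDES = {"!aNULL", "!eNULL", "!EXPORT", "!MD5", "!RC4"}

def directives(conf):
    """Map each 'ssl_xxx value;' directive to its value, quotes removed."""
    pairs = re.findall(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.M)
    return {name: value.strip().strip('"').strip() for name, value in pairs}

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = directives(conf)
    findings = []
    # Compare whole tokens so that "TLSv1" is not mistaken for "TLSv1.2".
    if "TLSv1.2" not in d.get("ssl_protocols", "").split():
        findings.append("TLSv1.2 is not enabled in ssl_protocols")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    tokens = [t.strip() for t in d.get("ssl_ciphers", "").split(":") if t.strip()]
    enabled = [t for t in tokens if not t.startswith("!")]
    fs_flags = [t.startswith(FS_PREFIXES) for t in enabled]
    if not any(fs_flags):
        findings.append("no forward-secrecy (ECDHE/DHE) suite is listed")
    elif False in fs_flags and True in fs_flags[fs_flags.index(False):]:
        # With server preference on, list order decides what gets negotiated.
        findings.append("a forward-secrecy suite is listed after a non-forward-secrecy entry")
    if any(t.startswith(("DHE-", "EDH-")) for t in enabled) and "ssl_dhparam" not in d:
        findings.append("DHE suites are listed but ssl_dhparam is not set")
    missing = REQUIRED_EXCLUDES - set(tokens)
    if missing:
        findings.append("missing exclusions: " + " ".join(sorted(missing)))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["all checks passed"]:
        print(line)
```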
This article is from the "tireless learning ..." Blog, be sure to keep this source http://jonyisme.blog.51cto.com/3690784/1732226
A series of things that happen when an Apple device clicks to download and install an IPA file