nginx TLS 1.2 configuration for HTTPS based on the ATS requirements of iOS 9

1.
iOS 9 introduces the new App Transport Security (ATS) feature, which requires that what used to be plain HTTP in the original requests now be transmitted over the TLS 1.2 protocol. In effect, all HTTP traffic is forced onto HTTPS, so the mobile API must be served over HTTPS with TLS 1.2 support.

2. Project situation
Server side: the company's servers run CentOS, the development language is PHP, and the web server is nginx.
Client: the iOS and Android clients communicate with the service over HTTP with JSON, and some app functions are implemented by loading H5 pages in a WebView.

3. The final working configuration
The relevant configurations in nginx.conf are as follows:
server
{
    server_name mobileapi.xx.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/mobileapi.xx.com/web;

    # HTTPS listener. "ssl on;" is redundant once "listen ... ssl" is used
    # (and is deprecated in newer nginx releases), but it is harmless here.
    listen 443 ssl;
    ssl on;
    ssl_certificate        /home/wwwroot/ssl.xx.com/xx.crt;
    ssl_certificate_key    /home/wwwroot/ssl.xx.com/xx.key;
    ssl_session_timeout    5m;

    # TLSv1.2 must be enabled for ATS; TLSv1 and TLSv1.1 are kept only for
    # older clients and can be dropped if nothing else still needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # AES-GCM suites first; RC4, export, anonymous and null suites excluded.
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    include none.conf;

    # Hand .php requests to PHP-FPM. try_files returns 404 for scripts that
    # do not exist instead of passing the request on to FastCGI. The original
    # pattern had a trailing "?" that made the extension optional; removed.
    location ~ .*\.(php|php5)$
    {
        try_files $uri =404;
        #fastcgi_pass  unix:/tmp/php-cgi.sock;
        fastcgi_pass  unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }

    # Front-controller rewrite: anything that is not an existing file or
    # directory is routed to index.php.
    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*) /index.php last;
        }
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    location ~ .*\.(js|css)$
    {
        expires 12h;
    }

    access_log off;
}
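As an added example (not code from the original post), a small Python checker that applies the ATS requirements (TLSv1.2 enabled, forward-secrecy ECDHE suites only, server cipher preference) to the ssl_* directives of an nginx server block, so the configuration can be reviewed offline before running nscurl. Fed the ssl_* lines from the configuration above it flags the legacy protocols and the ALL keyword; HARDENED_CONF is an assumed tightened variant, not from the post.

```python
import re

# Constructed sample: the ssl_* lines from the server block above.
PAGE_CONF = """
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers   on;
"""

# Constructed sample (assumed, not from the post): TLS 1.2 only and only ECDHE
# AES-GCM suites, i.e. the forward-secrecy suites ATS is willing to negotiate.
HARDENED_CONF = """
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL keywords that pull in RSA-key-exchange suites (no forward secrecy).
BROAD = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW"}

def ssl_directives(conf):
    """Map each ssl_* directive to its value (comments stripped, last one wins)."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(ssl_\w+)\s+(.+?)\s*;$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def ats_findings(conf):
    """Return a list of findings; an empty list means nothing to flag."""
    d = ssl_directives(conf)
    findings = []
    protocols = set(d.get("ssl_protocols", "").split())
    if "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 missing from ssl_protocols")
    old = sorted(protocols & LEGACY)
    if old:
        findings.append("legacy protocols still enabled: " + " ".join(old))
    tokens = [t for t in d.get("ssl_ciphers", "").split(":") if t]
    # Only unprefixed tokens add suites; "!X" removes and "+X" only reorders.
    broad = [t for t in tokens if t in BROAD]
    if not tokens:
        findings.append("ssl_ciphers not set")
    elif broad:
        findings.append("non-forward-secrecy suites enabled via: " + " ".join(broad))
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers should be on")
    return findings
```

The checker only reads the directives; it does not replace nscurl, which also verifies the certificate chain and the suite actually negotiated.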


4. Versions of key software
nginx 1.11.7
openssl 1.0.1e-fips
CentOS 6.3

5. nginx and openssl installation
openssl installation: yum install openssl
Download nginx 1.11.7 from the official website and build it with: ./configure --prefix=/usr/local/nginx1_11_7 --with-http_ssl_module


6. Test method
nscurl --ats-diagnostics https://mobileapi.xx.com
If all tests pass, the configuration is successful.

7. Pitfalls
The nginx version encountered, 1.4.4, was too old and did not support TLS 1.2.
The openssl version was too old (0.9.8e).
On CentOS 5.x at that time, openssl had to be upgraded manually; yum could not be used.

