nignx 中的 ssl_ciphers 如何配置

这个指令的参数是以冒号为分割的 OpenSSL name,需要根据你的 openssl 版本支持的算法套件来配置,每个名字代表了 TLS 握手所使用的算法、证书签名、完整性检查算法。

1ssl_ciphers “TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5”;

以ECDHE-RSA-AES128-GCM-SHA256 为例

秘钥交换算法:ECDHE
证书验证签名算法:RSA
建立连接后的对称加密算法:AES128
完整性检查HASH算法:GCM-SHA256

查询 OpenSSL 支持哪些算法套件:

123456789[root@www ~]# openssl ciphers -v |grep CHATLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEADDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEADRSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEADDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEADECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEADPSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD

Kx  密钥交换算法  :用来协商回话密钥
Au 验证算法 :用来验证服务端身份
Enc对称加密算法:加密消息
Mac摘要算法:防消息篡改

以下三个名字都是不同叫法的同一套加密套件:

IANA name:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

OpenSSL name:ECDHE-RSA-CHACHA20-POLY1305

GnuTLS name:TLS_ECDHE_RSA_CHACHA20_POLY1305

TLS Version(s):TLS1.2


Protocol:Transport Layer Security (TLS)

Key Exchange:Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)

Authentication:Rivest Shamir Adleman algorithm (RSA)

Encryption:ChaCha stream cipher and Poly1305 authenticator (CHACHA20 POLY1305)

Hash:Secure Hash Algorithm 256 (SHA256)

检测TLS版本命令:

curl -I -v –tlsv1 –tls-max 1.0 https://www.nginx.cn
curl -I -v –tlsv1.1 –tls-max 1.1 https://www.nginx.cn

  • -I : Show document header info only
  • -v : Verbose outputs
  • --tlsv1--tlsv1.0--tlsv1.1--tlsv1.2--tlsv1.3: Use given TLS version
  • --tls-max VERSION : Set maximum allowed TLS version

参考:

检测浏览器支持:https://ssl.haka.se/

tls 测试:https://www.cdn77.com/tls-test

ssl 测试:https://www.ssllabs.com/ssltest/index.html

https://blog.cloudflare.com/announcing-keyless-ssl-all-the-benefits-of-cloudflare-without-having-to-turn-over-your-private-ssl-keys/

https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/

http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

https://dev.admirable.pro/ssl-optimization/

Was this helpful?

0 / 0

发表评论 0

Your email address will not be published. Required fields are marked *