龙空技术网

关于ssl证书使用的加密套件

孤独患者wo 109

前言:

此时各位老铁们对“nginx 加密套件”大体比较关注,同学们都需要剖析一些“nginx 加密套件”的相关资讯。那么小编同时在网摘上网罗了一些关于“nginx 加密套件””的相关资讯,希望我们能喜欢,大家一起来学习一下吧!

一、ciphers是配置ssl证书所需的加密套件,基于OpenSSL。用户可以控制在协商TLS连接时要考虑的密码。使已知密码的名称根据libcurl构建TLS后端。

SSL协议有sslv2, sslv3, tlsv1, tlsv1.1和tlsv1.2。目前推荐使用的有tlsv1.2,其它协议都存在各种安全漏洞。在每种SSL协议中,又包括了一系列的加密算法,也即是ciphers suite。

SSL3 加密套件:

NULL-MD5 NULL-SHA RC4-MD5 RC4-SHA IDEA-CBC-SHA DES-CBC3-SHA DH-DSS-DES-CBC3-SHA DH-RSA-DES-CBC3-SHA DHE-DSS-DES-CBC3-SHA DHE-RSA-DES-CBC3-SHA ADH-RC4-MD5 ADH-DES-CBC3-SHA

TLS v1.0与1.1 加密套件:

NULL-MD5 NULL-SHA RC4-MD5 RC4-SHA IDEA-CBC-SHA DES-CBC3-SHA DHE-DSS-DES-CBC3-SHA DHE-RSA-DES-CBC3-SHA ADH-RC4-MD5 ADH-DES-CBC3-SHA

TLS v1.2加密套件:

NULL-SHA256 AES128-SHA256 AES256-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 DH-RSA-AES128-SHA256 DH-RSA-AES256-SHA256 DH-RSA-AES128-GCM-SHA256 DH-RSA-AES256-GCM-SHA384 DH-DSS-AES128-SHA256 DH-DSS-AES256-SHA256 DH-DSS-AES128-GCM-SHA256 DH-DSS-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES128-SHA256 DHE-DSS-AES256-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-DSS-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ADH-AES128-SHA256 ADH-AES256-SHA256 ADH-AES128-GCM-SHA256 ADH-AES256-GCM-SHA384 AES128-CCM AES256-CCM DHE-RSA-AES128-CCM DHE-RSA-AES256-CCM AES128-CCM8 AES256-CCM8 DHE-RSA-AES128-CCM8 DHE-RSA-AES256-CCM8 ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES256-CCM8

基于ECC加密算法的加密套件:

ecdh_ecdsa_null_sha ecdh_ecdsa_rc4_128_sha ecdh_ecdsa_3des_sha ecdh_ecdsa_aes_128_sha ecdh_ecdsa_aes_256_shaecdhe_ecdsa_null_sha ecdhe_ecdsa_rc4_128_sha ecdhe_ecdsa_3des_sha ecdhe_ecdsa_aes_128_sha ecdhe_ecdsa_aes_256_shaecdh_rsa_null_sha ecdh_rsa_128_sha ecdh_rsa_3des_sha ecdh_rsa_aes_128_sha ecdh_rsa_aes_256_sha ecdhe_rsa_nullecdhe_rsa_rc4_128_sha ecdhe_rsa_3des_sha ecdhe_rsa_aes_128_sha ecdhe_rsa_aes_256_sha ecdh_anon_null_shaecdh_anon_rc4_128sha ecdh_anon_3des_sha ecdh_anon_aes_128_sha ecdh_anon_aes_256_sha

二、推荐服务器使用的加密协议与套件

Nginx:

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!3DES:!aNULL:!MD5:!ADH:!RC4; #允许的加密套件ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #首选加密协议

Apache:

SSLProtocol all -SSLv2 -SSLv3 #禁止不安全的加密协议SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!3DES:!MD5:!ADH:!RC4:!DH:!DHE #首选的加密套件

Tomcat:

说明:Tomcat一般默认,支持TLS v1.2协议必须要jdk1.7+Tomcat7以上版本才能支持

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA" ###以上是参考的示例

标签: #nginx 加密套件