11:58 Cipher Suites
Now let’s go into cipher suites. What is a cipher suite? There are various cryptographic algorithms that SSL, TLS, and HTTPS use to establish connections and it’s really an alphabet soup. What do they mean?
Essentially, the first term is the key exchange, an algorithm that the two parties use to exchange keys. In this case, it’s based on the Diffie‑Hellman algorithm.
The second term is what type of key is in your certificate. So every certificate has a public key of a certain type. In this case it’s RSA.
The third piece is your transport cipher, the encryption algorithm used to encrypt all the data. There are a lot of different pieces that go into this, but AES‑GCM is the most secure cipher; this is actually something that Intel processors do at almost zero cost. So this is a pretty cheap and solid cipher to use.
The last one is integrity. As I mentioned, messages have a hash that goes along with them to make sure they haven’t been tampered with, but if it’s encrypted, and with integrity, you can go from there.
13:17 Server Cipher Suites
So for example, if the client says, “These are the ones I support in this order”, the server only supports two and then it’ll just pick its favorite.
13:52 Recommended Cipher Suites
[Image: slide 19 from Nick Sullivan’s (CloudFlare) nginx.conf 2015 presentation: CloudFlare and Mozilla each publish a list of recommended cipher suites to provide website security through HTTPS.]
This is not a really big matter of debate, but there are a lot of options that you have out there. CloudFlare uses this cipher suite list and you can find it here. We have an NGINX configuration format and these are the ones we recommend. These are the ones that all sites that are on CloudFlare end up using.
So, there’s a cool new cipher called ChaCha20. It’s not supported in mainline NGINX yet but we’re pushing to do it; everything else here you can use. Mozilla also has their own recommendations on this, and you can go to their server‑side TLS site and they will generate SSL configuration for you for NGINX or whatever web server you might be using. So that’s cipher suites.
References:
Each cipher suite consists of 4 parts (key exchange, certificate key type / authentication, bulk cipher, integrity/MAC):
https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/#CipherSuites
How to write the nginx ssl_ciphers directive (it takes an OpenSSL cipher list string):
https://www.openssl.org/docs/manmaster/man1/ciphers.html –> CIPHER LIST FORMAT
To see which suites the OpenSSL on the nginx machine supports (pass the same list string you give to ssl_ciphers to see exactly what nginx will offer):
openssl ciphers -v
To benchmark the various algorithms, see: openssl speed
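The following script is an added example, not code from the nginx blog post or from the 51cto author. It parses the output of `openssl ciphers -v` (the command referenced above) into the four components the talk describes (Kx = key exchange, Au = certificate/authentication key type, Enc = bulk cipher, Mac = integrity) and flags suites that lack forward secrecy, are not AEAD, or use a broken bulk cipher. The `SAMPLE_OUTPUT` block is constructed by hand in the shape of real `openssl ciphers -v` output so the script runs offline; `audit_local_openssl` is a convenience wrapper that runs the real command if `openssl` is on the PATH. The policy in `suite_problems` is my own choice of checks, not CloudFlare's or Mozilla's list.

```python
"""
Parse `openssl ciphers -v` output into the four cipher-suite parts
(key exchange, authentication, bulk cipher, MAC) and check each suite
against a simple policy: forward secrecy + AEAD only, no RC4/DES/NULL.

Added example (not from the nginx blog post or the 51cto author).
SAMPLE_OUTPUT is constructed to look like `openssl ciphers -v` output.
"""
import re
import shutil
import subprocess

# Constructed sample in the format `openssl ciphers -v` prints:
# <name> <protocol> Kx=<kx> Au=<au> Enc=<enc> Mac=<mac>
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
DHE-RSA-AES256-SHA             SSLv3   Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA1
AES128-SHA                     SSLv3   Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA1
RC4-MD5                        SSLv3   Kx=RSA      Au=RSA   Enc=RC4(128)               Mac=MD5
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Key exchanges that give forward secrecy: ephemeral (EC)DH. OpenSSL prints
# Kx=any for TLS 1.3 suites because every 1.3 handshake is ephemeral.
PFS_KX = {"ECDH", "DH", "any"}


def parse_ciphers(text):
    """Return one dict per suite (name, proto, kx, au, enc, mac)."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unexpected lines instead of failing
            suites.append(m.groupdict())
    return suites


def suite_problems(suite):
    """Policy check: reasons this suite should not be offered (empty = OK)."""
    problems = []
    if suite["kx"] not in PFS_KX:
        # Static RSA key exchange: a leaked private key decrypts old captures.
        problems.append("no forward secrecy (Kx=%s)" % suite["kx"])
    if suite["mac"] != "AEAD":
        # Separate MAC (e.g. SHA1 over CBC) instead of an AEAD construction.
        problems.append("non-AEAD cipher (Mac=%s)" % suite["mac"])
    if suite["enc"].startswith(("RC4", "DES", "3DES", "NULL")):
        problems.append("broken or deprecated bulk cipher %s" % suite["enc"])
    return problems


def audit(text):
    """Map suite name -> problem list for every suite that fails the policy."""
    result = {}
    for s in parse_ciphers(text):
        p = suite_problems(s)
        if p:
            result[s["name"]] = p
    return result


def audit_local_openssl(cipher_list="HIGH:!aNULL:!MD5"):
    """Audit the OpenSSL installed on this machine; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_list],
                         capture_output=True, text=True, check=False).stdout
    return audit(out)


if __name__ == "__main__":
    for name, probs in audit(SAMPLE_OUTPUT).items():
        print(name, "->", "; ".join(probs))
    live = audit_local_openssl()
    if live is not None:
        print("local openssl: %d suite(s) fail the policy" % len(live))
```

One caveat when using this against an nginx host: `ssl_ciphers` only governs TLS 1.2 and earlier; with OpenSSL 1.1.1 or later the TLS 1.3 suites are selected separately (nginx exposes that through `ssl_conf_command Ciphersuites ...`), so a TLS 1.3 suite will appear in `openssl ciphers -v` output even if it is not named in your `ssl_ciphers` string.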
Reposted from: https://blog.51cto.com/tenderrain/2288034