11:58 Cipher Suites

Section title slide reading

Now let’s go into cipher suites. What is a cipher suite? There are various cryptographic algorithms that SSL, TLS, and HTTPS use to establish connections and it’s really an alphabet soup. What do they mean?

A cipher suite has four parts: the key-exchange algorithm, the type of public key, the cipher used to encrypt data in transfer, and the anti-tampering checksum A cipher suite is a set of algorithms that together determine the variety of cryptography used for and SSL/TLS connection [presentation by Nick Sullivan of CloudFlare at nginx.conf 2015]

Essentially, the first term is the key exchange, an algorithm that the two parties use to exchange keys. In this case, it’s based on the Diffie‑Hellman algorithm.

The second term is what type of key is in your certificate. So every certificate has a public key of a certain type. In this case it’s RSA.

The third piece is your transport cipher, the encryption algorithm used to encrypt all the data. There’s a lot of different pieces that go into this, but AES‑GCM is the most secure cipher; this is actually something that Intel processors do at almost zero cost. So this is a pretty cheap and solid cipher to use.

The last one is integrity. As I mentioned, messages have a cache that goes along with them to make sure they haven’t been tampered but if it’s encrypted, and with integrity, you can go from there.

13:17 Server Cipher Suites

Slide depicts negotiation of the SSL/TLS cipher suite between client and server to provide website security through HTTPS [presentation by Nick Sullivan of CloudFlare at nginx.conf 2015]

So for example, if the client says, “These are the ones I support in this order”, the server only supports two and then it’ll just pick its favorite.

13:52 Recommended Cipher Suites

<img src=”https://cdn-1.wp.nginx.com/wp-content/uploads/2016/08/Sullivan-conf2015-slide19_cipher-recommended-1024×488.png” alt=”CloudFlare and Mozilla each publish a list of recommended cipher suites to provide website security through HTTPS [presentation by Nick Sullivan of CloudFlare at nginx.conf 2015]” width=”1024″ height=”488″ class=”alignnone size-large wp-image-44957″ https:=”” cdn-1.wp.nginx.com=”” wp-content=”” uploads=”” 2016=”” 08=”” sullivan-conf2015-slide19_cipher-recommended.png=”” 1024w,=”” sullivan-conf2015-slide19_cipher-recommended-300×143.png=”” 300w,=”” sullivan-conf2015-slide19_cipher-recommended-768×366.png=”” 768w,=”” sullivan-conf2015-slide19_cipher-recommended-150×71.png=”” 150w,=”” sullivan-conf2015-slide19_cipher-recommended-640×305.png=”” 640w,=”” sullivan-conf2015-slide19_cipher-recommended-320×153.png=”” 320w”=”” sizes=”(max-width: 1024px) 100vw, 1024px” style=”box-sizing: inherit; vertical-align: middle; border: 2px solid rgb(102, 102, 102); max-width: 100%; height: auto; padding: 2px; margin: 2px;”>

This is not a really big matter of debate, but there’s a lot of options that you have out there. CloudFlare uses this cipher suite list and you can find it here. We have an NGINX configuration format and these are the ones we recommend. These are the ones that all sites that are on CloudFlare end up using.

So, there’s a cool new cipher called ChaCha 20. It’s not supported in mainline NGINX yet but we’re pushing to do it; everything else here you can use. Mozilla also has their own recommendations on this, and you can go to their server‑side TLS site and they will generate SSL configuration for you for NGINX or whatever web server you might be using. So that’s cipher suites.

参考:

每个算法套件包括4部分:

https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/#CipherSuites

nginx配置ssl_ciphers的写法:

https://www.openssl.org/docs/manmaster/man1/ciphers.html  –> CIPHER LIST FORMAT

查看nginx机器上的openssl支持的套件

openssl ciphers -v

各种算法的测试方式参考:openssl speed

https://calomel.org/nginx.html

https://www.openssl.org/docs/manmaster/man1/speed.html