TLS 1.3
TLS 1.3 优势
TLS 1.3 相对于之前的版本,主要有两大优势:
Enhanced security: 安全性增强
Improved speed:速度提升
Enhanced security
TLS 1.3 removes the “bad crypto smell” of these legacy features, making it less likely that attacks on previous versions of the protocol will affect TLS 1.3. This streamlining also makes TLS 1.3 much simpler to configure for server operators. A secondary side effect of the update is that the protocol can be made much faster, resulting in a better web browsing experience.
Improved Speed
With TLS 1.2, two round-trips are needed to complete the handshake before the request can be sent. Accessing a site over a mobile network can add more than half a second to its load time. With TLS 1.3, the initial handshake is cut in half, requiring only one round-trip. That’s like going from a fast station wagon (0-60mph in 10 seconds) to a Tesla Model S (5 seconds)
美中不足
The impact of latency is especially noticeable for:
a) users on mobile devices
b) users that geographically far away from the server
也就是说,在某一些特定的网络环境下,比如3G网络下,可能会导致移动终端以及长距离传输的速度变慢。
部署以及注意事项
部署
NGINX:需要1.13.0及以上版本 下载地址
OpenSSL:需要特定支持TLS1.3 的版本(github 上openssl 有draft-18 以及draft-19 分支,因为浏览器只支持到18 因此下载OpenSSL 1.1.1 的 draft-18 分支) 下载地址
NGINX:
./configure --with-openssl=/home/user/openssl --with-openssl-opt='enable-tls1_3' --with-http_ssl_module
其他配置项略
部署参考链接:本博客开始支持 TLS 1.3
注意事项
- 如果服务器有多个https域名服务,务必都要配置TLSv1.3 ,否则TLSv1.3不生效。
- 如果配置了TlSv1.3,却没有配置TLSv1.3的相关ssl_ciphers,会导致握手失败。
浏览器启用TLS1.3
How to enable TLS 1.3 in your browser
* Firefox*
Enter “about:config” in the address bar
Set security.tls.version.max from 3 to 4
Restart the browser
* Chrome*
Enter “chrome://flags/” in the address bar
select “TLS 1.3”
Restart the browser