11:58 Cipher Suites
Now let’s go into cipher suites. What is a cipher suite? There are various cryptographic algorithms that SSL, TLS, and HTTPS use to establish connections and it’s really an alphabet soup. What do they mean?
Essentially, the first term is the key exchange, an algorithm that the two parties use to exchange keys. In this case, it’s based on the Diffie‑Hellman algorithm.
The second term is what type of key is in your certificate. So every certificate has a public key of a certain type. In this case it’s RSA.
The third piece is your transport cipher, the encryption algorithm used to encrypt all the data. There’s a lot of different pieces that go into this, but AES‑GCM is the most secure cipher; this is actually something that Intel processors do at almost zero cost. So this is a pretty cheap and solid cipher to use.
The last one is integrity. As I mentioned, messages have a cache that goes along with them to make sure they haven’t been tampered but if it’s encrypted, and with integrity, you can go from there.
13:17 Server Cipher Suites
So for example, if the client says, “These are the ones I support in this order”, the server only supports two and then it’ll just pick its favorite.
13:52 Recommended Cipher Suites
<img src="https://cdn-1.wp.nginx.com/wp-content/uploads/2016/08/Sullivan-conf2015-slide19_cipher-recommended-1024x488.png" alt="CloudFlare and Mozilla each publish a list of recommended cipher suites to provide website security through HTTPS [presentation by Nick Sullivan of CloudFlare at nginx.conf 2015]" width="1024" height="488" class="alignnone size-large wp-image-44957" https:="" cdn-1.wp.nginx.com="" wp-content="" uploads="" 2016="" 08="" sullivan-conf2015-slide19_cipher-recommended.png="" 1024w,="" sullivan-conf2015-slide19_cipher-recommended-300x143.png="" 300w,="" sullivan-conf2015-slide19_cipher-recommended-768x366.png="" 768w,="" sullivan-conf2015-slide19_cipher-recommended-150x71.png="" 150w,="" sullivan-conf2015-slide19_cipher-recommended-640x305.png="" 640w,="" sullivan-conf2015-slide19_cipher-recommended-320x153.png="" 320w"="" sizes="(max-width: 1024px) 100vw, 1024px" style="box-sizing: inherit; vertical-align: middle; border: 2px solid rgb(102, 102, 102); max-width: 100%; height: auto; padding: 2px; margin: 2px;">
This is not a really big matter of debate, but there’s a lot of options that you have out there. CloudFlare uses this cipher suite list and you can find it here. We have an NGINX configuration format and these are the ones we recommend. These are the ones that all sites that are on CloudFlare end up using.
So, there’s a cool new cipher called ChaCha 20. It’s not supported in mainline NGINX yet but we’re pushing to do it; everything else here you can use. Mozilla also has their own recommendations on this, and you can go to their server‑side TLS site and they will generate SSL configuration for you for NGINX or whatever web server you might be using. So that’s cipher suites.
参考:
每个算法套件包括4部分:
https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/#CipherSuites
nginx配置ssl_ciphers的写法:
https://www.openssl.org/docs/manmaster/man1/ciphers.html --> CIPHER LIST FORMAT
查看nginx机器上的openssl支持的套件
openssl ciphers -v
各种算法的测试方式参考:openssl speed
https://calomel.org/nginx.html
https://www.openssl.org/docs/manmaster/man1/speed.html
转载于:https://blog.51cto.com/tenderrain/2288034