OpenSSL加密套件释义

随着网站的更新迭代,在OpenSSL的加密套件中,有一些部分已经不再安全,例如ECDHE-ECDSA-AES128-SHA256,所以在lighttp引擎中,官方建议使用以下加密套件来进行SSL的服务端与客户端协商。

OpenSSL

安全套件

lighttp 引擎

TLS_AES_256_GCM_SHA384	TLSv1.3 Kx=any	Au=any	Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any	Au=any	Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256	TLSv1.3 Kx=any	Au=any	Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH	Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH	Au=RSA	Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH	Au=ECDSA Enc=CHACHA20/POLY1305 (256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH	Au=RSA	Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH	Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH	Au=RSA	Enc=AESGCM(128) Mac=AEAD
#即将弃用
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH	Au=ECDSA Enc=AES(128)	Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH	Au=RSA	Enc=AES(128)	Mac=SHA256

#下列组件还未启用

lighttp 引擎

DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH	Au=RSA	Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH	Au=RSA	Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH	Au=RSA	Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH	Au=ECDSA Enc=AES(256)	Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH	Au=RSA	Enc=AES(256)	Mac=SHA384
DHE-RSA-AES256-SHA256	TLSv1.2 Kx=DH	Au=RSA	Enc=AES(256)	Mac=SHA256
DHE-RSA-AES128-SHA256	TLSv1.2 Kx=DH	Au=RSA	Enc=AES(128)	Mac=SHA256
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK	Au=RSA	Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK	Au=PSK	Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK	Au=RSA	Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK	Au=PSK	Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK	Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384	TLSv1.2 Kx=RSA	Au=RSA	Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384	TLSv1.2 Kx=PSK	Au=PSK	Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305	TLSv1.2 Kx=PSK	Au=PSK	Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK	Au=RSA	Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK	Au=PSK	Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256	TLSv1.2 Kx=RSA	Au=RSA	Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256	TLSv1.2 Kx=PSK	Au=PSK	Enc=AESGCM(128) Mac=AEAD
AES256-SHA256	TLSv1.2 Kx=RSA	Au=RSA	Enc=AES(256)	Mac=SHA256
AES128-SHA256	TLSv1.2 Kx=RSA	Au=RSA	Enc=AES(128)	Mac=SHA256

更多加密套件名称,或已知不安全的组件,可以参考ssllabs检测结果列表和OpenSSL官方说明。

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

作者: 丁程

News

2022

2021

Update: 2022-4-9 11:15