nginx下ssl_ciphers配置对tls1.3无效,当开启ssl_prefer_server_ciphers选项时以openssl默认的顺序选择ciphers。
查看openssl支持的ciphers:
openssl ciphers -s -tls1_3
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
修改openssl tls1.3 ciphers顺序
centos8下修改配置文件/etc/crypto-policies/back-ends/opensslcnf.config
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
其它版本,修改/etc/pki/tls/openssl.cnf配置文件:
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
然后重启nginx即可。
https://trac.nginx.org/nginx/ticket/1529
https://trac.nginx.org/nginx/ticket/1445
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
https://github.com/ssllabs/ssllabs-scan/issues/636
标签:none