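Effect of this configuration:
- Only TLSv1.2 and TLSv1.3 are supported
- Only efficient, secure cipher suites are kept
- Suites are ordered from highest to lowest encryption efficiency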

| Protocol support | Cipher suites |
|---|---|
| TLS 1.3 only | TLS_AES_128_GCM_SHA256 |
| | TLS_AES_256_GCM_SHA384 |
| | TLS_CHACHA20_POLY1305_SHA256 |
| TLS 1.2 only | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |

Nginx configuration file:

```nginx
# Block context assumed to be server {}; these directives are also valid in http {}.
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp256r1:secp384r1;

    # TLS 1.3 suites (ordered by efficiency: AES-128 > AES-256 > ChaCha20)
    # ssl_conf_command requires nginx 1.19.4 or later.
    ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # TLS 1.2 suites (efficiency from high to low)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
```
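
The table above uses IANA suite names while `ssl_ciphers` uses OpenSSL names, so the two are easy to let drift apart. The following audit is an added example, not part of the original page: it parses the three TLS directives, flags anything outside TLSv1.2/TLSv1.3 or outside ECDHE + AEAD, and returns the IANA names for comparison with the table. The function names (`directive`, `to_iana`, `audit`) are hypothetical and `WEAK_CONF` is a constructed counter-example.

```python
import re

# Directives copied from the Nginx configuration on this page (embedded to run offline).
PAGE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
"""
# Constructed counter-example: a legacy protocol and two CBC/SHA-1 suites added.
WEAK_CONF = """
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-AES128-SHA;
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
# OpenSSL spelling of the AEAD part -> IANA spelling.
AEAD = {"AES128-GCM-SHA256": "AES_128_GCM_SHA256",
        "AES256-GCM-SHA384": "AES_256_GCM_SHA384",
        "CHACHA20-POLY1305": "CHACHA20_POLY1305_SHA256"}

def directive(conf, pattern):
    """Argument tokens of the first directive matching `pattern`, else []."""
    m = re.search(rf"^\s*{pattern}\s+([^;]+);", conf, re.MULTILINE)
    return m.group(1).split() if m else []

def to_iana(name):
    """IANA name of an OpenSSL TLS 1.2 suite, or None if not ECDHE + AEAD."""
    m = re.fullmatch(r"ECDHE-(ECDSA|RSA)-(.+)", name)
    if not m or m.group(2) not in AEAD:
        return None
    return f"TLS_ECDHE_{m.group(1)}_WITH_{AEAD[m.group(2)]}"

def audit(conf):
    """Return (findings, iana_names_of_tls12_suites) for an nginx config string."""
    findings, iana = [], []
    for proto in directive(conf, "ssl_protocols"):
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"protocol {proto} not allowed")
    for tok in directive(conf, r"ssl_conf_command\s+Ciphersuites"):
        findings += [f"TLS 1.3 suite {s} not allowed"
                     for s in tok.split(":") if s not in TLS13_SUITES]
    for tok in directive(conf, "ssl_ciphers"):
        for name in tok.split(":"):
            mapped = to_iana(name)
            if mapped:
                iana.append(mapped)
            else:
                findings.append(f"TLS 1.2 suite {name} is not ECDHE + AEAD")
    return findings, iana
```

`audit(PAGE_CONF)` returns no findings and the same six TLS 1.2 suites the table lists, in the order the server will prefer them; `audit(WEAK_CONF)` reports the legacy protocol and both non-AEAD suites.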
