Äú¿ÉÒÔ¾èÖú£¬Ö§³ÖÎÒÃǵĹ«ÒæÊÂÒµ¡£

1Ôª 10Ôª 50Ôª





ÈÏÖ¤Â룺  ÑéÖ¤Âë,¿´²»Çå³þ?Çëµã»÷Ë¢ÐÂÑéÖ¤Âë ±ØÌî



  ÇóÖª ÎÄÕ ÎÄ¿â Lib ÊÓÆµ iPerson ¿Î³Ì ÈÏÖ¤ ×Éѯ ¹¤¾ß ½²×ù Model Center   Code  
»áÔ±   
   
 
     
   
 ¶©ÔÄ
  ¾èÖú
HTTPS ÐÔÄÜÓÅ»¯Ñ§Ï°±Ê¼Ç
 
  2876  次浏览      28
 2018-12-14
 
±à¼­ÍƼö:
±¾ÎÄÀ´×ÔÓÚcodeceo£¬±¾ÎÄÏêϸ½éÉÜÁËTLSÖпɱ»ÅäÖõÄËã·¨£¬»á»°»Ö¸´ÒÔ¼°OCSP£¨ÔÚÏßÖ¤Êé״̬ЭÒ飩 µÈÏà¹ØÖªÊ¶¡£

×î½üÔÚѧϰhttpsÐÔÄÜÓÅ»¯£¬ËäÈ»ÍøÉÏÒѾ­ÓÐÐí¶àµÄ¹ØÓÚhttpsÐÔÄÜÓÅ»¯µÄÎÄÕÂÁË£¬µ«»¹ÊÇÏëдÏÂÕâÆªÎÄÕ£¬×÷Ϊѧϰ×ܽá=^_^=£¬ÎÄÖжÔÓÚһЩ¸ÅÄîÐÔ»òʵÏÖϸ½ÚÉϵĶ«Î÷²¢²»»áÕ¹¿ª£¬µ«»á¸ø³öÏàÓ¦µÄÒýÓã¬ÓÐЩͼƬҲÀ´×ÔÍøÉÏ×ÊÔ´¡£

Õ½ڹ滮£º

ÈÏʶSSL/TLS

Ë㷨ѡÔñ

»á»°»Ö¸´

OCSP stapling

TLS »º³åÇøÓÅ»¯

TLS false start

ÆäËûÓÅ»¯

ÈÏʶSSL/TLS

SSLºÍTLS¶¼ÊÇÓÃÓÚ±£Õ϶˵½¶ËÖ®¼äÁ¬½ÓµÄ°²È«ÐÔ¡£SSL×î³õÊÇÓÉNetscape¿ª·¢µÄ£¬ºóÀ´ÎªÁËʹµÃ¸Ã°²È«Ð­Òé¸ü¼Ó¿ª·ÅºÍ×ÔÓÉ£¬¸üÃûΪTLS£¬²¢±»±ê×¼»¯µ½RFCÖУ¬ÏÖÔÚÖ÷Á÷µÄÊÇTLS 1.2°æ±¾¡£

´ÓÉÏͼ£¬¿ÉÒÔ¿´³öSSL/TLSÊǽéÓÚÓ¦ÓòãºÍ´«Êä²ãÖ®¼ä£¬²¢ÇÒ·ÖΪÎÕÊֲ㣨Handshake Layer£©ºÍ¼Ç¼²ã£¨Record Layer£©¡£

ÎÕÊֲ㣺¶ËÓë¶ËÖ®¼äЭÉÌÃÜÂëÌ×¼þ¡¢Á¬½Ó״̬¡£

¼Ç¼²ã£º¶ÔÊý¾ÝµÄ·â×°£¬Êý¾Ý½»¸ø´«Êä²ã֮ǰ£¬»á¾­¹ý·ÖƬ-ѹËõ-ÈÏÖ¤-¼ÓÃÜ¡£

´ÓTLS 1.2 RFC¿ÉÒÔÁ˽â¸ü¶à£ºhttps://www.ietf.org/rfc/rfc5246.txt

Ë㷨ѡÔñ

TLSÖпɱ»ÅäÖõÄËã·¨·ÖÀࣺ

Êý×ÖÇ©Ãû£ºRSA¡¢DSA

Á÷¼ÓÃÜ£ºRC4

·Ö×é¼ÓÃÜ£ºDES¡¢AES

ÈÏÖ¤¼ÓÃÜ£ºGCM

¹«Ô¿¼ÓÃÜ£ºRSA

ÏûÏ¢ÈÏÖ¤Â룺SHA

ÃÜÔ¿½»»»£ºDiffie¨CHellman

ÃÜÂëÌ×¼þ¾ö¶¨ÁË»áʹÓõ½µÄËã·¨£¬ÀýÈçÖ´ÐÐopenssl ciphers -v 'ALL' | grep ECDHE-RSA-AES128-GCM-SHA256£º

ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

±íÃ÷¸ÃËã·¨ÊÇÔÚTLS 1.2ÖÐÖ§³ÖµÄ£¬ÃÜÔ¿½»»»²ÉÓÃECDH£¨ECÊÇÖ¸²ÉÓÃÍÖÔ²ÇúÏßµÄDH£©,Êý×ÖÇ©Ãû²ÉÓÃRSA£¬¼ÓÃܲÉÓÃ128λÃÜÔ¿³¤¶ÈµÄAESGCM£¬ÏûÏ¢ÈÏÖ¤Âë²ÉÓÃAEAD£¨AEADÊÇÒ»ÖÖеļÓÃÜÐÎʽ£¬°Ñ¼ÓÃܺÍÏûÏ¢ÈÏÖ¤Âë½áºÏµ½Ò»Æð£¬¶ø²»ÊÇij¸öËã·¨£¬ÀýÈçʹÓÃAES²¢²ÉÓÃGCMģʽ¼ÓÃÜ£¬¾ÍÄܹ»ÎªÊý¾ÝÌṩ±£ÃÜÐÔ¡¢ÍêÕûÐԵı£ÕÏ£©¡£

ÈçºÎÀí½âÍêÕûÐÔ£¿

A ½«Ã÷ÎÄM¼ÓÃܺóΪMC£¬·¢¸øB£¬B½âÃÜ£¬µÃµ½Ã÷ÎÄ¡£ Èç¹û´ËʱÓÐÖмäÈËC£¬½«MCÌæ»»ÎªCMC£¨ËäÈ»C²»ÖªµÀAÔõô¼ÓÃܵ쬵«Õâû¹ØÏµ£©£¬B½«CMC½âÃÜ£¬µÃµ½Ã÷ÎÄ£¨ÄÇôBÄõ½µÄÆäʵÊÇ´íÎóµÄÃ÷ÎÄ£©¡£ ËùÒÔÐèÒªÒýÈëÏûÏ¢ÈÏÖ¤Â룬B²ÅÄܹ»ÅжÏÊÕµ½µÄÃÜÎÄÊÇ·ñ±»´Û¸Ä¹ý¡£ ÕâÀïÄã¿ÉÄÜ»áÎÊ£ºÄÇÈç¹ûCͬʱαÔìÏûÏ¢ÈÏÖ¤ÂëÄØ£¿ Õâ¸ö¾ÍµÃ¿´MACºÍ¼ÓÃÜÊÇÈçºÎÅäºÏµÄÁË£¬ÏêÇé¿ÉÒԲ鿴ÈÏÖ¤¼ÓÃÜÖеÄApproaches to Authenticated EncryptionÕ½ڡ£

ÔÚTLSÎÕÊÖºÍÊý¾Ý´«ÊäµÄ²»Í¬½×¶Î»á²ÉÓÃÏàÓ¦µÄËã·¨£º

·þÎñ¶ËÉí·ÝÑéÖ¤£ºÊý×ÖÇ©Ãû£¨RSA¡¢ECDSA£©

ÃÜÔ¿½»»»£ºRSA/ÃÜÔ¿½»»»Ëã·¨£¨ECDH£©

¼ÓÃÜ/½âÃÜ£ºÁ÷¼ÓÃÜ£¨RC4£©ºÍ·Ö×é¼ÓÃÜ£¨3DES/AES/AESGCM£©

Éú³ÉÏûÏ¢ÈÏÖ¤Â룺SHA/AEAD

²»ÖªÊÇ·ñÓÐÈË·¢ÏÖ²¢Ã»ÓÐÌᵽѹËõËã·¨£¬Èç¹ûgoogleÏÂTLSѹËõÓÅ»¯Ïà¹ØµÄÄÚÈÝ£¬»á·¢ÏÖûÓУ¬ÒòΪĿǰÔÚTLS 1.2 RFCÖУ¬¹ØÓÚѹËõ·½·¨µÄ½á¹¹¶¨ÒåΪenum { null(0), (255) } CompressionMethod;£¬¼´Ö»ÓÐnull·½·¨£¨²»½øÐÐѹËõ£©¡£Ä¿Ç°´æÔÚ¶ÔTLSѹËõµÄ¹¥»÷£ºhttp://www.freebuf.com/articles/web/5636.html£¬¿ÉÄÜÊÇ»ùÓÚ´ËÔ­Òò£¬TLSѹËõĿǰֻÊǸö¸ÅÄîÐԵĶ«Î÷£¬Ã»Óб»ÕæÕýÓ¦ÓÃÆðÀ´¡£

ÈçºÎÑ¡ÔñËã·¨¡ª¡ª°²È«ÐÔ

ͨ³£¼ÓÃÜËã·¨µÄ°²È«ÐÔÒÀÀµÓÚÃÜÔ¿µÄ³¤¶È£¬ÇÒ²»Í¬¼ÓÃÜËã·¨£¬¼´Ê¹ÃÜÔ¿³¤¶ÈÏàͬ£¬µ«ÌṩµÄ°²È«ÐÔÒ²¿ÉÄÜÊDz»Í¬µÄ£¬Ïà¹Ø×ÊÁÏ£ºkey size¡£ËùÒÔ²¢Ã»ÓÐÒ»¸ö±ê×¼µÄ¹éÒ»»¯·½·¨È¥ºâÁ¿ËùÓеļÓÃÜËã·¨£¬µ«ÊÇÓÐÀ´×ÔÊÀ½çÉϸ÷¸ö×éÖ¯/»ú¹¹¶Ô²»Í¬ÀàÐÍËã·¨°²È«ÐÔµÄÆÀ¹À£¬¿ÉÒÔ¿´ÏÂÕâ¸öÍøÕ¾£ºhttps://www.keylength.com/

Ö´ÐÐopenssl ciphers -v 'ALL' | wc -l»á·¢ÏÖÓÐ100+¸öÃÜÂëÌ×¼þ£¨²»Í¬openssl°æ±¾ÌṩµÄÃÜÂëÌ×¼þÓеã²îÒ죩£¬È»¶ø£¬Êµ¼ÊÖ»»áʹÓõ½ÆäÖÐÒ»²¿·Ö£¬ÒòΪopensslÌṩµÄ²»ÉÙËã·¨ÊDz»°²È«µÄ£¬ÐèÒªÅųýµô¡£

Ö´ÐÐopenssl ciphers -v 'HIGH MEDIUM !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !CAMELLIA !IDEA !SEED !RC4' | wc -l£¬·¢ÏÖֻʣÏÂ50+¸öÃÜÂëÌ×¼þ¡£

ɸѡºóʣϵÄÃÜÂëÌ×¼þ»¹ÊÇͦ¶àµÄ£¬Ò»¸ö¸ö×öÐÔÄܲâÊԵϰ£¬»áGGµÄ= =¡£Æäʵ¿ÉÒÔ¸ù¾ÝÐèÒªÖ§³ÖµÄ¿Í»§¶Ë£¬ÔÙɸѡ³öÖ÷Á÷µÄÃÜÂëÌ×¼þ¡£ÍøÖ·£ºhttps://www.ssllabs.com/ssltest/clients.html£¬ÌṩÁ˾ø´ó²¿·Ö¿Í»§¶Ë¶ÔTLSµÄÖ§³ÖÇé¿ö£¬µã»÷ÏàÓ¦µÄUser agent¿ÉÒԲ鿴µ½ÆäÖ§³ÖµÄÃÜÂëÌ×¼þ£¬²¢ÇÒ¸÷Ì×¼þµÄ°²È«ÐÔÒ²±»±ê×¢³öÀ´ÁË¡£

ÍøÖ·£ºhttps://www.ssllabs.com/ssltest/£¬¿ÉÒÔÓÃÓÚ²âÊÔ·þÎñÆ÷µÄSSLÅäÖÃÇé¿ö£¬²¢»á¸ø³öµÃ·Ö£¬ÈçÏÂͼgoogleµÄµÃ·ÖΪA£º

ÈçºÎÑ¡ÔñËã·¨¡ª¡ªÐÔÄÜ

ÒÔÏÂÐÔÄܲâÊÔ¶¼ÊÇѡȡÖ÷Á÷µÄËã·¨½øÐС£

Êý×ÖÇ©Ãû£ºECDSA vs RSA

ÐèÒªÏÈ·Ö±ðÉú³É²ÉÓÃECDSAºÍRSAµÄÇ©ÃûÖ¤Êé¡£

Éú³ÉECDSA×ÔÇ©ÃûµÄÖ¤Ê飺

openssl ecparam -name prime256v1 -genkey -out ec_key.pem
openssl req -new -x509 -key ec_key.pem -out cert.pem -days 365

-param_enc²ÎÊýʹÓÃĬÈϵÄnamed_curve¾Í¿ÉÒÔÁË£¬Èç¹ûʹÓÃexplicit£¬»á·¢ÏÖÉú³ÉµÄÖ¤ÊénginxÄÜÅäÖóɹ¦£¬µ«¿Í»§¶ËÁ¬½Óʱ»á³öÏÖhandshake error¡£

Éú³ÉRSAÇ©ÃûµÄÖ¤Ê飺

openssl req -newkey rsa:2048 -nodes -keyout rsa_key.pem -x509 -days 365 -out cert.pem

Ö´ÐÐopenssl speed rsa2048 ecdsap256²âÊÔÏ£º

sign verify sign/s verify/s
rsa 2048 bits 0.000834s 0.000024s 1198.9 41031.9
sign verify sign/s verify/s
256 bit ecdsa (nistp256) 0.0000s 0.0001s 21302.5 9728.5

¿ÉÒÔ¿´µ½Ç©ÃûÐÔÄÜECDSA > RSA£¬¶øÑéÖ¤ÐÔÄÜRSA > ECDSA¡£

²âÊÔ»·¾³£º

·þÎñ¶Ë£º1̨ÐéÄâ»úCentOS 4ºË openresty 2¸öworker

¿Í»§¶Ë£º4̨ÐéÄâ»úCentOS 4/2/2/2ºË£¨ÊÖÍ·Ö»ÓÐÕâЩÐéÄâ»ú= =£©£¬ ÓÃshell½Å±¾Ä£Äâ²¢·¢µÄab -c 800 -n 800£¨²¢·¢µÄabʵÀýÊý=2*CPU_NUM£©£¬Ê¹ÓÃtimeÃüÁî»ñÈ¡ÏûºÄµÄʱ¼ä

²âÊÔÒ³Ãæ562×Ö½Ú£¬Ä¿±êÊDzâÊÔÊý×ÖÇ©ÃûµÄÐÔÄÜ£¬ËùÒÔÒ³ÃæÐ¡µã£¬±ÜÃâ¼ÓÃÜ/½âÃÜ¡¢Êý¾Ý´«ÊäÕ¼ÓÃÌ«¶àʱ¼ä

¶ą̀¿Í»§¶ËÈçºÎͬʱÆô¶¯£¿ctrl+tab£¬ÃüÁî+»Ø³µ¡­¡­

Ϊʲô²»ÓÃjmeter£¿ÎÒÓÃÁË1Master3SlaveµÄjmeter·Ö²¼Ê½Ñ¹²â·¢ÏÖ£¬jmeter¶ÔÓÚÔڸó¡¾°£¨CPU bound£©ÏµÄÐÔÄܲâÊÔ²»ÐУ¬·þÎñ¶ËѹÁ¦Éϲ»È¥

ÔÚÏàͬµÄÇëÇóÁ¿Ï£¬RSAÇ©Ãû»áʹ·þÎñ¶ËCPUÕ¼Óøü¸ß£¬ËùÒÔÕâ´Î²âÊÔÐèÒªÔÚÁ½ÖÖÇ©ÃûµÄѹ²âÏ£¬·þÎñ¶ËCPU¶¼±£³ÖÔÚ90%ÒÔÉÏ£¨²»È»µÄ»°£¬¶ÔECDSA¾Í²»¹«Æ½ÁË£©¡£

ΪºÎopenrestyÊÇ2¸öworker£¿ÒòΪ¿ª4¸öµÄ»°£¬ECDSAµÄѹ²âû·¨Ê¹openresty4¸öworkerµÄCPUÏûºÄ´ïµ½90%

ECDHE-ECDSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È90%£¬½á¹û£º

ECDHE-RSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öECDSAµÄÐÔÄÜÒª±ÈRSAºÃµã£¬ÕâÀïECDSAµÄ²âÊÔÉÐδѹեÍê·þÎñ¶ËÄØ¡£´Óopenssl speedµÄ½á¹ûÒ²¿ÉÒÔ¿´³öECDSAµÄÇ©ÃûÐÔÄÜÊÇÒªÔ¶³¬¹ýRSAµÄ£¬¶øÇÒÇ©ÃûÊÇÔÚ·þÎñ¶Ë×öµÄ£¬ËùÒÔÃæ¶Ôº£Á¿µÄ¿Í»§¶Ë£¬·þÎñ¶ËÓ¦¸ÃÑ¡ÔñʹÓÃECDSA¡£

ÃÜÔ¿½»»»£ºRSA vs ECDHE

²âÊÔ»·¾³Í¬ÉÏ£¬µ«Ö»Ê¹ÓÃÁË4/2ºËÁ½Ì¨¿Í»§¶Ë»úÆ÷·¢ÇëÇó¡£Ö¤ÊéʹÓõÄÊÇÉú³ÉµÄRSAÖ¤Ê飬ECDSAÖ¤ÊéÄÜÓõ½µÄÃÜÔ¿½»»»Ëã·¨Ö»ÄÜÊÇECDHE¡£

AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

ECDHE-RSA-AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öECDHEÓëRSAµÄÐÔÄܲ¶à¡£ECDHE±ÈRSAÒª¶àÁËÒ»´Î¶Ëµ½¶ËµÄ´«Ê䣬»¹»áÓõ½RSA¶ÔDH²ÎÊý½øÐÐÇ©ÃûºÍÑéÖ¤£»¶øRSAÃÜÔ¿½»»»Ôò»áʹÓõ½RSAµÄ¼ÓÃÜ/½âÃÜ£¬¾ßÌå¿É¿´ÈçÏÂCloudFlareµÄÁ½ÕÅͼ

ECDHEÖ§³ÖǰÏò±£ÃÜ£¨Forward Secrecy£©£¬¼òµ¥Àí½â£ºÖмäÈË¿ÉÒÔ±£´æÏÂÀ´¿Í»§¶ËºÍ·þÎñ¶ËÖ®¼äµÄËùÓÐͨÐÅÊý¾Ý£¬Èç¹ûʹÓÃRSAÎÕÊÖ£¬ÄÇôδÀ´Ä³Ò»Ì죬ÖмäÈËÈç¹û»ñÈ¡µ½ÁË·þÎñ¶ËµÄ˽Կ£¬¾Í¿ÉÒÔ½âÃÜËùÓÐ֮ǰ²É¼¯µÄͨÐÅÊý¾ÝÁË£»Èç¹û²ÉÓÃECDHEÎÕÊֵϰ£¬¾Í¿ÉÒÔ±ÜÃâÕâ¸öÎÊÌâ¡£¶øÇÒʹÓÃECDHEÎÕÊֵϰ£¬»¹ÓпÉÄÜ¿ªÆôTLS false startµÄÌØÐÔ£¨ÏÂÎÄÖлáÌáµ½£©¡£

RSAÎÕÊÖ£º

ECDHEÎÕÊÖ£º

ËùÒÔÃÜÔ¿½»»»Ëã·¨ECDHE»á¸üºÃЩ¡£

¶Ô³Æ¼ÓÃÜ£ºAES256-GCM vs AES256 vs AES128-GCM vs 3DES

²âÊÔ»·¾³Í¬ÉÏ£¬µ«Ö»Ê¹ÓÃÁË4ºËһ̨¿Í»§¶Ë»úÆ÷·¢ÇëÇó£¬ab²ÎÊýΪab -n 2000 -c 10£¬abʵÀý4¸ö£¬²âÊÔÒ³Ãæ153K¡£ÒòΪÊÇҪѹ²â¶ÔÓ¦ÓòãÊý¾ÝµÄ¼ÓÃܽâÃÜÐÔÄÜ£¬ËùÒÔÁ¬½ÓÊýÉÙ£¬µ«Ã¿¸öÁ¬½ÓµÄÇëÇóÊý¶à¡£

ECDHE-RSA-AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È94%£¬½á¹û£º

ECDHE-RSA-AES256-SHA384£¬·þÎñ¶ËCPUÕ¼±È98%£¬½á¹û£º

ECDHE-RSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È92%£¬½á¹û£º

DES-CBC3-SHA£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£¨Ì«ÂýÁË£¬¾Í²âÁËÁ½¸ö=¡£=£©£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öAES128GCM > AES256GCM > AES256 > 3DES¡£

ÏûÏ¢ÈÏÖ¤Â룺SHA256 vs SHA1 vs AEAD

²âÊÔ»·¾³Í¬ÉÏ¡£

AES256-SHA256£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

AES256-SHA£¬·þÎñ¶ËCPUÕ¼±È98%£¬½á¹û£º

AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È95%£¬½á¹û£º

´Ó½á¹ûÖпÉÒÔ¿´³öAES256-GCM-SHA384 > AES256-SHA > AES256-SHA256¡£

»á»°»Ö¸´

Session Cache

¿Í»§¶ËÏ£Íû»Ö¸´ÏÈǰµÄsession£¬»òÕ߸´ÖÆÒ»¸ö´æÔÚµÄsession£¬¿ÉÒÔÔÚClientHelloÖдøÉÏSession ID£¬Èç¹û·þÎñ¶ËÄܹ»ÔÚËüµÄSession CacheÖÐÕÒµ½ÏàÓ¦µÄSession IDµÄsession-state£¨´æ´¢Ð­É̺õÄÃÜÂëÌ×¼þµÈÐÅÏ¢£©£¬²¢ÇÒÔ¸ÒâʹÓøÃSession IDÖØ½¨Á¬½Ó£¬ÄÇô·þÎñ¶Ë»á·¢ËÍÒ»¸ö´øÓÐÏàͬSession IDµÄServerHello¡£

ĿǰNginx Ö»Ö§³Öµ¥»úSession Cache£¬Openresty Ö§³Ö·Ö²¼Ê½Session Cache£¬µ«´¦ÓÚʵÑé½×¶Î¡£

Session Ticket

Session CacheÐèÒª·þÎñ¶Ë»º´æSessionÏà¹ØµÄÐÅÏ¢£¬¶Ô·þÎñ¶Ë´æÔÚ´æÈ¡Ñ¹Á¦£¬¶øÇÒ»¹Óзֲ¼Ê½Session CacheÎÊÌâ¡£ ¶ÔÓÚÖ§³ÖSession TicketµÄ¿Í»§¶Ë£¬·þÎñ¶Ë¿ÉÒÔͨ¹ýijÖÖ»úÖÆ½«session-state¼ÓÃܺó×÷Ϊticket·¢¸ø¿Í»§¶Ë¡£¿Í»§¶Ëƾ½è¸Ãticket¾Í¿ÉÒÔ»Ö¸´ÏÈǰµÄ»á»°ÁË¡£

ÀàËÆÓÚHTTPÖÐÓÃJson Web TOken×÷Ϊcookie-sessionµÄÁíÒ»ÖÖÑ¡Ôñ¡£

OCSP£¨ÔÚÏßÖ¤Êé״̬ЭÒ飩 stapling

µ±¿Í»§¶ËÔÚÎÕÊÖ»·½Ú½ÓÊܵ½·þÎñ¶ËµÄÖ¤Êéʱ£¬³ýÁ˶ÔÖ¤Êé½øÐÐÇ©ÃûÑéÖ¤£¬»¹ÐèÒªÖªµÀÖ¤ÊéÊÇ·ñ±»µõÏúÁË£¬ÄÇôÐèÒªÏòÖ¤ÊéÖÐÖ¸¶¨µÄOCSP url·¢ËÍOCSP²éѯÇëÇó¡£

¶ÔÓÚͬһ·Ý·þÎñ¶ËÖ¤Ê飬Èç¹ûÿ¸ö¿Í»§¶Ë¶¼×Ô¼ºÈ¥²éѯһ´ÎÖ¤Êé״̬¾ÍÀË·ÑÁË¡£ËùÒÔ£¬OCSP stapling¾ÍÊÇΪÁ˽â¾öÕâÒ»ÎÊÌ⣬ÓÉ·þÎñ¶Ë²éѯµ½Ö¤Êé״̬£¨Í¨³£»á»º´æÒ»¶Îʱ¼ä£©£¬²¢·µ»Ø¸ø¿Í»§¶Ë£¨¿Í»§¶Ë»áÔÚ±¾µØÐ£ÑéÕâ¸öÖ¤Êé״̬ÊÇ·ñÕæÊµ£©¡£

ÔÚnginxµÄÅäÖÃÖУ¬¿ÉÒÔÑ¡ÔñÐÔµÄÅäÖÃÊÇ·ñ¶ÔOCSP response×öУÑ飬·ÀÖ¹½«·Ç·¨µÄÖ¤Êé״̬·¢Ë͸ø¿Í»§¶Ë¡£Èç¹ûÉèÖÃÁËУÑ飬ssl_trusted_certificate²ÎÊýÐèҪΪ°üº¬ËùÓÐÖмäÖ¤Êé+¸ùÖ¤ÊéµÄÎļþ¡£

ÈçÏÂͼÊǶÔnginxÇëÇóOCSP ServerµÄ×¥°ü£¬¿ÉÒÔ¿´µ½·¢Á˸öhttpµÄocspÇëÇó£º

ÏÂͼÊǶÔnginxÔÚ·¢ËÍÖ¤Ê鏸¿Í»§¶Ëʱ£¬´øÉϵÄÖ¤Êé״̬µÄ×¥°ü£º

TLS»º³åÇøµ÷ÓÅ

nginxĬÈϵÄssl_buffer_sizeÊÇ16K£¨TLS Record Layer×î´óµÄ·ÖƬ£©£¬¼´Ò»¸öTLS RecordµÄ´óС£¬Èç¹ûHTTPµÄÊý¾ÝÊÇ160K£¬ÄÇô¾Í»á±»²ð·ÖΪ10¸öTLS Record£¨Ã¿¸öTLS Record»á±»TCP²ã²ð·ÖΪ¶à¸öTCP°ü´«Ê䣩·¢Ë͸ø¿Í»§¶Ë¡£

Èç¹ûTLS Record Size¹ý´óµÄ»°£¬²ð·ÖµÄTCP°üÒ²»á½Ï¶à£¬´«Êäʱ£¬Èç¹û³öÏÖTCP¶ª°ü£¬Õû¸öTLS Recordµ½´ï¿Í»§¶ËµÄʱ¼ä¾Í»á¼Ó³¤£¬¿Í»§¶Ë±ØÐëµÈ´ýÍêÕûµÄTLS RecordÊÕµ½²ÅÄܽøÐнâÃÜ¡£

Èç¹ûTLS Record SizeСһЩµÄ»°£¬TCP¶ª°üÓ°ÏìµÄTLS RecordÕ¼±È¾Í»áСºÜ¶à£¬µ½´ï¿Í»§¶ËµÄTLS Record¾Í»á¶àЩ£¬¿Í»§¶Ë¸ÉµÈ×ŵÄʱ¼ä¾ÍÏà¶ÔÉÙÁË¡£µ«ÊÇ£¬TLS Record HeadµÄ¸ºÔؾÍÔö¼ÓÁË£¬¿ÉÄÜ»¹»á½µµÍÁ¬½ÓµÄÍÌÍÂÁ¿¡£

¼ÙÉèssl_buffer_sizeÉèÖÃΪ1460byte£º

ͨ³££¬ÔÚTCPÂýÆô¶¯µÄ¹ý³ÌÖУ¬TLS Record SizeСµãºÃ£¬ÒòΪÕâ¸öʱºòTCPÁ¬½ÓµÄÓµÈû´°¿Úcwnd½ÏС£¬TCPÁ¬½ÓÍÌÍÂÁ¿Ò²Ð¡¡£¶øÔÚTCPÁ¬½Ó½áÊøÂýÆô¶¯Ö®ºó£¬TLS Record Size¾Í¿ÉÒÔÔö´óһЩÁË£¬ÒòΪÕâ¸öʱºòÍÌÍÂÁ¿ÉÏÀ´ÁË¡£ËùÒÔ¸üÏ£ÍûÄܹ»¶¯Ì¬µÄµ÷ÕûnginxÖÐssl_buffer_sizeµÄ´óС£¬Ä¿Ç°¹Ù·½nginx»¹²»Ö§³Ö£¬²»¹ýcloudflareΪnginx´òÁ˸öpatch£¬ÒÔÖ§³Ö¶¯Ì¬µÄµ÷ÕûTLS Record Size£ºOptimizing TLS over TCP to reduce latency

TLS False Start

ijһ¶ËÔÚ·¢ËÍ Change Cipher Spec¡¢Finished Ö®ºó£¬¿ÉÒÔÁ¢¼´·¢ËÍÓ¦ÓÃÊý¾Ý£¬ÎÞÐèµÈ´ýÁíÒ»¶ËµÄ Change Cipher Spec¡¢Finished ¡£ÕâÑù£¬Ó¦ÓÃÊý¾ÝµÄ·¢ËÍʵ¼ÊÉϲ¢Î´µÈµ½ÎÕÊÖÈ«²¿Íê³É£¬´Ó¶ø½ÚÊ¡³öÒ»¸öRTTʱ¼ä¡£

ÍêÕûÎÕÊÖʱ£¬Client Side False Start£º

¼ò¶ÌÎÕÊÖʱ£¬Server Side False Start£º

¿ÉÒÔ¿´ÏÂÕâÆªÎÄÕ£ºTLS False Start¾¿¾¹ÊÇÈçºÎ¼ÓËÙÍøÕ¾µÄ ºÍ Transport Layer Security (TLS) False Start

RFC7918Öв¢Ã»ÓжÔServer Side False Start½øÐж¨Ò壨Æä֮ǰµÄ²Ý°¸ÖоÍÓÐÌáµ½£¬draft-bmoeller-tls-falsestart-00/01£©£¬ÎÄÖеÄ˵Ã÷£ºHowever, if the server sends application data first, the abbreviated handshake adds two round-trip times, and this could be reduced to just one added round-trip time by doing a server-side False Start. There is little need for this in practice, so this document does not consider server-side False Starts further.

¿ÉÄÜÊÇÔÚ֮ǰµÄHTTP 1³¡¾°Ï£¬¶ÔServer Side False StartµÄÐèÇó²¢²»Ç¿ÁÒ£¬»òÕß˵ʵ¼ù²»¶à£¨µ±È»ÆäËûÓ¦ÓòãЭÒé¿ÉÄÜ»áÓУ¬ÀýÈçwebsocket£©¡£

Client Side False StartÐèÒªµÄÌõ¼þ£º

¿Í»§¶ËºÍ·þÎñ¶Ë¶¼ÐèÒªÖ§³ÖNPN/ALPN£¨ä¯ÀÀÆ÷ÒªÇó£©

ÐèÒª²ÉÓÃÖ§³ÖǰÏò±£ÃܵÄÃÜÂëÌ×¼þ£¬¼´Ê¹ÓÃECDHE½øÐÐÃÜÔ¿½»»»£¨RFC7918ÖÐÓй涨£©

ÆäËûÓÅ»¯

TCPÓÅ»¯£¬±Ï¾¹SSLÊý¾ÝÒ²ÊÇ»ùÓÚTCP½øÐд«ÊäµÄ

Ö¤ÊéÓÅ»¯£¬²ÉÓÃECDSAÖ¤Êé¡¢·þÎñÆ÷·¢Ë͸ø¿Í»§¶ËµÄÖ¤ÊéÁ´°üº¬ËùÓÐÖмäÖ¤Êé

Ó²¼þÅäÖÃÓÅ»¯£¬ÀýÈçʹÓÃSSL¼ÓËÙÆ÷

×ܽá

±¾ÎÄÊǸöÈ˽ü¶Îʱ¼äѧϰµ½µÄ¹ØÓÚHTTPSÐÔÄÜÓÅ»¯µÄ×ܽᡣ

ÍÆ¼öµÄÃÜÂëÌ×¼þÁÐ±í£º

<table width="60%" border="0" align="center" cellpadding="7" cellspacing="1" bgcolor="#CCCCCC" class="content" style="text-indent: 0em;">
<tr bgcolor="#FFFFFF">
<td height="25" bgcolor="#f5f5f5"> Hello World!</td>
</tr>
</table>

ÆäËû¶îÍâµÄÃÜÂëÌ×¼þ£¬±ÈÈçÐèÒªÖ§³ÖIE6£¬¿ÉÒÔ·ÅÔÚÃÜÂëÌ×¼þÁбíĩβ¡£

×Ô¼ºÐ´Á˸ögo³ÌÐòÓÃÓÚ¼ì²âÃÜÂëÌ×¼þÁбíÖ§³Ö/²»Ö§³ÖµÄ¿Í»§¶Ë£ºsslciphersuitescheck

   
2876 ´Îä¯ÀÀ       28
Ïà¹ØÎÄÕÂ

¹È¸è½ÌÄãÈçºÎ¹¹½¨Ò»¸öÓÅÐãµÄÒÆ¶¯ÍøÕ¾
ÈçºÎ¸ßЧµØ¹ÜÀíÍøÕ¾¾²Ì¬×ÊÔ´
¸ßÐÔÄÜÍøÕ¾½¨ÉèµÄ×î¼Ñʵ¼ù
Ïл°ÍøÕ¾×ó²àµ¼º½µÄʵÏÖ
 
Ïà¹ØÎĵµ

ÍøÕ¾½¨Éè·½°¸Á÷³Ì
ÍøÕ¾½¨Éècss½Ì³Ì
ÆóÒµÍøÕ¾½¨ÉèÓëÍÆ¹ã
ÍøÕ¾½¨Éè·½°¸Êé
Ïà¹Ø¿Î³Ì

Éè¼ÆÄ£Ê½Ô­ÀíÓëÓ¦ÓÃ
´ÓÐèÇó¹ý¶Éµ½Éè¼Æ
Èí¼þÉè¼ÆÔ­ÀíÓëʵ¼ù
ÈçºÎ±àд¸ßÖÊÁ¿´úÂë