±à¼ÍƼö: |
±¾ÎÄÀ´×ÔÓÚcodeceo£¬±¾ÎÄÏêϸ½éÉÜÁËTLSÖпɱ»ÅäÖõÄËã·¨£¬»á»°»Ö¸´ÒÔ¼°OCSP£¨ÔÚÏßÖ¤Êé״̬ÐÒ飩
µÈÏà¹ØÖªÊ¶¡£ |
|
×î½üÔÚѧϰhttpsÐÔÄÜÓÅ»¯£¬ËäÈ»ÍøÉÏÒѾÓÐÐí¶àµÄ¹ØÓÚhttpsÐÔÄÜÓÅ»¯µÄÎÄÕÂÁË£¬µ«»¹ÊÇÏëдÏÂÕâÆªÎÄÕ£¬×÷Ϊѧϰ×ܽá=^_^=£¬ÎÄÖжÔÓÚһЩ¸ÅÄîÐÔ»òʵÏÖϸ½ÚÉϵĶ«Î÷²¢²»»áÕ¹¿ª£¬µ«»á¸ø³öÏàÓ¦µÄÒýÓã¬ÓÐЩͼƬҲÀ´×ÔÍøÉÏ×ÊÔ´¡£
Õ½ڹ滮£º
ÈÏʶSSL/TLS
Ë㷨ѡÔñ
»á»°»Ö¸´
OCSP stapling
TLS »º³åÇøÓÅ»¯
TLS false start
ÆäËûÓÅ»¯
ÈÏʶSSL/TLS
SSLºÍTLS¶¼ÊÇÓÃÓÚ±£Õ϶˵½¶ËÖ®¼äÁ¬½ÓµÄ°²È«ÐÔ¡£SSL×î³õÊÇÓÉNetscape¿ª·¢µÄ£¬ºóÀ´ÎªÁËʹµÃ¸Ã°²È«ÐÒé¸ü¼Ó¿ª·ÅºÍ×ÔÓÉ£¬¸üÃûΪTLS£¬²¢±»±ê×¼»¯µ½RFCÖУ¬ÏÖÔÚÖ÷Á÷µÄÊÇTLS
1.2°æ±¾¡£

´ÓÉÏͼ£¬¿ÉÒÔ¿´³öSSL/TLSÊǽéÓÚÓ¦ÓòãºÍ´«Êä²ãÖ®¼ä£¬²¢ÇÒ·ÖΪÎÕÊֲ㣨Handshake Layer£©ºÍ¼Ç¼²ã£¨Record
Layer£©¡£
ÎÕÊֲ㣺¶ËÓë¶ËÖ®¼äÐÉÌÃÜÂëÌ×¼þ¡¢Á¬½Ó״̬¡£
¼Ç¼²ã£º¶ÔÊý¾ÝµÄ·â×°£¬Êý¾Ý½»¸ø´«Êä²ã֮ǰ£¬»á¾¹ý·ÖƬ-ѹËõ-ÈÏÖ¤-¼ÓÃÜ¡£
´ÓTLS 1.2 RFC¿ÉÒÔÁ˽â¸ü¶à£ºhttps://www.ietf.org/rfc/rfc5246.txt
Ë㷨ѡÔñ
TLSÖпɱ»ÅäÖõÄËã·¨·ÖÀࣺ
Êý×ÖÇ©Ãû£ºRSA¡¢DSA
Á÷¼ÓÃÜ£ºRC4
·Ö×é¼ÓÃÜ£ºDES¡¢AES
ÈÏÖ¤¼ÓÃÜ£ºGCM
¹«Ô¿¼ÓÃÜ£ºRSA
ÏûÏ¢ÈÏÖ¤Â룺SHA
ÃÜÔ¿½»»»£ºDiffie¨CHellman
ÃÜÂëÌ×¼þ¾ö¶¨ÁË»áʹÓõ½µÄËã·¨£¬ÀýÈçÖ´ÐÐopenssl ciphers -v 'ALL' | grep
ECDHE-RSA-AES128-GCM-SHA256£º
ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD |
±íÃ÷¸ÃËã·¨ÊÇÔÚTLS 1.2ÖÐÖ§³ÖµÄ£¬ÃÜÔ¿½»»»²ÉÓÃECDH£¨ECÊÇÖ¸²ÉÓÃÍÖÔ²ÇúÏßµÄDH£©,Êý×ÖÇ©Ãû²ÉÓÃRSA£¬¼ÓÃܲÉÓÃ128λÃÜÔ¿³¤¶ÈµÄAESGCM£¬ÏûÏ¢ÈÏÖ¤Âë²ÉÓÃAEAD£¨AEADÊÇÒ»ÖÖеļÓÃÜÐÎʽ£¬°Ñ¼ÓÃܺÍÏûÏ¢ÈÏÖ¤Âë½áºÏµ½Ò»Æð£¬¶ø²»ÊÇij¸öËã·¨£¬ÀýÈçʹÓÃAES²¢²ÉÓÃGCMģʽ¼ÓÃÜ£¬¾ÍÄܹ»ÎªÊý¾ÝÌṩ±£ÃÜÐÔ¡¢ÍêÕûÐԵı£ÕÏ£©¡£
ÈçºÎÀí½âÍêÕûÐÔ£¿
A ½«Ã÷ÎÄM¼ÓÃܺóΪMC£¬·¢¸øB£¬B½âÃÜ£¬µÃµ½Ã÷ÎÄ¡£ Èç¹û´ËʱÓÐÖмäÈËC£¬½«MCÌæ»»ÎªCMC£¨ËäÈ»C²»ÖªµÀAÔõô¼ÓÃܵ쬵«Õâû¹ØÏµ£©£¬B½«CMC½âÃÜ£¬µÃµ½Ã÷ÎÄ£¨ÄÇôBÄõ½µÄÆäʵÊÇ´íÎóµÄÃ÷ÎÄ£©¡£
ËùÒÔÐèÒªÒýÈëÏûÏ¢ÈÏÖ¤Â룬B²ÅÄܹ»ÅжÏÊÕµ½µÄÃÜÎÄÊÇ·ñ±»´Û¸Ä¹ý¡£ ÕâÀïÄã¿ÉÄÜ»áÎÊ£ºÄÇÈç¹ûCͬʱαÔìÏûÏ¢ÈÏÖ¤ÂëÄØ£¿
Õâ¸ö¾ÍµÃ¿´MACºÍ¼ÓÃÜÊÇÈçºÎÅäºÏµÄÁË£¬ÏêÇé¿ÉÒԲ鿴ÈÏÖ¤¼ÓÃÜÖеÄApproaches to Authenticated
EncryptionÕ½ڡ£
ÔÚTLSÎÕÊÖºÍÊý¾Ý´«ÊäµÄ²»Í¬½×¶Î»á²ÉÓÃÏàÓ¦µÄËã·¨£º
·þÎñ¶ËÉí·ÝÑéÖ¤£ºÊý×ÖÇ©Ãû£¨RSA¡¢ECDSA£©
ÃÜÔ¿½»»»£ºRSA/ÃÜÔ¿½»»»Ëã·¨£¨ECDH£©
¼ÓÃÜ/½âÃÜ£ºÁ÷¼ÓÃÜ£¨RC4£©ºÍ·Ö×é¼ÓÃÜ£¨3DES/AES/AESGCM£©
Éú³ÉÏûÏ¢ÈÏÖ¤Â룺SHA/AEAD
²»ÖªÊÇ·ñÓÐÈË·¢ÏÖ²¢Ã»ÓÐÌᵽѹËõËã·¨£¬Èç¹ûgoogleÏÂTLSѹËõÓÅ»¯Ïà¹ØµÄÄÚÈÝ£¬»á·¢ÏÖûÓУ¬ÒòΪĿǰÔÚTLS
1.2 RFCÖУ¬¹ØÓÚѹËõ·½·¨µÄ½á¹¹¶¨ÒåΪenum { null(0), (255) } CompressionMethod;£¬¼´Ö»ÓÐnull·½·¨£¨²»½øÐÐѹËõ£©¡£Ä¿Ç°´æÔÚ¶ÔTLSѹËõµÄ¹¥»÷£ºhttp://www.freebuf.com/articles/web/5636.html£¬¿ÉÄÜÊÇ»ùÓÚ´ËÔÒò£¬TLSѹËõĿǰֻÊǸö¸ÅÄîÐԵĶ«Î÷£¬Ã»Óб»ÕæÕýÓ¦ÓÃÆðÀ´¡£
ÈçºÎÑ¡ÔñËã·¨¡ª¡ª°²È«ÐÔ
ͨ³£¼ÓÃÜËã·¨µÄ°²È«ÐÔÒÀÀµÓÚÃÜÔ¿µÄ³¤¶È£¬ÇÒ²»Í¬¼ÓÃÜËã·¨£¬¼´Ê¹ÃÜÔ¿³¤¶ÈÏàͬ£¬µ«ÌṩµÄ°²È«ÐÔÒ²¿ÉÄÜÊDz»Í¬µÄ£¬Ïà¹Ø×ÊÁÏ£ºkey
size¡£ËùÒÔ²¢Ã»ÓÐÒ»¸ö±ê×¼µÄ¹éÒ»»¯·½·¨È¥ºâÁ¿ËùÓеļÓÃÜËã·¨£¬µ«ÊÇÓÐÀ´×ÔÊÀ½çÉϸ÷¸ö×éÖ¯/»ú¹¹¶Ô²»Í¬ÀàÐÍËã·¨°²È«ÐÔµÄÆÀ¹À£¬¿ÉÒÔ¿´ÏÂÕâ¸öÍøÕ¾£ºhttps://www.keylength.com/
Ö´ÐÐopenssl ciphers -v 'ALL' | wc -l»á·¢ÏÖÓÐ100+¸öÃÜÂëÌ×¼þ£¨²»Í¬openssl°æ±¾ÌṩµÄÃÜÂëÌ×¼þÓеã²îÒ죩£¬È»¶ø£¬Êµ¼ÊÖ»»áʹÓõ½ÆäÖÐÒ»²¿·Ö£¬ÒòΪopensslÌṩµÄ²»ÉÙËã·¨ÊDz»°²È«µÄ£¬ÐèÒªÅųýµô¡£
Ö´ÐÐopenssl ciphers -v 'HIGH MEDIUM !aNULL !eNULL !LOW
!MD5 !EXP !DSS !PSK !SRP !CAMELLIA !IDEA !SEED !RC4'
| wc -l£¬·¢ÏÖֻʣÏÂ50+¸öÃÜÂëÌ×¼þ¡£
ɸѡºóʣϵÄÃÜÂëÌ×¼þ»¹ÊÇͦ¶àµÄ£¬Ò»¸ö¸ö×öÐÔÄܲâÊԵϰ£¬»áGGµÄ= =¡£Æäʵ¿ÉÒÔ¸ù¾ÝÐèÒªÖ§³ÖµÄ¿Í»§¶Ë£¬ÔÙɸѡ³öÖ÷Á÷µÄÃÜÂëÌ×¼þ¡£ÍøÖ·£ºhttps://www.ssllabs.com/ssltest/clients.html£¬ÌṩÁ˾ø´ó²¿·Ö¿Í»§¶Ë¶ÔTLSµÄÖ§³ÖÇé¿ö£¬µã»÷ÏàÓ¦µÄUser
agent¿ÉÒԲ鿴µ½ÆäÖ§³ÖµÄÃÜÂëÌ×¼þ£¬²¢ÇÒ¸÷Ì×¼þµÄ°²È«ÐÔÒ²±»±ê×¢³öÀ´ÁË¡£
ÍøÖ·£ºhttps://www.ssllabs.com/ssltest/£¬¿ÉÒÔÓÃÓÚ²âÊÔ·þÎñÆ÷µÄSSLÅäÖÃÇé¿ö£¬²¢»á¸ø³öµÃ·Ö£¬ÈçÏÂͼgoogleµÄµÃ·ÖΪA£º

ÈçºÎÑ¡ÔñËã·¨¡ª¡ªÐÔÄÜ
ÒÔÏÂÐÔÄܲâÊÔ¶¼ÊÇѡȡÖ÷Á÷µÄËã·¨½øÐС£
Êý×ÖÇ©Ãû£ºECDSA vs RSA
ÐèÒªÏÈ·Ö±ðÉú³É²ÉÓÃECDSAºÍRSAµÄÇ©ÃûÖ¤Êé¡£
Éú³ÉECDSA×ÔÇ©ÃûµÄÖ¤Ê飺
openssl ecparam
-name prime256v1 -genkey -out ec_key.pem
openssl req -new -x509 -key ec_key.pem -out cert.pem
-days 365 |
-param_enc²ÎÊýʹÓÃĬÈϵÄnamed_curve¾Í¿ÉÒÔÁË£¬Èç¹ûʹÓÃexplicit£¬»á·¢ÏÖÉú³ÉµÄÖ¤ÊénginxÄÜÅäÖóɹ¦£¬µ«¿Í»§¶ËÁ¬½Óʱ»á³öÏÖhandshake
error¡£
Éú³ÉRSAÇ©ÃûµÄÖ¤Ê飺
openssl req
-newkey rsa:2048 -nodes -keyout rsa_key.pem -x509
-days 365 -out cert.pem |
Ö´ÐÐopenssl speed rsa2048 ecdsap256²âÊÔÏ£º
sign verify
sign/s verify/s
rsa 2048 bits 0.000834s 0.000024s 1198.9 41031.9
sign verify sign/s verify/s
256 bit ecdsa (nistp256) 0.0000s 0.0001s 21302.5
9728.5 |
¿ÉÒÔ¿´µ½Ç©ÃûÐÔÄÜECDSA > RSA£¬¶øÑéÖ¤ÐÔÄÜRSA > ECDSA¡£
²âÊÔ»·¾³£º
·þÎñ¶Ë£º1̨ÐéÄâ»úCentOS 4ºË openresty 2¸öworker
¿Í»§¶Ë£º4̨ÐéÄâ»úCentOS 4/2/2/2ºË£¨ÊÖÍ·Ö»ÓÐÕâЩÐéÄâ»ú= =£©£¬ ÓÃshell½Å±¾Ä£Äâ²¢·¢µÄab
-c 800 -n 800£¨²¢·¢µÄabʵÀýÊý=2*CPU_NUM£©£¬Ê¹ÓÃtimeÃüÁî»ñÈ¡ÏûºÄµÄʱ¼ä
²âÊÔÒ³Ãæ562×Ö½Ú£¬Ä¿±êÊDzâÊÔÊý×ÖÇ©ÃûµÄÐÔÄÜ£¬ËùÒÔÒ³ÃæÐ¡µã£¬±ÜÃâ¼ÓÃÜ/½âÃÜ¡¢Êý¾Ý´«ÊäÕ¼ÓÃÌ«¶àʱ¼ä
¶ą̀¿Í»§¶ËÈçºÎͬʱÆô¶¯£¿ctrl+tab£¬ÃüÁî+»Ø³µ¡¡
Ϊʲô²»ÓÃjmeter£¿ÎÒÓÃÁË1Master3SlaveµÄjmeter·Ö²¼Ê½Ñ¹²â·¢ÏÖ£¬jmeter¶ÔÓÚÔڸó¡¾°£¨CPU
bound£©ÏµÄÐÔÄܲâÊÔ²»ÐУ¬·þÎñ¶ËѹÁ¦Éϲ»È¥
ÔÚÏàͬµÄÇëÇóÁ¿Ï£¬RSAÇ©Ãû»áʹ·þÎñ¶ËCPUÕ¼Óøü¸ß£¬ËùÒÔÕâ´Î²âÊÔÐèÒªÔÚÁ½ÖÖÇ©ÃûµÄѹ²âÏ£¬·þÎñ¶ËCPU¶¼±£³ÖÔÚ90%ÒÔÉÏ£¨²»È»µÄ»°£¬¶ÔECDSA¾Í²»¹«Æ½ÁË£©¡£
ΪºÎopenrestyÊÇ2¸öworker£¿ÒòΪ¿ª4¸öµÄ»°£¬ECDSAµÄѹ²âû·¨Ê¹openresty4¸öworkerµÄCPUÏûºÄ´ïµ½90%
ECDHE-ECDSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È90%£¬½á¹û£º

ECDHE-RSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öECDSAµÄÐÔÄÜÒª±ÈRSAºÃµã£¬ÕâÀïECDSAµÄ²âÊÔÉÐδѹեÍê·þÎñ¶ËÄØ¡£´Óopenssl
speedµÄ½á¹ûÒ²¿ÉÒÔ¿´³öECDSAµÄÇ©ÃûÐÔÄÜÊÇÒªÔ¶³¬¹ýRSAµÄ£¬¶øÇÒÇ©ÃûÊÇÔÚ·þÎñ¶Ë×öµÄ£¬ËùÒÔÃæ¶Ôº£Á¿µÄ¿Í»§¶Ë£¬·þÎñ¶ËÓ¦¸ÃÑ¡ÔñʹÓÃECDSA¡£
ÃÜÔ¿½»»»£ºRSA vs ECDHE
²âÊÔ»·¾³Í¬ÉÏ£¬µ«Ö»Ê¹ÓÃÁË4/2ºËÁ½Ì¨¿Í»§¶Ë»úÆ÷·¢ÇëÇó¡£Ö¤ÊéʹÓõÄÊÇÉú³ÉµÄRSAÖ¤Ê飬ECDSAÖ¤ÊéÄÜÓõ½µÄÃÜÔ¿½»»»Ëã·¨Ö»ÄÜÊÇECDHE¡£
AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

ECDHE-RSA-AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öECDHEÓëRSAµÄÐÔÄܲ¶à¡£ECDHE±ÈRSAÒª¶àÁËÒ»´Î¶Ëµ½¶ËµÄ´«Ê䣬»¹»áÓõ½RSA¶ÔDH²ÎÊý½øÐÐÇ©ÃûºÍÑéÖ¤£»¶øRSAÃÜÔ¿½»»»Ôò»áʹÓõ½RSAµÄ¼ÓÃÜ/½âÃÜ£¬¾ßÌå¿É¿´ÈçÏÂCloudFlareµÄÁ½ÕÅͼ
ECDHEÖ§³ÖǰÏò±£ÃÜ£¨Forward Secrecy£©£¬¼òµ¥Àí½â£ºÖмäÈË¿ÉÒÔ±£´æÏÂÀ´¿Í»§¶ËºÍ·þÎñ¶ËÖ®¼äµÄËùÓÐͨÐÅÊý¾Ý£¬Èç¹ûʹÓÃRSAÎÕÊÖ£¬ÄÇôδÀ´Ä³Ò»Ì죬ÖмäÈËÈç¹û»ñÈ¡µ½ÁË·þÎñ¶ËµÄ˽Կ£¬¾Í¿ÉÒÔ½âÃÜËùÓÐ֮ǰ²É¼¯µÄͨÐÅÊý¾ÝÁË£»Èç¹û²ÉÓÃECDHEÎÕÊֵϰ£¬¾Í¿ÉÒÔ±ÜÃâÕâ¸öÎÊÌâ¡£¶øÇÒʹÓÃECDHEÎÕÊֵϰ£¬»¹ÓпÉÄÜ¿ªÆôTLS
false startµÄÌØÐÔ£¨ÏÂÎÄÖлáÌáµ½£©¡£
RSAÎÕÊÖ£º

ECDHEÎÕÊÖ£º

ËùÒÔÃÜÔ¿½»»»Ëã·¨ECDHE»á¸üºÃЩ¡£
¶Ô³Æ¼ÓÃÜ£ºAES256-GCM vs AES256 vs AES128-GCM vs 3DES
²âÊÔ»·¾³Í¬ÉÏ£¬µ«Ö»Ê¹ÓÃÁË4ºËһ̨¿Í»§¶Ë»úÆ÷·¢ÇëÇó£¬ab²ÎÊýΪab -n 2000 -c 10£¬abʵÀý4¸ö£¬²âÊÔÒ³Ãæ153K¡£ÒòΪÊÇҪѹ²â¶ÔÓ¦ÓòãÊý¾ÝµÄ¼ÓÃܽâÃÜÐÔÄÜ£¬ËùÒÔÁ¬½ÓÊýÉÙ£¬µ«Ã¿¸öÁ¬½ÓµÄÇëÇóÊý¶à¡£
ECDHE-RSA-AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È94%£¬½á¹û£º

ECDHE-RSA-AES256-SHA384£¬·þÎñ¶ËCPUÕ¼±È98%£¬½á¹û£º

ECDHE-RSA-AES128-GCM-SHA256£¬·þÎñ¶ËCPUÕ¼±È92%£¬½á¹û£º

DES-CBC3-SHA£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£¨Ì«ÂýÁË£¬¾Í²âÁËÁ½¸ö=¡£=£©£º

´Ó±í¸ñÖеÄÊý¾Ý¿ÉÒÔ¿´³öAES128GCM > AES256GCM > AES256 >
3DES¡£
ÏûÏ¢ÈÏÖ¤Â룺SHA256 vs SHA1 vs AEAD
²âÊÔ»·¾³Í¬ÉÏ¡£
AES256-SHA256£¬·þÎñ¶ËCPUÕ¼±È100%£¬½á¹û£º

AES256-SHA£¬·þÎñ¶ËCPUÕ¼±È98%£¬½á¹û£º

AES256-GCM-SHA384£¬·þÎñ¶ËCPUÕ¼±È95%£¬½á¹û£º

´Ó½á¹ûÖпÉÒÔ¿´³öAES256-GCM-SHA384 > AES256-SHA > AES256-SHA256¡£
»á»°»Ö¸´
Session Cache
¿Í»§¶ËÏ£Íû»Ö¸´ÏÈǰµÄsession£¬»òÕ߸´ÖÆÒ»¸ö´æÔÚµÄsession£¬¿ÉÒÔÔÚClientHelloÖдøÉÏSession
ID£¬Èç¹û·þÎñ¶ËÄܹ»ÔÚËüµÄSession CacheÖÐÕÒµ½ÏàÓ¦µÄSession IDµÄsession-state£¨´æ´¢ÐÉ̺õÄÃÜÂëÌ×¼þµÈÐÅÏ¢£©£¬²¢ÇÒÔ¸ÒâʹÓøÃSession
IDÖØ½¨Á¬½Ó£¬ÄÇô·þÎñ¶Ë»á·¢ËÍÒ»¸ö´øÓÐÏàͬSession IDµÄServerHello¡£

ĿǰNginx Ö»Ö§³Öµ¥»úSession Cache£¬Openresty Ö§³Ö·Ö²¼Ê½Session
Cache£¬µ«´¦ÓÚʵÑé½×¶Î¡£
Session Ticket
Session CacheÐèÒª·þÎñ¶Ë»º´æSessionÏà¹ØµÄÐÅÏ¢£¬¶Ô·þÎñ¶Ë´æÔÚ´æÈ¡Ñ¹Á¦£¬¶øÇÒ»¹Óзֲ¼Ê½Session
CacheÎÊÌâ¡£ ¶ÔÓÚÖ§³ÖSession TicketµÄ¿Í»§¶Ë£¬·þÎñ¶Ë¿ÉÒÔͨ¹ýijÖÖ»úÖÆ½«session-state¼ÓÃܺó×÷Ϊticket·¢¸ø¿Í»§¶Ë¡£¿Í»§¶Ëƾ½è¸Ãticket¾Í¿ÉÒÔ»Ö¸´ÏÈǰµÄ»á»°ÁË¡£
ÀàËÆÓÚHTTPÖÐÓÃJson Web TOken×÷Ϊcookie-sessionµÄÁíÒ»ÖÖÑ¡Ôñ¡£

OCSP£¨ÔÚÏßÖ¤Êé״̬ÐÒ飩 stapling
µ±¿Í»§¶ËÔÚÎÕÊÖ»·½Ú½ÓÊܵ½·þÎñ¶ËµÄÖ¤Êéʱ£¬³ýÁ˶ÔÖ¤Êé½øÐÐÇ©ÃûÑéÖ¤£¬»¹ÐèÒªÖªµÀÖ¤ÊéÊÇ·ñ±»µõÏúÁË£¬ÄÇôÐèÒªÏòÖ¤ÊéÖÐÖ¸¶¨µÄOCSP
url·¢ËÍOCSP²éѯÇëÇó¡£

¶ÔÓÚͬһ·Ý·þÎñ¶ËÖ¤Ê飬Èç¹ûÿ¸ö¿Í»§¶Ë¶¼×Ô¼ºÈ¥²éѯһ´ÎÖ¤Êé״̬¾ÍÀË·ÑÁË¡£ËùÒÔ£¬OCSP stapling¾ÍÊÇΪÁ˽â¾öÕâÒ»ÎÊÌ⣬ÓÉ·þÎñ¶Ë²éѯµ½Ö¤Êé״̬£¨Í¨³£»á»º´æÒ»¶Îʱ¼ä£©£¬²¢·µ»Ø¸ø¿Í»§¶Ë£¨¿Í»§¶Ë»áÔÚ±¾µØÐ£ÑéÕâ¸öÖ¤Êé״̬ÊÇ·ñÕæÊµ£©¡£

ÔÚnginxµÄÅäÖÃÖУ¬¿ÉÒÔÑ¡ÔñÐÔµÄÅäÖÃÊÇ·ñ¶ÔOCSP response×öУÑ飬·ÀÖ¹½«·Ç·¨µÄÖ¤Êé״̬·¢Ë͸ø¿Í»§¶Ë¡£Èç¹ûÉèÖÃÁËУÑ飬ssl_trusted_certificate²ÎÊýÐèҪΪ°üº¬ËùÓÐÖмäÖ¤Êé+¸ùÖ¤ÊéµÄÎļþ¡£
ÈçÏÂͼÊǶÔnginxÇëÇóOCSP ServerµÄ×¥°ü£¬¿ÉÒÔ¿´µ½·¢Á˸öhttpµÄocspÇëÇó£º

ÏÂͼÊǶÔnginxÔÚ·¢ËÍÖ¤Ê鏸¿Í»§¶Ëʱ£¬´øÉϵÄÖ¤Êé״̬µÄ×¥°ü£º

TLS»º³åÇøµ÷ÓÅ
nginxĬÈϵÄssl_buffer_sizeÊÇ16K£¨TLS Record Layer×î´óµÄ·ÖƬ£©£¬¼´Ò»¸öTLS
RecordµÄ´óС£¬Èç¹ûHTTPµÄÊý¾ÝÊÇ160K£¬ÄÇô¾Í»á±»²ð·ÖΪ10¸öTLS Record£¨Ã¿¸öTLS
Record»á±»TCP²ã²ð·ÖΪ¶à¸öTCP°ü´«Ê䣩·¢Ë͸ø¿Í»§¶Ë¡£

Èç¹ûTLS Record Size¹ý´óµÄ»°£¬²ð·ÖµÄTCP°üÒ²»á½Ï¶à£¬´«Êäʱ£¬Èç¹û³öÏÖTCP¶ª°ü£¬Õû¸öTLS
Recordµ½´ï¿Í»§¶ËµÄʱ¼ä¾Í»á¼Ó³¤£¬¿Í»§¶Ë±ØÐëµÈ´ýÍêÕûµÄTLS RecordÊÕµ½²ÅÄܽøÐнâÃÜ¡£

Èç¹ûTLS Record SizeСһЩµÄ»°£¬TCP¶ª°üÓ°ÏìµÄTLS RecordÕ¼±È¾Í»áСºÜ¶à£¬µ½´ï¿Í»§¶ËµÄTLS
Record¾Í»á¶àЩ£¬¿Í»§¶Ë¸ÉµÈ×ŵÄʱ¼ä¾ÍÏà¶ÔÉÙÁË¡£µ«ÊÇ£¬TLS Record HeadµÄ¸ºÔؾÍÔö¼ÓÁË£¬¿ÉÄÜ»¹»á½µµÍÁ¬½ÓµÄÍÌÍÂÁ¿¡£
¼ÙÉèssl_buffer_sizeÉèÖÃΪ1460byte£º

ͨ³££¬ÔÚTCPÂýÆô¶¯µÄ¹ý³ÌÖУ¬TLS Record SizeСµãºÃ£¬ÒòΪÕâ¸öʱºòTCPÁ¬½ÓµÄÓµÈû´°¿Úcwnd½ÏС£¬TCPÁ¬½ÓÍÌÍÂÁ¿Ò²Ð¡¡£¶øÔÚTCPÁ¬½Ó½áÊøÂýÆô¶¯Ö®ºó£¬TLS
Record Size¾Í¿ÉÒÔÔö´óһЩÁË£¬ÒòΪÕâ¸öʱºòÍÌÍÂÁ¿ÉÏÀ´ÁË¡£ËùÒÔ¸üÏ£ÍûÄܹ»¶¯Ì¬µÄµ÷ÕûnginxÖÐssl_buffer_sizeµÄ´óС£¬Ä¿Ç°¹Ù·½nginx»¹²»Ö§³Ö£¬²»¹ýcloudflareΪnginx´òÁ˸öpatch£¬ÒÔÖ§³Ö¶¯Ì¬µÄµ÷ÕûTLS
Record Size£ºOptimizing TLS over TCP to reduce latency
TLS False Start
ijһ¶ËÔÚ·¢ËÍ Change Cipher Spec¡¢Finished Ö®ºó£¬¿ÉÒÔÁ¢¼´·¢ËÍÓ¦ÓÃÊý¾Ý£¬ÎÞÐèµÈ´ýÁíÒ»¶ËµÄ
Change Cipher Spec¡¢Finished ¡£ÕâÑù£¬Ó¦ÓÃÊý¾ÝµÄ·¢ËÍʵ¼ÊÉϲ¢Î´µÈµ½ÎÕÊÖÈ«²¿Íê³É£¬´Ó¶ø½ÚÊ¡³öÒ»¸öRTTʱ¼ä¡£
ÍêÕûÎÕÊÖʱ£¬Client Side False Start£º

¼ò¶ÌÎÕÊÖʱ£¬Server Side False Start£º

¿ÉÒÔ¿´ÏÂÕâÆªÎÄÕ£ºTLS False Start¾¿¾¹ÊÇÈçºÎ¼ÓËÙÍøÕ¾µÄ ºÍ Transport Layer
Security (TLS) False Start
RFC7918Öв¢Ã»ÓжÔServer Side False Start½øÐж¨Ò壨Æä֮ǰµÄ²Ý°¸ÖоÍÓÐÌáµ½£¬draft-bmoeller-tls-falsestart-00/01£©£¬ÎÄÖеÄ˵Ã÷£ºHowever,
if the server sends application data first, the abbreviated
handshake adds two round-trip times, and this could
be reduced to just one added round-trip time by doing
a server-side False Start. There is little need for
this in practice, so this document does not consider
server-side False Starts further.
¿ÉÄÜÊÇÔÚ֮ǰµÄHTTP 1³¡¾°Ï£¬¶ÔServer Side False StartµÄÐèÇó²¢²»Ç¿ÁÒ£¬»òÕß˵ʵ¼ù²»¶à£¨µ±È»ÆäËûÓ¦ÓòãÐÒé¿ÉÄÜ»áÓУ¬ÀýÈçwebsocket£©¡£
Client Side False StartÐèÒªµÄÌõ¼þ£º
¿Í»§¶ËºÍ·þÎñ¶Ë¶¼ÐèÒªÖ§³ÖNPN/ALPN£¨ä¯ÀÀÆ÷ÒªÇó£©
ÐèÒª²ÉÓÃÖ§³ÖǰÏò±£ÃܵÄÃÜÂëÌ×¼þ£¬¼´Ê¹ÓÃECDHE½øÐÐÃÜÔ¿½»»»£¨RFC7918ÖÐÓй涨£©
ÆäËûÓÅ»¯
TCPÓÅ»¯£¬±Ï¾¹SSLÊý¾ÝÒ²ÊÇ»ùÓÚTCP½øÐд«ÊäµÄ
Ö¤ÊéÓÅ»¯£¬²ÉÓÃECDSAÖ¤Êé¡¢·þÎñÆ÷·¢Ë͸ø¿Í»§¶ËµÄÖ¤ÊéÁ´°üº¬ËùÓÐÖмäÖ¤Êé
Ó²¼þÅäÖÃÓÅ»¯£¬ÀýÈçʹÓÃSSL¼ÓËÙÆ÷
×ܽá
±¾ÎÄÊǸöÈ˽ü¶Îʱ¼äѧϰµ½µÄ¹ØÓÚHTTPSÐÔÄÜÓÅ»¯µÄ×ܽᡣ
ÍÆ¼öµÄÃÜÂëÌ×¼þÁÐ±í£º
<table width="60%"
border="0" align="center"
cellpadding="7" cellspacing="1"
bgcolor="#CCCCCC" class="content"
style="text-indent: 0em;"> <tr
bgcolor="#FFFFFF"> <td height="25"
bgcolor="#f5f5f5"> Hello World!</td>
</tr>
</table> |
ÆäËû¶îÍâµÄÃÜÂëÌ×¼þ£¬±ÈÈçÐèÒªÖ§³ÖIE6£¬¿ÉÒÔ·ÅÔÚÃÜÂëÌ×¼þÁбíĩβ¡£
×Ô¼ºÐ´Á˸ögo³ÌÐòÓÃÓÚ¼ì²âÃÜÂëÌ×¼þÁбíÖ§³Ö/²»Ö§³ÖµÄ¿Í»§¶Ë£ºsslciphersuitescheck

|