We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl_protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
如果不打算继续支持 IE8,或者一些合规的要求,可以去掉TLSv1。
然后我们再修改对应的加密算法,加入TLS1.3引入的新算法:
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
如果不打算继续支持 IE8,可以去掉包含 3DES 的 Cipher Suite。
默认情况下 Nginx 因为安全原因,没有开启 TLS 1.3 0-RTT,可以通过添加 ssl_early_data on; 指令开启 0-RTT的支持。
https://segmentfault.com/a/1190000017270510#articleHeader14
The text was updated successfully, but these errors were encountered:
feature: enabled HTTP2 and supported to set ssl_protocols. (#663)
0e10fa6
* feature: enabled HTTP2 and supported to set `ssl_protocols`. * bugfix: used default certificate if failed to load certificate by SNI. Fix #595.
Successfully merging a pull request may close this issue.
TLS 1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
如果不打算继续支持 IE8,或者一些合规的要求,可以去掉TLSv1。
然后我们再修改对应的加密算法,加入TLS1.3引入的新算法:
如果不打算继续支持 IE8,可以去掉包含 3DES 的 Cipher Suite。
默认情况下 Nginx 因为安全原因,没有开启 TLS 1.3 0-RTT,可以通过添加 ssl_early_data on; 指令开启 0-RTT的支持。
https://segmentfault.com/a/1190000017270510#articleHeader14
The text was updated successfully, but these errors were encountered: