ssl_ciphers "ECC-SM4-SM3:ECDHE-SM4-SM3" 不生效 #34
Comments
|
打上这个#21 |
这个配置下由于nginx默认最高协议版本为TLS1.2且未配置TLS1.2相关套件,故报错”No ciphers enabled for max supported SSL/TLS version“,可以通过配置“ssl_protocols TLSv1.3;”规避。(TLS1.3套件不通过"ssl_ciphers"配置且默认使能),此时结果也是“密信是SM访问(因为密信默认先SM),360安全和火狐是RSA访问”
按照我们的理解首先应选择协议版本,然后才是选择密码套件(国密SSL与标准SSL区别不只是套件区别,版本号也不同)。nginx会先根据浏览器发送的client hello中的版本确定协议版本,然后才是确认协商套件。而由于浏览器会尝试多个不同版本且优先级不同(密信优先国密SSL,360/火狐优先TLS1.3),所以会有不同的协商结果。如果需要nginx来选择使用的协议版本,nginx需要知道浏览器支持的版本,亦即"如果浏览器同时支持国密SSL+标准SSL,如何通过一个client_hello来告诉nginx”,这涉及到国密SSL和标准SSL的版本兼容和升降级机制,目前没有标准化的实现。这是一种方法 #21 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
nginx配置SM和RSA双证书,想通过 ssl_ciphers 来配置 优先使用 SM密码套件,还是RSA密码套件,但SM密码套件似乎不生效。
请问是否我的配置/测试有误?
基本配置:
# sm
ssl_certificate /etc/nginx/certs/SS.crt;
ssl_certificate_key /etc/nginx/certs/SS.key;
ssl_certificate /etc/nginx/certs/SE.crt;
ssl_certificate_key /etc/nginx/certs/SE.key;
# rsa
ssl_certificate /etc/nginx/certs_inter/server.crt;
ssl_certificate_key /etc/nginx/certs_inter/server.key;
浏览器:
密信、360安全、火狐浏览器
配置1:
ssl_ciphers "ECC-SM4-SM3:ECDHE-SM4-SM3";
ssl_prefer_server_ciphers on;
配置2:
ssl_prefer_server_ciphers on;
配置3:
ssl_prefer_server_ciphers on;
ssl_ciphers "ECC-SM4-SM3:ECDHE-SM4-SM3:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
The text was updated successfully, but these errors were encountered: