TLS has been around for more than 20 years. TLS 1.2 was designed to be highly configurable, and in the name of compatibility with older browsers many sites keep insecure cipher suites enabled, which gives attackers an opening. TLS 1.3 removes those insecure algorithms from the protocol outright instead of leaving them as options. This post is a tutorial for enabling TLS 1.3.
1. Benefits of TLS 1.3
- Faster connections: a full handshake completes in one round trip instead of the two TLS 1.2 needs, and a resumed session can carry application data in the client's first flight (0-RTT). 0-RTT data is replayable, which is why nginx leaves it disabled unless `ssl_early_data on` is set.
- Stronger security: only AEAD cipher suites with ephemeral (EC)DHE key exchange remain, so every connection has forward secrecy. Static RSA key exchange, CBC-mode suites, RC4, 3DES, SHA-1 MACs, compression and renegotiation are gone, and everything after the ServerHello, including the server certificate, is encrypted.
2. Configuration
Baota (宝塔) panel users have it easy: the panel's nginx builds from 1.15 onwards support TLS 1.3. (nginx has accepted `TLSv1.3` in `ssl_protocols` since 1.13.0, but it only takes effect when nginx is linked against OpenSSL 1.1.1 or later.) Edit the site's configuration file so that it contains:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
```

Two things to know about this cipher list. First, the `TLS13-*` names are the naming used by OpenSSL 1.1.1 pre-release builds; the released OpenSSL 1.1.1 calls the TLS 1.3 suites `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` and `TLS_AES_128_GCM_SHA256` and configures them separately from the TLS 1.2 cipher list (through `SSL_CTX_set_ciphersuites`, which nginx 1.19.4 and later expose as `ssl_conf_command Ciphersuites ...`). OpenSSL silently skips entries it does not recognise as long as something else in the string matches, so on a current build the `TLS13-*` entries do nothing and the OpenSSL default TLS 1.3 suites are used. Second, the TLS 1.2 part of the list still offers `RSA+AES128`, `RSA+AES256` and `RSA+3DES` (static RSA key exchange, so no forward secrecy) and 3DES (a 64-bit block cipher), which is exactly the compatibility-over-security trade-off the introduction criticises; drop those entries unless you must serve clients that offer nothing else.
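To see what that `ssl_ciphers` line actually selects, here is an added example (my code, not from the tutorial, the Baota panel or nginx): a small resolver for the OpenSSL cipher-string syntax that nginx passes straight through, run over the list above and over an ECDHE-plus-AEAD-only replacement. The cipher table is a constructed subset of OpenSSL's TLS 1.2 suites, `HARDENED` is my suggested value rather than the page's, and the resolver models the core rules only (`:`-separated entries, `+` as AND, `!` kill, `-` delete, `+` prefix move-to-end). It shows that the `TLS13-*` and `CHACHA20-draft` entries are skipped, that the bare `RSA` alias selects static-RSA suites, and the difference between `!` and `-`.

```python
"""Resolve an OpenSSL-style cipher string (what nginx passes to ssl_ciphers) and flag
the TLS 1.2 suites that reintroduce what TLS 1.3 removed: static RSA key exchange
(no forward secrecy), 3DES and non-AEAD suites. Constructed example: the cipher table
is a SUBSET of OpenSSL's suites and only the core string rules are modelled."""
from typing import Dict, List, Set, Tuple

# (name, key exchange, authentication, encryption, mac), roughly OpenSSL's default order.
CIPHER_TABLE: List[Tuple[str, str, str, str, str]] = [
    ("ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE", "ECDSA", "AES256-GCM", "AEAD"),
    ("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "RSA", "AES256-GCM", "AEAD"),
    ("ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE", "ECDSA", "CHACHA20", "AEAD"),
    ("ECDHE-RSA-CHACHA20-POLY1305", "ECDHE", "RSA", "CHACHA20", "AEAD"),
    ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE", "ECDSA", "AES128-GCM", "AEAD"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE", "RSA", "AES128-GCM", "AEAD"),
    ("ECDHE-RSA-AES128-SHA", "ECDHE", "RSA", "AES128-CBC", "SHA1"),
    ("AES256-GCM-SHA384", "RSA", "RSA", "AES256-GCM", "AEAD"),
    ("AES128-GCM-SHA256", "RSA", "RSA", "AES128-GCM", "AEAD"),
    ("AES256-SHA", "RSA", "RSA", "AES256-CBC", "SHA1"),
    ("AES128-SHA", "RSA", "RSA", "AES128-CBC", "SHA1"),
    ("ECDHE-ECDSA-DES-CBC3-SHA", "ECDHE", "ECDSA", "3DES", "SHA1"),
    ("ECDHE-RSA-DES-CBC3-SHA", "ECDHE", "RSA", "3DES", "SHA1"),
    ("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1"),
]
EXTRA_KEYWORDS = {"MD5", "RC4", "aNULL", "eNULL"}  # real aliases that match nothing in this subset

def _tags(name: str, kx: str, au: str, enc: str, mac: str) -> Set[str]:
    """Every keyword (OpenSSL alias) that selects this suite."""
    t = {name, "k" + kx, "a" + au, mac}
    if kx == "ECDHE":
        t |= {"ECDHE", "EECDH", "kEECDH"}
    if au == "ECDSA":
        t.add("ECDSA")
    if kx == "RSA" and au == "RSA":
        t.add("RSA")  # bare RSA = RSA key exchange AND RSA auth, i.e. no forward secrecy
    if enc.startswith("AES"):
        t |= {"AES", enc[:6]} | ({"AESGCM"} if enc.endswith("GCM") else set())
    else:
        t.add(enc)  # CHACHA20 or 3DES
    if mac == "SHA1":
        t.add("SHA")
    return t

CIPHERS: Dict[str, Set[str]] = {row[0]: _tags(*row) for row in CIPHER_TABLE}
ORDER: List[str] = [row[0] for row in CIPHER_TABLE]
KNOWN: Set[str] = set().union(*CIPHERS.values()) | EXTRA_KEYWORDS

def resolve(cipher_string: str) -> Tuple[List[str], List[str]]:
    """Return (selected suites in order, entries OpenSSL would silently skip)."""
    selected: List[str] = []
    killed: Set[str] = set()
    skipped: List[str] = []
    for entry in cipher_string.replace(",", ":").split(":"):
        entry = entry.strip()
        if not entry or entry.startswith("@"):  # @STRENGTH and friends are not modelled
            continue
        op, body = (entry[0], entry[1:]) if entry[0] in "!-+" else ("add", entry)
        words = body.split("+")  # A+B selects suites matching both A and B
        if any(w not in KNOWN for w in words):
            skipped.append(entry)  # one unknown token and OpenSSL drops the whole entry
            continue
        matching = [c for c in ORDER if all(w in CIPHERS[c] for w in words)]
        if op == "!":  # killed for good: no later entry can add these back
            killed.update(matching)
            selected = [c for c in selected if c not in matching]
        elif op == "-":  # removed, but a later entry may re-add
            selected = [c for c in selected if c not in matching]
        elif op == "+":  # move matching active suites to the end of the list
            selected = [c for c in selected if c not in matching] + [c for c in selected if c in matching]
        else:
            selected += [c for c in matching if c not in selected and c not in killed]
    return selected, skipped

def audit(cipher_string: str) -> Dict[str, List[str]]:
    """Group the selected suites by the weaknesses TLS 1.3 no longer allows at all."""
    selected, skipped = resolve(cipher_string)
    return {
        "selected": selected,
        "ignored_entries": skipped,
        "no_forward_secrecy": [c for c in selected if "kRSA" in CIPHERS[c]],
        "3des": [c for c in selected if "3DES" in CIPHERS[c]],
        "non_aead": [c for c in selected if "AEAD" not in CIPHERS[c]],
    }

# The ssl_ciphers value from the tutorial above, verbatim.
PAGE_CIPHERS = ("TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:"
                "TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:"
                "EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:"
                "RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5")
# My suggested replacement (not from the page): ECDHE key exchange and AEAD suites only.
HARDENED = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
            "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305")

if __name__ == "__main__":
    for label, value in (("page", PAGE_CIPHERS), ("hardened", HARDENED)):
        report = audit(value)
        print(f"{label}: {len(report['selected'])} suites; ignored: {report['ignored_entries']}")
        for key in ("no_forward_secrecy", "3des", "non_aead"):
            print(f"  {key}: {report[key]}")
```

Against the real OpenSSL you get the same picture with `openssl ciphers -v '<string>'`, whose `Kx=RSA` and `Enc=3DES` columns are what the audit groups here; the resolver above just makes the rules visible without depending on which OpenSSL build happens to be installed.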
3. Other notes
- At the time of writing the current Chrome and Firefox releases both support TLS 1.3, but it has to be switched on by hand. In Chrome, set "Maximum TLS version enabled" in chrome://flags/ to TLS 1.3; in Chrome 62 the flag is named "TLS 1.3" and should be set to Enabled (Draft).
- In Firefox, set security.tls.version.max in about:config to 4 (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3).
- Those flags belong to the draft-era builds. Chrome 70 and Firefox 63 and later ship the final TLS 1.3 (RFC 8446) enabled by default, so a current browser needs no changes; it is the server that should be checked, for example with `openssl s_client -connect host:443 -tls1_3` from an OpenSSL 1.1.1 or later client, which reports the negotiated protocol and fails if the server cannot do TLS 1.3.