feature: enable HTTP2 and set `ssl_protocols`. #595

membphis · 2019-09-26T01:47:45Z

TLS 1.3

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

如果不打算继续支持 IE8，或者一些合规的要求，可以去掉TLSv1。

然后我们再修改对应的加密算法，加入TLS1.3引入的新算法：

ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

如果不打算继续支持 IE8，可以去掉包含 3DES 的 Cipher Suite。

默认情况下 Nginx 因为安全原因，没有开启 TLS 1.3 0-RTT，可以通过添加 ssl_early_data on; 指令开启 0-RTT的支持。

https://segmentfault.com/a/1190000017270510#articleHeader14

The text was updated successfully, but these errors were encountered:

* feature: enabled HTTP2 and supported to set `ssl_protocols`. * bugfix: used default certificate if failed to load certificate by SNI. Fix #595.

membphis added this to the ver 0.9 milestone Sep 26, 2019

membphis mentioned this issue Oct 10, 2019

feature: enabled HTTP2 and supported to set ssl_protocols. #663

Merged

membphis closed this as completed in #663 Oct 10, 2019

membphis added a commit that referenced this issue Oct 10, 2019

feature: enabled HTTP2 and supported to set ssl_protocols. (#663)

0e10fa6

* feature: enabled HTTP2 and supported to set `ssl_protocols`. * bugfix: used default certificate if failed to load certificate by SNI. Fix #595.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feature: enable HTTP2 and set `ssl_protocols`. #595

feature: enable HTTP2 and set `ssl_protocols`. #595

membphis commented Sep 26, 2019

feature: enable HTTP2 and set ssl_protocols. #595

feature: enable HTTP2 and set ssl_protocols. #595

Comments

membphis commented Sep 26, 2019

TLS 1.3

feature: enable HTTP2 and set `ssl_protocols`. #595

feature: enable HTTP2 and set `ssl_protocols`. #595