
Commonly Used OpenSSL Commands

Listing the cipher suites OpenSSL supports, their preference order, and benchmarking them

Querying and benchmarking

# Show the cipher suite preference order this machine uses, for TLS v1.3, v1.2 and v1 in turn
openssl ciphers -s -tls1_3 -v
openssl ciphers -s -tls1_2 -v
openssl ciphers -s -tls1 -v
# Common cipher performance benchmarking commands
# Single-threaded:
openssl speed -aead -evp aes-256-gcm
openssl speed -aead -evp chacha20-poly1305
openssl speed -aead -evp aes-128-gcm
# Multi-threaded (one process per CPU core):
openssl speed -multi $(nproc) -aead -evp aes-256-gcm
openssl speed -multi $(nproc) -aead -evp chacha20-poly1305
openssl speed -multi $(nproc) -aead -evp aes-128-gcm
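A way to turn the `openssl ciphers -v` listing above into a quick audit, as an added example that is not part of the original post: the function below reads the listing on stdin and flags every suite that uses static RSA key exchange (no forward secrecy) or a non-AEAD construction (CBC with a separate MAC, SHA1 called out explicitly). The sample lines are constructed in the column layout `openssl ciphers -v` prints; pipe the real command into `audit_ciphers` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit the suites a system offers.
# Usage: openssl ciphers -s -tls1_2 -v | audit_ciphers

# Constructed sample in the layout `openssl ciphers -v` prints (name, protocol,
# then Kx=, Au=, Enc=, Mac= columns).
SAMPLE_CIPHERS='TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA   Enc=AES(256)               Mac=SHA256
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA   Enc=AES(128)               Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256)            Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(128)               Mac=SHA1'

# audit_ciphers: reads `openssl ciphers -v` lines on stdin and writes
# "NAME<TAB>reason[,reason...]" for every suite with at least one weakness.
# Suites that pass produce no output.
audit_ciphers() {
    awk '
    NF >= 2 {
        name = $1; kx = ""; mac = ""; reasons = ""
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == "Kx") kx = kv[2]
            if (n == 2 && kv[1] == "Mac") mac = kv[2]
        }
        # Static RSA key exchange: a compromised server key exposes recorded sessions.
        if (kx == "RSA") reasons = reasons "no-forward-secrecy,"
        # Anything not AEAD is a CBC suite with a separate MAC.
        if (mac != "AEAD") reasons = reasons "non-AEAD,"
        if (mac == "SHA1") reasons = reasons "sha1-mac,"
        if (reasons != "") {
            sub(/,$/, "", reasons)
            printf "%s\t%s\n", name, reasons
        }
    }'
}

# weak_suite_count: number of flagged suites in the listing read on stdin.
weak_suite_count() {
    audit_ciphers | wc -l | tr -d ' '
}

# Demonstration on the constructed sample (prints four flagged suites).
printf '%s\n' "$SAMPLE_CIPHERS" | audit_ciphers
```

Run against the CipherString configured later on this page, the audit flags the trailing AES256-SHA / AES128-SHA style suites; that tail is the compatibility trade-off the list makes for older clients, and the audit output is a convenient record of exactly which suites are being kept for that reason.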

Changing the cipher priority order

# Show where the OpenSSL configuration directory is
openssl version -a | grep OPENSSLDIR

Edit the openssl.cnf file in that directory and append the following at the end:

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Here Ciphersuites sets the TLS v1.3 order and CipherString sets the TLS v1.2 order. Changing this file does not guarantee the order applies everywhere: in Nginx, for example, the TLS v1.3 order does follow this configuration file, but the TLS v1.2 order is governed by Nginx's own configuration. So if, as in the configuration above, CHACHA20-POLY1305 is to be preferred, the following directives also need to go into the server block of your Nginx configuration:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA;
ssl_prefer_server_ciphers on;
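Because the TLS 1.2 order has to be maintained in two places, it is worth checking that they have not drifted apart. As an added example (not part of the original post), the functions below pull CipherString out of openssl.cnf text and ssl_ciphers plus ssl_prefer_server_ciphers out of an Nginx server block, and report whether the two orders agree. Both excerpts are constructed; in practice feed the real files, e.g. `check_tls12_order "$(cat /etc/ssl/openssl.cnf)" "$(cat /etc/nginx/nginx.conf)"`, where those paths are assumptions about your system.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the TLS 1.2
# order in openssl.cnf (CipherString) and the one Nginx uses (ssl_ciphers).

# Constructed excerpt of an openssl.cnf tail, shortened to three suites.
SAMPLE_OPENSSL_CNF='[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384'

# Constructed Nginx server block whose ssl_ciphers order has drifted (AES-GCM first).
SAMPLE_NGINX_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}'

# cnf_value KEY: print the value of the first "KEY = value" line read on stdin.
cnf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# nginx_value DIRECTIVE: print the argument of the first "DIRECTIVE arg;" line read on stdin.
nginx_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" | head -n 1
}

# check_tls12_order OPENSSL_CNF_TEXT NGINX_CONF_TEXT
# Returns 0 only when both TLS 1.2 orders are identical and Nginx enforces its own order.
check_tls12_order() {
    cnf_order=$(printf '%s\n' "$1" | cnf_value CipherString)
    ngx_order=$(printf '%s\n' "$2" | nginx_value ssl_ciphers)
    prefer=$(printf '%s\n' "$2" | nginx_value ssl_prefer_server_ciphers)
    rc=0
    if [ -n "$cnf_order" ] && [ "$cnf_order" = "$ngx_order" ]; then
        echo "match: nginx ssl_ciphers equals openssl.cnf CipherString"
    else
        echo "drift: openssl.cnf CipherString = $cnf_order"
        echo "       nginx ssl_ciphers        = $ngx_order"
        rc=1
    fi
    # Without this directive the client, not the server, picks among the offered suites.
    if [ "$prefer" != "on" ]; then
        echo "warn: ssl_prefer_server_ciphers is '${prefer:-unset}', so the client order wins"
        rc=1
    fi
    return $rc
}

# Demonstration on the constructed excerpts (reports drift, exit status 1).
check_tls12_order "$SAMPLE_OPENSSL_CNF" "$SAMPLE_NGINX_CONF" || true
```

One thing to verify after editing openssl.cnf: OpenSSL looks up the `openssl_conf` key in the unnamed default section at the top of the file, and many distribution-supplied files already carry one there, in which case point that existing key at the new section rather than adding a second copy at the end.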