nginx 之 TLS1.3配置_nginx tls1.3

配置TLS1.3

环境：

nginx 1.20
openssl 1.1.1l

如果查看openssl支持的ciphers
使用命令openssl ciphers

如何查看openssl支持的所有TLS/SSL版本:
penssl s_client -help 2>&1 | awk '/-(ssl|tls)[0-9]/{print $1}'

配置tls1.3

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; #增加 TLSv1.3
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;

配置ssl_ciphers默认值：

Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
“ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”