proxysu / ProxySU

One-click installer for Xray, V2ray, Trojan, NaiveProxy, Trojan-Go, ShadowsocksR (SSR), Shadowsocks-libev and related plugins, and MTProto+TLS; runs on Windows (one-click censorship circumvention)
GNU General Public License v3.0
5.49k stars 1.52k forks

Suggestion: adjust the cipher suites used in TLS #143

Open Nautilus-Erkkinen opened 3 years ago

Nautilus-Erkkinen commented 3 years ago

To meet the requirement of "Perfect Forward Secrecy", modern TLS deployments should stop using cipher suites that do not support FS (although there are still many servers of this kind). I hope the author will consider this.

After this adjustment, however, devices without AES hardware acceleration may end up using the less efficient AES instead of chacha20. All the devices I use are fairly modern, so this is hard for me to test; I would ask other users who are able to do so to capture packets with Wireshark and test it.

Below are the cipher suites used in the default configuration.

Supported cipher suites

TLS 1.3 (server has no order preference)
    TLS_AES_128_GCM_SHA256 (0x1301) 128 bits FS
    TLS_AES_256_GCM_SHA384 (0x1302) 256 bits FS
    TLS_CHACHA20_POLY1305_SHA256 (0x1303) 256 bits FS

TLS 1.2 (server has no order preference)
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2F) 128 bits
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 bits
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) 128 bits FS
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256 bits FS
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9C) 128 bits
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9D) 256 bits
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128 bits FS
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 bits FS
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA8) 256 bits FS
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xA) 112 bits
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012) 112 bits FS

The result after adjusting the configuration file:

Supported cipher suites

TLS 1.3 (server order preferred)
    TLS_AES_128_GCM_SHA256 (0x1301) 128 bits FS
    TLS_CHACHA20_POLY1305_SHA256 (0x1303) 256 bits FS
    TLS_AES_256_GCM_SHA384 (0x1302) 256 bits FS

TLS 1.2 (server order preferred)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) 128 bits FS
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256 bits FS
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128 bits FS
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 bits FS
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA8) 256 bits FS

The following modification is offered for the author's reference:

```json
  "streamSettings": {
    "network": "tcp",
    "security": "xtls",
    "xtlsSettings": {
      "allowInsecure": false,
      "minVersion": "1.2",
      "preferServerCipherSuites": true,
      "cipherSuites": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "alpn": [
        "http/1.1"
      ],
      "certificates": [
        {
          "certificateFile": "/usr/local/etc/xray/ssl/xray_ssl.crt",
          "keyFile": "/usr/local/etc/xray/ssl/xray_ssl.key"
        }
      ]
    }
  }
}
```
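
Added example, not part of the issue or of ProxySU's own code: a Python audit that classifies cipher suites by forward secrecy and derives the TLS 1.2 part of the proposed list from the default list above. It assumes the colon-separated `cipherSuites` format shown in the proposed config, additionally flags CBC and 3DES suites, and the names `classify`, `audit_config`, `keep_fs` and the sample config are constructed for illustration.

```python
import json

# TLS 1.3 suites name no key exchange: every TLS 1.3 handshake uses ephemeral (EC)DHE.
TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256"}

def classify(suite):
    """Return (forward_secret, findings) for one IANA cipher-suite name."""
    if suite in TLS13:
        return True, []
    findings = []
    fs = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    if not fs:
        findings.append("no ephemeral key exchange (no forward secrecy)")
    if "3DES" in suite:
        findings.append("3DES (112-bit)")
    if "_CBC_" in suite:
        findings.append("CBC mode (not AEAD)")
    return fs, findings

def audit_config(text):
    """Map each suite in streamSettings.xtlsSettings.cipherSuites to its result."""
    tls = json.loads(text)["streamSettings"]["xtlsSettings"]
    names = [s for s in tls.get("cipherSuites", "").split(":") if s]
    return {name: classify(name) for name in names}

def keep_fs(suites):
    """Keep forward-secret, non-3DES suites, preserving the input order."""
    return [s for s in suites if classify(s)[0] and "3DES" not in s]

# TLS 1.2 suites of the default configuration, as listed in the issue.
DEFAULT_TLS12 = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample config: one static-RSA suite left in by mistake.
SAMPLE = json.dumps({"streamSettings": {"xtlsSettings": {"minVersion": "1.2",
    "cipherSuites": "TLS_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:"
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}})

if __name__ == "__main__":
    print(":".join(keep_fs(DEFAULT_TLS12)))
    for name, (fs, findings) in audit_config(SAMPLE).items():
        print("FS   " if fs else "NO-FS", name, "; ".join(findings))
```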

next-autumn commented 3 years ago

Thanks for the security suggestion; this is something I have not looked into yet. I need to read up on it and do some testing.