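To meet the requirement of "perfect forward secrecy (Perfect Forward Security)", modern TLS deployments should stop using cipher suites that do not support FS (although many servers of this kind still exist). I hope the author will consider this.

However, after this adjustment, devices without AES hardware acceleration may end up using the less efficient AES protocol instead of the chacha20 protocol. Since all the devices I use are fairly modern, this is hard for me to test; I ask other users who are able to do so to capture packets with Wireshark and test it.

Below are the cipher suites used by the default configuration: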
Supported cipher suites

TLS 1.3 (server has no order preference)

| Cipher suite | ID | Strength | FS |
| --- | --- | --- | --- |
| TLS_AES_128_GCM_SHA256 | 0x1301 | 128 bits | FS |
| TLS_AES_256_GCM_SHA384 | 0x1302 | 256 bits | FS |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | 256 bits | FS |

TLS 1.2 (server has no order preference)

| Cipher suite | ID | Strength | FS |
| --- | --- | --- | --- |
| TLS_RSA_WITH_AES_128_CBC_SHA | 0x2F | 128 bits | |
| TLS_RSA_WITH_AES_256_CBC_SHA | 0x35 | 256 bits | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xC013 | 128 bits | FS |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xC014 | 256 bits | FS |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 0x9C | 128 bits | |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 0x9D | 256 bits | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC02F | 128 bits | FS |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC030 | 256 bits | FS |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCCA8 | 256 bits | FS |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0xA | 112 bits | |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 0xC012 | 112 bits | FS |
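Result after adjusting the configuration file:

Supported cipher suites

TLS 1.3 (server order preferred)

| Cipher suite | ID | Strength | FS |
| --- | --- | --- | --- |
| TLS_AES_128_GCM_SHA256 | 0x1301 | 128 bits | FS |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | 256 bits | FS |
| TLS_AES_256_GCM_SHA384 | 0x1302 | 256 bits | FS |

TLS 1.2 (server order preferred)

| Cipher suite | ID | Strength | FS |
| --- | --- | --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xC013 | 128 bits | FS |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xC014 | 256 bits | FS |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC02F | 128 bits | FS |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC030 | 256 bits | FS |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xCCA8 | 256 bits | FS |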
The following modification is offered for the author's reference:

```json
{
  "streamSettings": {
    "network": "tcp",
    "security": "xtls",
    "xtlsSettings": {
      "allowInsecure": false,
      "minVersion": "1.2",
      "preferServerCipherSuites": true,
      "cipherSuites": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "alpn": [
        "http/1.1"
      ],
      "certificates": [
        {
          "certificateFile": "/usr/local/etc/xray/ssl/xray_ssl.crt",
          "keyFile": "/usr/local/etc/xray/ssl/xray_ssl.key"
        }
      ]
    }
  }
}
```
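A way to check a `cipherSuites` value before deploying it, as an added example that is not part of the original issue or of the project's code: this Go program splits the colon-separated list, flags suites without forward secrecy, and flags names that Go's `crypto/tls` does not recognise. The constant and function names are hypothetical, the two lists are copied from the issue, and classifying by IANA name prefix is an assumption of this sketch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Suite lists copied from the issue: the default set and the proposed "cipherSuites" value.
const defaultSuites = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_RSA_WITH_3DES_EDE_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
const proposedSuites = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

// forwardSecret classifies a suite by its IANA name (assumption of this example):
// TLS 1.3 names carry no "_WITH_" and always use an ephemeral key exchange;
// TLS 1.2 names must start with ECDHE or DHE to provide forward secrecy.
func forwardSecret(name string) bool {
	if !strings.Contains(name, "_WITH_") {
		return true
	}
	return strings.HasPrefix(name, "TLS_ECDHE_") || strings.HasPrefix(name, "TLS_DHE_")
}

// audit returns the suites in a colon-separated list that lack forward secrecy,
// and the names crypto/tls does not know (typos or unsupported suites).
func audit(list string) (noFS, unknown []string) {
	known := map[string]bool{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[cs.Name] = true
	}
	for _, name := range strings.Split(list, ":") {
		name = strings.TrimSpace(name)
		switch {
		case name == "":
			continue // tolerate a trailing or doubled separator
		case !known[name]:
			unknown = append(unknown, name)
		case !forwardSecret(name):
			noFS = append(noFS, name)
		}
	}
	return noFS, unknown
}

func main() {
	for _, c := range [][2]string{{"default", defaultSuites}, {"proposed", proposedSuites}} {
		noFS, unknown := audit(c[1])
		fmt.Printf("%s: without FS %v, unknown %v\n", c[0], noFS, unknown)
	}
}
```
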
Thanks for the security suggestion; I haven't looked into this kind of thing yet. I need to read up on it and do some testing.