Under JDK 1.8, the default protocols and cipher suites of the SSLContext (TLS) are as follows:
```
[DEBUG]2019-07-24 21:44:12.400@ExecutorThread-4 io.netty.handler.ssl.JdkSslContext[95] - Default protocols (JDK): [TLSv1.2, TLSv1.1, TLSv1]
[DEBUG]2019-07-24 21:44:12.400@ExecutorThread-4 io.netty.handler.ssl.JdkSslContext[96] - Default cipher suites (JDK): [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
```
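Reference 1 states that some of the JDK's cipher suites perform worse than the OpenSSL implementations; I have not tested this. Its code for specifying the SslProvider and the cipher suites is roughly as follows: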
```java
// ssc is assumed here to be an io.netty.handler.ssl.util.SelfSignedCertificate
// Typical form
SslContext sslContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
        .sslProvider(SslProvider.OPENSSL).build();

// If you do not want GCM enabled, copy DEFAULT_CIPHERS out of ReferenceCountedOpenSslContext and delete the two GCM entries
List<String> ciphers = Lists.newArrayList("ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA");
SslContext sslContextNoGcm = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
        .sslProvider(SslProvider.OPENSSL).ciphers(ciphers).build();
```
As one can imagine, SSL/TLS handshakes may indeed run into compatibility problems across platforms.
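An added example (not from the original post, the referenced article, or Netty): a plain-JDK check of which suites from the no-GCM OpenSSL list a JDK peer could actually negotiate. The class name `CipherOverlap`, the helper `shared`, and the hand-written OpenSSL-to-JSSE name map are assumptions for illustration; the first peer list is copied from the debug log on this page.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherOverlap {
    // OpenSSL name -> JSSE name for the five suites in the page's no-GCM list (hand-written map).
    static final Map<String, String> OPENSSL_TO_JSSE = new LinkedHashMap<>();
    static {
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
        OPENSSL_TO_JSSE.put("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");
        OPENSSL_TO_JSSE.put("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA");
        // JSSE in JDK 8 names the 3DES suite with an SSL_ prefix.
        OPENSSL_TO_JSSE.put("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    }

    // Suites both sides enable, in the server's order; an empty result means the handshake fails.
    static List<String> shared(Collection<String> opensslNames, Collection<String> peerEnabled) {
        List<String> out = new ArrayList<>();
        for (String name : opensslNames) {
            String jsse = OPENSSL_TO_JSSE.get(name);
            if (jsse != null && peerEnabled.contains(jsse)) out.add(jsse);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Peer 1: the JDK 1.8 default list exactly as printed in the debug log.
        List<String> logged = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA");
        // Peer 2: whatever this JVM enables by default (depends on JDK version and java.security).
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> local = Arrays.asList(p.getCipherSuites());

        Set<String> server = OPENSSL_TO_JSSE.keySet();
        System.out.println("Shared with logged JDK 1.8 list: " + shared(server, logged));
        System.out.println("Shared with this JVM:            " + shared(server, local));
        System.out.println("This JVM's default protocols:    " + Arrays.toString(p.getProtocols()));
    }
}
```

Running it on each platform involved shows where the overlap narrows: against the logged list only the four AES-CBC suites remain, since the 3DES suite does not appear in that log.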
References:
1. https://www.cnblogs.com/wade-luffy/p/6019743.html
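Please retain the source when reposting; unlawful reposting will be pursued to the end: 进城务工人员小梅 » Performance of Netty SSLContext providers and the default SSLContext protocols and cipher suites under JDK 1.8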