功能介绍
加密套件是用于在SSL/TLS握手期间协商安全设置的算法的组合。在Client Hello和Server Hello消息交换之后,客户端发送密码支持套件列表,服务器从列表中选择密码套件进行响应。
天翼云CDN加速在域名配置完HTTPS证书后,可选择加密套件类型:全部加密套件、强加密套件、自定义加密套件。
选择全部加密套件后,默认支持的加密套件及对应套件支持的最低版本的SSL/TLS协议如下:
| 加密算法 | 最低版本的SSL/TLS协议 |
|---|---|
| TLS_AES_256_GCM_SHA384 | TLSv1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| DHE-DSS-AES256-GCM-SHA384 | TLSv1.2 |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 |
| DHE-RSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM | TLSv1.2 |
| DHE-RSA-AES256-CCM8 | TLSv1.2 |
| DHE-RSA-AES256-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ARIA256-GCM-SHA384 | TLSv1.2 |
| DHE-DSS-ARIA256-GCM-SHA384 | TLSv1.2 |
| DHE-RSA-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| DHE-DSS-AES128-GCM-SHA256 | TLSv1.2 |
| DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM | TLSv1.2 |
| DHE-RSA-AES128-CCM8 | TLSv1.2 |
| DHE-RSA-AES128-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ARIA128-GCM-SHA256 | TLSv1.2 |
| DHE-DSS-ARIA128-GCM-SHA256 | TLSv1.2 |
| DHE-RSA-ARIA128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 |
| DHE-RSA-AES256-SHA256 | TLSv1.2 |
| DHE-DSS-AES256-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-CAMELLIA256-SHA384 | TLSv1.2 |
| ECDHE-RSA-CAMELLIA256-SHA384 | TLSv1.2 |
| DHE-RSA-CAMELLIA256-SHA256 | TLSv1.2 |
| DHE-DSS-CAMELLIA256-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 |
| DHE-RSA-AES128-SHA256 | TLSv1.2 |
| DHE-DSS-AES128-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-CAMELLIA128-SHA256 | TLSv1.2 |
| ECDHE-RSA-CAMELLIA128-SHA256 | TLSv1.2 |
| DHE-RSA-CAMELLIA128-SHA256 | TLSv1.2 |
| DHE-DSS-CAMELLIA128-SHA256 | TLSv1.2 |
| RSA-PSK-AES256-GCM-SHA384 | TLSv1.2 |
| DHE-PSK-AES256-GCM-SHA384 | TLSv1.2 |
| RSA-PSK-CHACHA20-POLY1305 | TLSv1.2 |
| DHE-PSK-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-PSK-CHACHA20-POLY1305 | TLSv1.2 |
| DHE-PSK-AES256-CCM8 | TLSv1.2 |
| DHE-PSK-AES256-CCM | TLSv1.2 |
| RSA-PSK-ARIA256-GCM-SHA384 | TLSv1.2 |
| DHE-PSK-ARIA256-GCM-SHA384 | TLSv1.2 |
| AES256-GCM-SHA384 | TLSv1.2 |
| AES256-CCM8 | TLSv1.2 |
| AES256-CCM | TLSv1.2 |
| ARIA256-GCM-SHA384 | TLSv1.2 |
| PSK-AES256-GCM-SHA384 | TLSv1.2 |
| PSK-CHACHA20-POLY1305 | TLSv1.2 |
| PSK-AES256-CCM8 | TLSv1.2 |
| PSK-AES256-CCM | TLSv1.2 |
| PSK-ARIA256-GCM-SHA384 | TLSv1.2 |
| RSA-PSK-AES128-GCM-SHA256 | TLSv1.2 |
| DHE-PSK-AES128-GCM-SHA256 | TLSv1.2 |
| DHE-PSK-AES128-CCM8 | TLSv1.2 |
| DHE-PSK-AES128-CCM | TLSv1.2 |
| RSA-PSK-ARIA128-GCM-SHA256 | TLSv1.2 |
| DHE-PSK-ARIA128-GCM-SHA256 | TLSv1.2 |
| AES128-GCM-SHA256 | TLSv1.2 |
| AES128-CCM8 | TLSv1.2 |
| AES128-CCM | TLSv1.2 |
| ARIA128-GCM-SHA256 | TLSv1.2 |
| PSK-AES128-GCM-SHA256 | TLSv1.2 |
| PSK-AES128-CCM8 | TLSv1.2 |
| PSK-AES128-CCM | TLSv1.2 |
| PSK-ARIA128-GCM-SHA256 | TLSv1.2 |
| AES256-SHA256 | TLSv1.2 |
| CAMELLIA256-SHA256 | TLSv1.2 |
| AES128-SHA256 | TLSv1.2 |
| CAMELLIA128-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES256-SHA | TLSv1 |
| ECDHE-RSA-AES256-SHA | TLSv1 |
| ECDHE-ECDSA-AES128-SHA | TLSv1 |
| ECDHE-RSA-AES128-SHA | TLSv1 |
| ECDHE-PSK-AES256-CBC-SHA384 | TLSv1 |
| ECDHE-PSK-AES256-CBC-SHA | TLSv1 |
| RSA-PSK-AES256-CBC-SHA384 | TLSv1 |
| DHE-PSK-AES256-CBC-SHA384 | TLSv1 |
| ECDHE-PSK-CAMELLIA256-SHA384 | TLSv1 |
| RSA-PSK-CAMELLIA256-SHA384 | TLSv1 |
| DHE-PSK-CAMELLIA256-SHA384 | TLSv1 |
| PSK-AES256-CBC-SHA384 | TLSv1 |
| PSK-CAMELLIA256-SHA384 | TLSv1 |
| ECDHE-PSK-AES128-CBC-SHA256 | TLSv1 |
| ECDHE-PSK-AES128-CBC-SHA | TLSv1 |
| RSA-PSK-AES128-CBC-SHA256 | TLSv1 |
| DHE-PSK-AES128-CBC-SHA256 | TLSv1 |
| ECDHE-PSK-CAMELLIA128-SHA256 | TLSv1 |
| RSA-PSK-CAMELLIA128-SHA256 | TLSv1 |
| DHE-PSK-CAMELLIA128-SHA256 | TLSv1 |
| PSK-AES128-CBC-SHA256 | TLSv1 |
| PSK-CAMELLIA128-SHA256 | TLSv1 |
| DHE-RSA-AES256-SHA | SSLv3 |
| DHE-DSS-AES256-SHA | SSLv3 |
| DHE-RSA-CAMELLIA256-SHA | SSLv3 |
| DHE-DSS-CAMELLIA256-SHA | SSLv3 |
| DHE-RSA-AES128-SHA | SSLv3 |
| DHE-DSS-AES128-SHA | SSLv3 |
| DHE-RSA-CAMELLIA128-SHA | SSLv3 |
| DHE-DSS-CAMELLIA128-SHA | SSLv3 |
| SRP-DSS-AES-256-CBC-SHA | SSLv3 |
| SRP-RSA-AES-256-CBC-SHA | SSLv3 |
| SRP-AES-256-CBC-SHA | SSLv3 |
| RSA-PSK-AES256-CBC-SHA | SSLv3 |
| DHE-PSK-AES256-CBC-SHA | SSLv3 |
| AES256-SHA | SSLv3 |
| CAMELLIA256-SHA | SSLv3 |
| PSK-AES256-CBC-SHA | SSLv3 |
| SRP-DSS-AES-128-CBC-SHA | SSLv3 |
| SRP-RSA-AES-128-CBC-SHA | SSLv3 |
| SRP-AES-128-CBC-SHA | SSLv3 |
| RSA-PSK-AES128-CBC-SHA | SSLv3 |
| DHE-PSK-AES128-CBC-SHA | SSLv3 |
| AES128-SHA | SSLv3 |
| CAMELLIA128-SHA | SSLv3 |
| PSK-AES128-CBC-SHA | SSLv3 |
选择强加密套件后,默认支持的加密套件及对应套件支持的最低版本的SSL/TLS协议如下:
| 加密算法 | 最低版本的SSL/TLS协议 |
|---|---|
| TLS_AES_256_GCM_SHA384 | TLSv1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ARIA128-GCM-SHA256 | TLSv1.2 |
选择自定义加密套件后,可从如下列表中自定义选择1个或多个加密套件:
| 加密算法 | 最低版本的SSL/TLS协议 |
|---|---|
| TLS_AES_256_GCM_SHA384 | TLSv1.3 |
| TLS_CHACHA20_POLY1305_SHA256 | TLSv1.3 |
| TLS_AES_128_GCM_SHA256 | TLSv1.3 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-RSA-CHACHA20-POLY1305 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES256-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ARIA256-GCM-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM8 | TLSv1.2 |
| ECDHE-ECDSA-AES128-CCM | TLSv1.2 |
| ECDHE-ECDSA-ARIA128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ARIA128-GCM-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-CAMELLIA256-SHA384 | TLSv1.2 |
| ECDHE-RSA-CAMELLIA256-SHA384 | TLSv1.2 |
| ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 |
| ECDHE-ECDSA-CAMELLIA128-SHA256 | TLSv1.2 |
| ECDHE-RSA-CAMELLIA128-SHA256 | TLSv1.2 |
| AES256-GCM-SHA384 | TLSv1.2 |
| AES256-CCM8 | TLSv1.2 |
| AES256-CCM | TLSv1.2 |
| ARIA256-GCM-SHA384 | TLSv1.2 |
| AES128-GCM-SHA256 | TLSv1.2 |
| AES128-CCM8 | TLSv1.2 |
| AES128-CCM | TLSv1.2 |
| ARIA128-GCM-SHA256 | TLSv1.2 |
| AES256-SHA256 | TLSv1.2 |
| CAMELLIA256-SHA256 | TLSv1.2 |
| AES128-SHA256 | TLSv1.2 |
| CAMELLIA128-SHA256 | TLSv1.2 |
注意事项
配置加密套件前,请确保已成功配置HTTPS证书,操作方法详情请见:新增证书。
TLS版本默认开启 TLS v1.0、TLS v1.1、TLS v1.2、TLS v1.3。
配置说明
登录CDN控制台。
单击左侧导航栏【域名管理】-【域名列表】。
在【域名列表】页面,找到目标域名,单击【操作】列的【编辑】。
单击右侧【请求协议】。
在【请求协议】模块,勾选【HTTPS】。
单击右侧【HTTPS配置】。
在【证书】模块,选择域名对应的证书。如果已经在证书管理上传证书,可直接选择对应域名证书。如果还未上传证书,可单击【点击上传】,添加自有证书。添加完毕后,再选择对应证书。
在【加密套件】模块,根据需求选择加密套件。
