支持ATS和微信小程序的前提条件 (对SSL品牌无要求,仅仅是服务器web版本和配置需要设置):
- 服务器支持 TLSv 1.2 协议
- PFS(完全正向保密)ECDHE
要支持TLS1.2 和 PFS 需要服务器操作系统支持
WIN 2008 R2 IIS 7 以上版本
CentOS 6+ OpenSSL 1.0.1c+
Apache 2.4 +
Nginx 1.0.6+
JDK1.7
tomcat7.0.56+
连接必须使用 AES-128 或者 AES-256 加密,并且支持PFS(完全正向保密)ECDHE , Apple 推荐以下加密套件:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Apache 设置方法(必须满足上面服务器版本要求):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off SSLSessionTickets Off
Nginx 设置方法(必须满足上面服务器版本要求):
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_session_cache shared:SSL:10m; ssl_session_tickets off;
Lighttpd设置方法(openssl 必须符合要求)
ssl.honor-cipher-order = "enable" ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" ssl.use-compression = "disable" ssl.use-sslv2 = "disable" ssl.use-sslv3 = "disable"
Apple 官方文档
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html
Was this helpful?
0 / 0