{"id":378,"date":"2013-07-11T02:24:36","date_gmt":"2013-07-11T02:24:36","guid":{"rendered":"http:\/\/www.selinuxplus.com\/?p=378"},"modified":"2013-07-11T02:30:04","modified_gmt":"2013-07-11T02:30:04","slug":"linux%e7%b3%bb%e7%bb%9f%e5%ae%89%e5%85%a8_pfsecdh","status":"publish","type":"post","link":"http:\/\/www.selinuxplus.com\/?p=378","title":{"rendered":"Linux\u7cfb\u7edf\u5b89\u5168_PFS\/ECDH"},"content":{"rendered":"

\u6570\u767e\u4e07\u7f51\u7ad9\u548c\u6570\u5341\u4ebf\u7f51\u6c11\u90fd\u4f9d\u9760SSL\u4fdd\u62a4\u654f\u611f\u6570\u636e\u5982\u5bc6\u7801\u3001\u4fe1\u7528\u5361\u53f7\u7801\u548c\u4e2a\u4eba\u4fe1\u606f\u7684\u4f20\u8f93\u3002\u4f46\u6700\u8fd1\u6cc4\u6f0f\u7684\u673a\u5bc6\u6587\u6863\u663e\u793a\uff0c\u7f8e\u56fd\u56fd\u5bb6\u5b89\u5168\u5c40\u4f1a\u8bb0\u5f55\u5927\u91cf\u4e92\u8054\u7f51\u6d41\u91cf\uff0c\u50a8\u5b58\u52a0\u5bc6\u6570\u636e\u4ee5\u7528\u4e8e\u4ee5\u540e\u7684\u5bc6\u7801\u5206\u6790\u3002\u7f8e\u56fd\u5f53\u7136\u5e76\u4e0d\u662f\u552f\u4e00\u4e00\u4e2a\u8fd9\u4e48\u505a\u7684\u56fd\u5bb6\uff0c\u6c99\u7279\u3001\u4e2d\u56fd\u548c\u4f0a\u6717\u90fd\u662f\u5982\u6b64\u3002\u4fdd\u7559\u7684\u52a0\u5bc6\u6570\u636e\u53ef\u4ee5\u901a\u8fc7\u5404\u79cd\u65b9\u6cd5\u89e3\u5bc6\uff0c\u4f8b\u5982\u6cd5\u5ead\u547d\u4ee4\uff0c\u793e\u4f1a\u5de5\u7a0b\uff0c\u7f51\u7ad9\u653b\u51fb\uff0c\u4e43\u81f3\u5bc6\u7801\u5206\u6790\u3002\u5982\u679c\u5f97\u5230\u4e86\u5bc6\u94a5\uff0c\u6240\u6709\u76f8\u5173\u7f51\u7ad9\u7684\u5386\u53f2\u6d41\u91cf\u53ef\u4ee5\u4e00\u6b21\u6027\u89e3\u5bc6\u3002\u8fd9\u5c31\u50cf\u6253\u5f00\u4e86\u6f58\u591a\u62c9\u7684\u76d2\u5b50\u3002\u7136\u800c\uff0c\u4e92\u8054\u7f51\u5b9e\u9645\u4e0a\u5b58\u5728\u5e94\u5bf9\u4e4b\u7b56\u2014\u2014\u5bc6\u94a5\u534f\u5546\u534f\u8baePerfect Forward Secrecy(PFS)\uff0c\u5982\u679cSSL\u7f51\u7ad9\u7684\u79c1\u94a5\u6cc4\u6f0f\uff0cPFS\u53ef\u4ee5\u4fdd\u62a4\u4ee5\u524d\u7684\u52a0\u5bc6\u6d41\u91cf\u4e0d\u4f1a\u56e0\u6b64\u53d7\u5230\u5f71\u54cd\uff0c\u56e0\u4e3aPFS\u53ef\u4ee5\u4e3a\u6bcf\u6b21\u4f1a\u8bdd\u5206\u914d\u4e0d\u540c\u5bc6\u94a5\u52a0\u5bc6\u901a\u4fe1\u3002PFS\u9700\u8981\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u548c\u670d\u52a1\u5668\u7aef\u540c\u65f6\u652f\u6301\u624d\u9002\u7528\u3002–solidot.org<\/p>\n

\u4f46\u95ee\u9898\u4e5f\u4e0d\u6b62\u5982\u6b64\uff0c\u5f53HTTPS\u7684\u7f51\u7ad9\u7684\u79c1\u94a5\u88ab\u653b\u7834\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u4fbf\u53ef\u4ee5\u5f88\u5bb9\u6613\u7684\u5236\u9020\u51fa\u4e86\u4e2d\u95f4\u4eba\u653b\u51fb\u3002 \u8fd9\u4fbf\u9700\u8981\u4e00\u79cd\u5411\u524d\u7684\u4fdd\u5bc6\u534f\u8bae\u3002<\/p>\n

\u8be5\u534f\u8bae\u8981\u6c42\uff0c\u4eca\u5929\u7684\u79d8\u5bc6\u5373\u4f7f\u5728\u5c06\u6765\u7684\u5bc6\u94a5\u88ab\u6cc4\u9732\uff0c\u800c\u79d8\u5bc6\u4e5f\u662f\u4e0d\u88ab\u6cc4\u9732\u7684\u3002\u8981\u7406\u89e3\u8fd9\u4e2a\u534f\u8bae\uff0c\u6211\u4eec\u9996\u5148\u53ef\u4ee5\u4ece\u7ecf\u5178\u7684TLS\u4e09\u6b21\u63e1\u624bAES128-SHA\u52a0\u5bc6\u5957\u4ef6\u5f00\u59cb\uff0c\u5728\u63e1\u624b\u671f\u95f4\uff0c\u670d\u52a1\u5668\u51fa\u793a\u8bc1\u4e66\uff0c\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u540c\u610f\u4e3b\u5bc6\u94a5\u3002<\/p>\n

\"\"<\/a><\/p>\n

\u8fd9\u4e2a\u8fc7\u7a0b\u662f\u5efa\u7acb\u572848\u4e2a\u5b57\u8282\u7684\u9884\u7f6e\u5bc6\u7801\uff0c\u662f\u7531\u5ba2\u6237\u7aef\u4f7f\u7528\u670d\u52a1\u5668\u516c\u5f00\u7684\u5bc6\u94a5\u8fdb\u884c\u751f\u6210\u548c\u52a0\u5bc6\u3002\u7136\u540e\u5728\u4e09\u6b21\u63e1\u624b\u7684\u8fc7\u7a0b\u4e2d\uff0c\u5ba2\u6237\u7aef\u5c06\u5bc6\u94a5\u4fe1\u606f\u4ea4\u6362\u53d1\u9001\u7ed9\u670d\u52a1\u5668\u3002\u4e3b\u5bc6\u94a5\u6765\u81ea\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u8fdb\u884chello\u4f1a\u8bdd\u7684\u516c\u94a5\u4e0e\u968f\u673a\u503c\u3002\u8fd9\u4e2a\u65b9\u6848\u662f\u5b89\u5168\uff0c\u53ea\u8981\u670d\u52a1\u5668\u80fd\u591f\u5bf9\u9884\u7f6e\u7684\u5bc6\u7801\u89e3\u5bc6\uff08\u81ea\u5df1\u7684\u79c1\u94a5\uff09\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u6570\u636e\u3002\u5047\u8bbe\uff0c\u653b\u51fb\u8005\u8bb0\u5f55\u8be5\u670d\u52a1\u56681\u5e74\u5185\u7684\u6240\u6709\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u4e4b\u95f4\u7684\u4ea4\u6d41\u6570\u636e\u30022\u5e74\u540e\uff0c\u670d\u52a1\u5668\u9000\u5f79\uff0c\u5e76\u9001\u5f80\u5faa\u73af\u518d\u9020\uff0c\u653b\u51fb\u8005\u662f\u80fd\u591f\u6062\u590d\u51fa\u78c1\u76d8\u9a71\u52a8\u5668\u7684\u79c1\u94a5\u3002\u6839\u636e\u8fd9\u4e2a\u79c1\u94a5\uff0c\u4fbf\u53ef\u4ee5\u5bf9\u4f1a\u8bdd\u8fdb\u884c\u89e3\u5bc6\u3002\u653b\u51fb\u8005\u4f9d\u7136\u53ef\u4ee5\u6062\u590d\u5bc6\u7801\u548c\u5176\u4ed6\u654f\u611f\u4fe1\u606f\u3002<\/p>\n

\u73b0\u5728\u4e3b\u8981\u7684\u95ee\u9898\u4e00\u4e2a\u4e8b\u5b9e\uff0c\u79c1\u94a5\u88ab\u7528\u4e8e2\u4e2a\u76ee\u7684\uff0c\u8ba4\u8bc1\u670d\u52a1\u5668\u52a0\u5bc6\u670d\u52a1\u5171\u4eab\u540c\u4e00\u4e2a\u5bc6\u94a5\u3002\u8ba4\u8bc1\u53ea\u662f\u5728\u5efa\u7acb\u901a\u4fe1\u65f6\uff0c\u800c\u52a0\u5bc6\u5219\u6301\u7eed\u6570\u5e74\u4e4b\u4e45\u3002<\/p>\n

\u4e3a\u4e86\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u7684\u65b9\u6cd5\u4e4b\u4e00\u4fbf\u662f\u4fdd\u6301\u4f7f\u7528\u79c1\u94a5\u8fdb\u884c\u9a8c\u8bc1\uff0c\u4f46\u662f\u8981\u4f7f\u7528\u4e00\u4e2a\u5171\u4eab\u5bc6\u94a5\u7684\u72ec\u7acb\u673a\u5236\u3002Diffie-Hellam\u5bc6\u94a5\u4ea4\u6362\u534f\u8bae\uff0c\u5728TLS\u662f\u5982\u4f55\u5de5\u4f5c\u7684\u5462\uff0c\u670d\u52a1\u5668\u53ea\u9700\u8981\u751f\u62101\u6b21\uff1a<\/p>\n

1 P\uff0c\u662f\u4e00\u4e2a\u5f88\u5927\u7684\u7d20\u6570,<\/p>\n

2 g\uff0c\u662f\u4e00\u4e2a\u539f\u6839primitive root\uff08\u5b83\u80fd\u751f\u4ea71~P-1\u6240\u6709\u6570\u7684\u4e00\u4e2a\u6570\uff09<\/p>\n

3 \u73b0\u8bbeg\u4e3ap\u7684\u539f\u59cb\u6839\uff0c\u5219\uff1a g mod p\uff0cg^2 mod p,\u2026g^p-1 mod p;\u4e24\u4e24\u4e92\u4e0d\u76f8\u540c\uff0c\u6784\u6210\u4e00\u4e2a1~p-1\u7684\u5168\u4f53\u6570\u7684\u4e00\u4e2a\u6392\u5217\u3002<\/p>\n

4 \u5bf9\u4e8e\u4efb\u610f\u6570b\u4ee5\u53ca\u7d20\u6570p\u7684\u539f\u59cb\u6839g\uff0c\u53ef\u4ee5\u627e\u5230\u4e00\u4e2a\u552f\u4e00\u7684\u6307\u6570i\uff0c\u6ee1\u8db3b = g^I mod p,0C=i<=p-1,\u5219\u79f0\u6307\u6570i\u4e3a\u4ee5g\u4e3a\u5e95\uff0c\u6a21p\u7684b\u7684\u79bb\u6563\u5bf9\u6570\u3002<\/p>\n

\u7b97\u6cd5\u63cf\u8ff0\u4e3a\uff1a<\/p>\n

\u5047\u5982A\u548cB\u5728\u4e0d\u5b89\u5168\u7684\u7f51\u7edc\u4e0a\u8fdb\u884c\u534f\u5546\u5171\u540c\u7684\u5bc6\u7801\uff1a<\/p>\n

1\u3000\uff21\u548c\uff22\u9884\u5148\u9009\u62e9\u4e00\u4e2a\u5927\u7d20\u6570\uff30\u548c\u4e00\u4e2a\u539f\u59cb\u6839g\uff1b\r\n\r\n2\u00a0\u00a0\u00a0A\u968f\u673a\u9009\u62e9\u4e00\u4e2a\u968f\u673a\u6570Xa\uff0cXa&lt;p,\u8ba1\u7b97 Ya = g^Xa mod p ,\u7136\u540e\u628aYa\u53d1\u9001\u7ed9B\u3002\r\n\r\n3\u00a0\u00a0\u00a0B\u968f\u673a\u9009\u62e9\u4e00\u4e2a\u968f\u673a\u4e66Xb\uff0cXb&lt;p,\u8ba1\u7b97 Yb = g^Xb mod p,\u7136\u540e\u628aYb\u53d1\u9001\u7ed9A\u3002\r\n\r\n4 \u00a0\u00a0\u6bcf\u4e00\u65b9\u4fdd\u5b58X\u503c\uff0c\u628aY\u503c\u4ea4\u7ed9\u5bf9\u65b9\u3002\r\n\r\n5\u00a0\u00a0\u00a0A \u7528\u6237\u8ba1\u7b97\u51fak = Yb^Xa mod p;\r\n\r\n6\u00a0\u00a0\u00a0B \u7528\u6237\u8ba1\u7b97\u51fa k\u2019 = Ya^Xb mod p;<\/pre>\n
k = Yb^Xa mod p =(g^Xb)^Xa mod p = (g^Xa)^Xb mod p = Ya^Xb mod p = k\u2019;<\/pre>\n
\u56e0\u4e3a\u4e0d\u5b89\u5168\u7684\u7ebf\u8def\u4e0a\uff0c\u7a83\u542c\u8005\u53ea\u80fd\u5f97\u5230a\uff0cp\uff0cX\uff0cY\uff0c\u9664\u975e\u80fd\u591f\u8ba1\u7b97\u79bb\u6563\u5bf9\u6570x\u548cy\uff0c\u5426\u5219\u5c06\u65e0\u6cd5\u5f97\u5230\u5bc6\u94a5k\uff0c\u56e0\u4e3ak\u662fA\u548cB\u72ec\u7acb\u8ba1\u7b97\u51fa\u7684\u5bc6\u94a5\u3002\u6709Xa\uff0cXb\u8ba1\u7b97\u51faYa\uff0cYb\u5bb9\u6613\uff0c\u4f46\u53cd\u8fc7\u6765\u7531Ya\uff0cYb\u8ba1\u7b97\u51faXa\uff0cXb\u5f88\u96be\u3002\u5b89\u5168\u6027\u4e0a\u57fa\u4e8e\u6c42\u6709\u9650\u57df\u4e0a\u6c42\u79bb\u6563\u5bf9\u6570\u7684\u96be\u5ea6\u3002<\/p>\n
\u4f46DH\u7b97\u6cd5\u5374\u5bb9\u6613\u906d\u4e2d\u95f4\u4eba\u653b\u51fb\u3002<\/p>\n
\"\"<\/a><\/p>\n
\u4e3a\u4e86\u907f\u514d\u4e2d\u95f4\u4eba\u7684\u653b\u51fb\uff0c\u6784\u9020\u51fa\u4e86\u57fa\u4e8e\u6709\u9650\u57df\u4e0a\u692d\u5706\u66f2\u7ebf\u4e4b\u95f4\u7684\u540c\u6e90\u8ba1\u7b97\u95ee\u9898\u6784\u9020\u7ec6\u817b\u7684\u516c\u94a5\u5bc6\u7801\u7cfb\u7edf\u3002<\/p>\n
\u5047\u8bbey^2 = X^3 + ax +b,\u7d20\u6570p\u548c\u539f\u59cb\u6839g\uff0c\u8fd9\u4e9b\u53c2\u6570\u90fd\u662f\u516c\u5f00\u7684\uff0c\u4e8b\u5b9e\u4e0a\uff0c\u5b83\u53ef\u4ee5\u6709\u670d\u52a1\u5668\u751f\u6210\u3002<\/p>\n
\u5229\u7528\u692d\u5706\u66f2\u7ebf\u662f\u5728RFC-4492\u4e2dTLS\u5ef6\u4f38\u7684\u90e8\u5206\u63cf\u8ff0\u7684\u3002\u4e0e\u7ecf\u5178\u7684DH\u4ea4\u6362\u5bc6\u94a5\u7684\u65b9\u6cd5\u4e0d\u540c\uff0c\u5728\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7aef\u9700\u8981\u540c\u610f\u5404\u53c2\u6570\u3002\u5b8c\u6210\u672c\u534f\u8bae\u662f\u5728\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u53d1\u9001hello\u7684\u6d88\u606f\u5185\uff0c\u867d\u7136\u53ef\u4ee5\u5b9a\u4e49\u4efb\u610f\u4e00\u4e2a\u53c2\u6570\uff0cWEB\u6d4f\u89c8\u5668\u5c06\u53ea\u652f\u6301\u5c11\u6570\u7684\u9884\u5b9a\u4e49\u7684\u66f2\u7ebf\uff0c\u901a\u5e38\u4e3aNIST P-256,P-384,P-521.<\/p>\n
\u4e0b\u9762\u7b80\u8981\u8bf4\u4e00\u4e0b\uff0cDH\u7684\u5bc6\u94a5\u4ea4\u6362\u692d\u5706\u66f2\u7ebf\uff1a<\/p>\n
1 \u670d\u52a1\u5668\u968f\u673a\u9009\u62e9\u4e00\u4e2a\u6574\u6570a\uff0c\u548c\u8ba1\u7b97\u4e00\u4e2aag\uff0c\u672a\u52a0\u5bc6\uff0c\u4f46\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u8fdb\u884c\u7b7e\u540d\uff0c\u5728\u670d\u52a1\u5668\u4ea4\u6362\u6d88\u606f\u7684\u65f6\u5019\uff0c\u53d1\u9001\u51fa\u53bb\u3002\r\n\r\n2 \u5ba2\u6237\u7aef\u68c0\u6d4b\u7b7e\u540d\u662f\u5426\u6b63\u786e\uff0c\u7136\u540e\uff0c\u968f\u673a\u9009\u62e9\u4e00\u4e2a\u6574\u6570b\uff0c\u8ba1\u7b97\u51fabg\uff0c\u5229\u7528\u5ba2\u6237\u7aef\u5bc6\u94a5\u8fdb\u884c\u6d88\u606f\u4ea4\u6362\u3002\u5ba2\u6237\u7aef\u4e5f\u4f1a\u8ba1\u7b97b * ag = abg\uff1b\u8fd9\u4e2a\u9884\u7f6e\u7684\u5bc6\u7801\u6765\u81ea\u670d\u52a1\u5668\u4e3b\u5bc6\u94a5\u7684\u6d3e\u751f\u3002\r\n\r\n3 \u670d\u52a1\u5668\u7aef\u63a5\u6536bg,\u8ba1\u7b97a *bg = abg\u3002\u5ba2\u6237\u7aef\u77e5\u9053\u8fd9\u4e2a\u662f\u76f8\u540c\u7684\u9884\u7f6e\u5bc6\u94a5\u3002\r\n\r\n4 \u7a83\u542c\u8005\u5c06\u53ea\u80fd\u83b7\u5f97ag\u6216bg\uff0c\u800c\u65e0\u6cd5\u6709\u6548\u7684\u8ba1\u7b97\u51faabg;<\/pre>\n
 <\/p>\n
\u4f7f\u7528ECDHE-RSA-AES128-SHA\u52a0\u5bc6\u5957\u4ef6\uff08\u4f8b\u5982P-256\uff09\u5df2\u7ecf\u662f\u5f88\u7a0b\u5ea6\u4e0a\u63d0\u9ad8\u4e86\u901f\u5ea6\u3002\u4e5f\u662f\u56e0\u4e3aDHE-RSA-AES128-SHA\u7f29\u5c0f\u6240\u6d89\u53ca\u7684\u5404\u79cd\u53c2\u6570\u7684\u89c4\u6a21\u3002<\/p>\n
\u4f46\u4e0d\u662f\u6240\u6709\u6d4f\u89c8\u5668\u90fd\u652f\u6301\u692d\u5706\u66f2\u7ebf\u52a0\u5bc6\uff0c\u6700\u8fd1\u7684chrome\u548cfirefox\u652f\u6301\u4e86NIST P-256, P-384, P-521.\u4f46\u5927\u591a\u6570\u7684IE\u6d4f\u89c8\u5668\u8fd8\u652f\u6301\u7684\u4e0d\u662f\u5f88\u597d\u3002\uff0c\u6700\u8fd1\u7684openssl\u5df2\u7ecf\u52a0\u5165\u4e86ECDHE\u5bc6\u7801\u670d\u52a1\u5957\u4ef6\uff0c\u5982\u679c\u8981\u4f7f\u752864\u4f4d\u7684\u4f18\u5316\u672c\u7248\u672c\uff0c\u9700\u8981\u9009\u62e9OPENSSL 1.0.1,\u542f\u7528ec_nistp_64_gcc_128\u9009\u9879\u3002<\/p>\n
\u5728\u9009\u62e9\u5957\u4ef6\u4e0a\uff0cECDHE-RSA-AES128-SHA\uff1aAES128-SHA\uff1aRC4-SHA\u662f\u5927\u591a\u6d4f\u89c8\u5668\u6240\u517c\u5bb9\u7684\u3002\u5982\u679c\u8981\u9009\u62e9PFS\u7684\u65b9\u5f0f\uff0cECDHE-RSA-AES128-SHA\uff0cDHE-RSA-AES128-SHA\uff0cEDH-DSS-DES-CBC3-SHA\u3002\u4f46\u9700\u8981\u786e\u4fdd\u5bc6\u7801\u5957\u4ef6\u7684\u987a\u5e8f\u3002Nginx (1.0.6\/1.1.0)\u662fssl_prefer_server_ciphers\u3002Apache\uff082.3.3\uff09\u5219\u662fSSLHonorCipherOrder\u3002<\/p>\n
\u4f46\u5728\u4f7f\u7528PFS\u7684\u65f6\u5019\uff0c\u4e5f\u8981\u6ce8\u610f\u670d\u52a1\u5668\u7aef\u5b9a\u671f\u66f4\u65b0\u6240\u751f\u6210\u7684\u968f\u673a\u5bc6\u94a5\u3002<\/p>\n
Openssl\u7684\u68c0\u6d4b\u4f7f\u7528\u6307\u4ee4:openssl s_client -tls1 -cipher ECDH -connect 127.0.0.1:443<\/p>\n
\n
Nginx \u5173\u4e8ePFS\u7684\u4ee3\u7801\uff1a<\/p>\n
\/* a temporary 512-bit RSA key is required for export versions of MSIE *\/\r\n494 SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback); \r\n495 \r\n496 if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {\r\n497 return NGX_CONF_ERROR;\r\n498 } \r\n499 \r\n500 if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {\r\n501 return NGX_CONF_ERROR;\r\n502 }\r\n\r\nSSL_CTX_set_tmp_rsa_callback \u8bbe\u7f6ecallback for ssl\r\n\r\nngx_ssl_dhparam \uff08\uff09<\/pre>\n
\u4f7f\u7528RSA\u7b97\u6cd5\u7684\u65f6\u5019\uff0c\u4ea7\u751f\u4e00\u4e2a\u4e34\u65f6\u7684DH\u5bc6\u94a5\u78cb\u5546\u53d1\u751f\uff0c\u8fd9\u6837\u4f1a\u8bdd\u5c06\u6839\u636e\u8fd9\u4e2a\u4e34\u65f6\u7684\u5bc6\u94a5\u52a0\u5bc6\u3002\u800c\u8bc1\u4e66\u4e2d\u7684\u5bc6\u94a5\u4f5c\u4e3a\u7b7e\u540d\u3002\u8fd9\u6837\u589e\u52a0\u4e86\u5b89\u5168\u6027\u3002<\/p>\n
\u8be5\u65b9\u6cd5\u5b9e\u73b0\u4e86OPENSSL\u63d0\u4f9b\u7684\u9ed8\u8ba4DH_METHD,\u5b9e\u73b0\u4e86\u6839\u636e\u5bc6\u94a5\u53c2\u6570\u751f\u6210DH\u516c\u79c1\u94a5\uff0c\u4ee5\u53ca\u6839\u636eDH\u516c\u94a5(\u4e00\u65b9)\u4ee5\u53caDH\u79c1\u94a5(\u53e6\u4e00\u65b9)\u6765\u751f\u6210\u4e00\u4e2a\u5171\u4eab\u5bc6\u94a5\uff0c\u7528\u4e8e\u5bc6\u94a5\u4ea4\u6362\u3002<\/p>\n
ngx_int_t\r\n420 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) \r\n421 {\r\n422 DH *dh;\r\n423 BIO *bio;\r\n424 \r\n425 \/*\r\n426 * -----BEGIN DH PARAMETERS-----\r\n427 * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc\r\n428 * y7qokiYUxb7spWWl\/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl\r\n429 * 7OZicMyaUDXYzs7vnqAnSmOrHlj6\/UmI0PZdFGdX2gcd8EXP4WubAgEC\r\n430 * -----END DH PARAMETERS-----\r\n431 *\/\r\n432 \r\n433 static unsigned char dh1024_p[] = {\r\n434 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,\r\n435 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,\r\n436 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,\r\n437 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,\r\n438 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,\r\n439 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,\r\n440 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,\r\n441 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,\r\n442 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,\r\n443 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,\r\n444 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B\r\n445 };\r\n446 \r\n447 static unsigned char dh1024_g[] = { 0x02 };\r\n\r\nif (file->len == 0) {\r\n451 \r\n452 dh = DH_new();\r\n453 if (dh == NULL) {\r\n454 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, \"DH_new() failed\");\r\n455 return NGX_ERROR;\r\n456 }\r\n457 \r\n458 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);\/\/\u4fdd\u5b58\u516c\u94a5\r\n459 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);\/\/\u4fdd\u5b58\u79c1\u94a5\r\n460 \r\n461 if (dh->p == NULL || dh->g == NULL) {\r\n462 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, \"BN_bin2bn() failed\");\r\n463 DH_free(dh);\r\n464 return NGX_ERROR;\r\n465 }\r\n466 \r\n467 SSL_CTX_set_tmp_dh(ssl->ctx, dh);\/\/\u88c5\u8f7d\r\n468 \r\n469 DH_free(dh);\r\n470 \r\n471 return NGX_OK;\r\n472 }\r\n\r\n503 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)\r\n504 { \r\n505 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL\r\n506 #ifndef OPENSSL_NO_ECDH\r\n507 int nid;\r\n508 EC_KEY *ecdh;\r\n509 \r\n510 \/*\r\n511 * Elliptic-Curve Diffie-Hellman parameters are either \"named curves\"\r\n512 * from RFC 4492 section 5.1.1, or explicitly described curves over\r\n513 * binary fields. OpenSSL only supports the \"named curves\", which provide\r\n514 * maximum interoperability.\r\n515 *\/\r\n516 \/\/ #define NGX_DEFAULT_ECDH_CURVE  \"prime256v1\"\r\n517 nid = OBJ_sn2nid((const char *) name->data); \/\/\u6709\u540d\u79f0\u67e5\u4ee3\u53f7 \r\n518 if (nid == 0) {\r\n519 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,\r\n520 \"Unknown curve name \\\"%s\\\"\", name->data);\r\n521 return NGX_ERROR;\r\n522 }\r\n523 \r\n524 ecdh = EC_KEY_new_by_curve_name(nid); \/\/\u521b\u5efaec_key,\u5177\u4f53\u53c2\u6570\u5728ec_key.c\u6587\u4ef6\u4e2dEC_KEY_new().\r\n525 if (ecdh == NULL) {\r\n526 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,\r\n527 \"Unable to create curve \\\"%s\\\"\", name->data);\r\n528 return NGX_ERROR;\r\n529 }\r\n530 \r\n531 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);\r\n532 \r\n533 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); \/\/\u88c5\u8f7d\r\n534 \r\n535 EC_KEY_free(ecdh);\r\n\r\nreturn\r\n\r\n}<\/pre>\n
ECDH\u53c2\u6570\u4e0d\u5b8c\u5168\u548cDH\u4e00\u6837\uff0c\u5bf9\u4e0eDH\u6240\u4ea7\u751f\u53c2\u6570\u662f\u4e00\u4e2a\u8017\u65f6\u7684\u8fc7\u7a0b\uff0c\u6240\u4ee5\u670d\u52a1\u5668\u5141\u8bb8\u901a\u8fc7\u5916\u90e8\u6587\u4ef6\u52a0\u8f7dDH\u53c2\u6570\u3002ECDH\u7684\u53c2\u6570\u7684\u5f62\u6210\u662f\u4e00\u5957\u786c\u7f16\u7801\u7684\u66f2\u7ebf\uff0c\u6240\u4ee5\u53c2\u6570\u7684\u5f62\u6210\u53ea\u662f\u5bfb\u627e\u4ed6\u4eec\uff0c\u5f53\u670d\u52a1\u5668\u4f7f\u7528\u65f6\uff0c\u4fbf\u53ef\u4ee5\u52a0\u8f7d\u4ed6\u4eec\u3002\u4f46\u5728openssl1.0.2\u4e4b\u524d\u662f\u4e0d\u652f\u6301\u7684\u3002<\/p>\n
\u53ef\u4ee5\u505a\u7684\u662f\uff0c\u63d0\u4f9bECDH\u53c2\u6570\u4ece\u4e00\u4e2a\u6587\u4ef6\u91cc\u8bfb\u53d6\uff0c\u4e3a\u4e86\u4e00\u4e2a\u5171\u540c\u7684\u7ec4\u7684\u4e00\u4e2a\u540e\u5907\u3002P-256\u662f\u4e00\u4e2a\u4e0d\u9519\u7684\u9009\u62e9\u5219\u3002<\/p>\n
EC_KEY *ecdh;\r\n\r\necdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)\uff1b\r\n\r\nif(echd == NULL) \/*error *\/\r\n\r\nSSL_CTX_set_tmp_ecdh(ctx,ecdx);<\/pre>\n
\u800c\u8fd9\u4e2a\u8bbe\u7f6e\u4e0d\u9700\u8981\u5728\u670d\u52a1\u5668\u7aef\u8fdb\u884c\u8bbe\u7f6e\uff0c\u800c\u4f7f\u7528\u7684\u53c2\u6570\u662f\u6709\u670d\u52a1\u5668\u7aef\u6307\u5b9a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6570\u767e\u4e07\u7f51\u7ad9\u548c\u6570\u5341\u4ebf\u7f51\u6c11\u90fd\u4f9d\u9760SSL\u4fdd\u62a4\u654f\u611f\u6570\u636e\u5982\u5bc6…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[70,51],"tags":[68,69,67,66],"_links":{"self":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/378"}],"collection":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=378"}],"version-history":[{"count":3,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/378\/revisions"}],"predecessor-version":[{"id":384,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=\/wp\/v2\/posts\/378\/revisions\/384"}],"wp:attachment":[{"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=378"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.selinuxplus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}