根据OpenSSL,以下是它支持的密码:
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
我正在端口443上运行一个简单的node.jshttps服务器。运行SSLScan时,以下是接受的密码:
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
我不明白的是,为什么实际支持的密码列表要短那么多?
更令人困惑的是,当我在node中获得支持的密码列表tls.getCiphers()时,我会发现一个很长的列表:
['AES128-GCM-SHA256','AES128-SHA','AES128-SHA256','AES256-GCM-SHA384','AES256-SHA','AES256-SHA256','Camellia128-Sha','Camellia256-Sha',“DES-CBC-SHA”,'DES-CBC3-SHA',“DHE-DSS-AES128-GCM-SHA256”,“DHE-DSS-AES128-SHA”,“DHE-DSS-AES128-SHA256”,“DHE-DSS-AES256-GCM-SHA384”,“DHE-DSS-AES256-SHA”,“DHE-DSS-AES256-SHA256”,'DHE-DSS-Camellia128-SHA','DHE-DSS-Camellia256-SHA','DHE-DSS-SEED-SHA',“DHE-RSA-AES128-GCM-SHA256”,“DHE-RSA-AES128-SHA”,“DHE-RSA-AES128-SHA256”,“DHE-RSA-AES256-GCM-SHA384”,'DHE-RSA-AES256-SHA',“DHE-RSA-AES256-SHA256”,'DHE-RSA-Camellia128-SHA','DHE-RSA-Camellia256-SHA','DHE-RSA-SEED-SHA','ECDH-ECDSA-AES128-GCM-SHA256','ECDH-ECDSA-AES128-SHA','ECDH-ECDSA-AES128-SHA256','ECDH-ECDSA-AES256-GCM-SHA384','ECDH-ECDSA-AES256-SHA','ECDH-ECDSA-AES256-SHA384','ECDH-ECDSA-DES-CBC3-SHA','ECDH-ECDSA-RC4-SHA','ECDH-RSA-AES128-GCM-SHA256','ECDH-RSA-AES128-SHA','ECDH-RSA-AES128-SHA256','ECDH-RSA-AES256-GCM-SHA384','ECDH-RSA-AES256-SHA','ECDH-RSA-AES256-SHA384','ECDH-RSA-DES-CBC3-SHA','ECDH-RSA-RC4-SHA','ECDHE-ECDSA-AES128-GCM-SHA256','ECDHE-ECDSA-AES128-SHA','ECDHE-ECDSA-AES128-SHA256','ECDHE-ECDSA-AES256-GCM-SHA384','ECDHE-ECDSA-AES256-SHA','ECDHE-ECDSA-AES256-SHA384','ECDHE-ECDSA-DES-CBC3-SHA','ECDHE-ECDSA-RC4-SHA','ECDHE-RSA-AES128-GCM-SHA256','ECDHE-RSA-AES128-SHA','ECDHE-RSA-AES128-SHA256','ECDHE-RSA-AES256-GCM-SHA384','ECDHE-RSA-AES256-SHA','ECDHE-RSA-AES256-SHA384','ECDHE-RSA-DES-CBC3-SHA','ECDHE-RSA-RC4-SHA','EDH-DSS-DES-CBC-SHA','EDH-DSS-DES-CBC-SHA','EDH-RSA-DES-CBC-SHA','EDH-RSA-DES-CBC-SHA','EXP-DES-CBC-SHA','EXP-EDH-DSS-DES-CBC-SHA','EXP-RC2-CBC-MD5','EXP-RC4-MD5','IDEA-CBC-SHA','PSK-3DES-EDE-CBC-SHA','PSK-AES256-CBC-SHA','PSK-RC4-SHA','RC4-MD5','RC4-SHA'
第一个列表是SSLv3的所有密码。目前已经定义了TLS1.0、TLS1.1和TLS.2。所以这些是更古老的密码。
第二个列表是握手时客户端(sslscan)和服务器中可用的密码列表。
最后,最后一个似乎是存在的密码的完整列表(但可能没有配置?)在Nodejs中。
请注意,OpenSSL文档是出了名的稀疏而且经常过时,而NodeJS做得稍微好一点。
