Security considerations

WebSphere Automation supports different mechanisms for securing your environment.

Protecting against HTTP host header attacks

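The mandatory request header that specifies the domain that a client wants to access can be altered as part of an exploit attack. To enable HTTP host header injection protection:
  1. Ensure that the HTTP host matches the URL_PREFIX value in the configmap product-configmap. (If necessary, specify the project name websphere-automation.)
  2. In the configmap product-configmap, add or edit the HOST_INJECTION_CHECK_ENABLED entry and set its value to true.

    To set the entry by using the Red Hat® OpenShift® console, select product-configmap for the websphere-automation project. From the menu, select Edit configmap. On the YAML page, find or add the HOST_INJECTION_CHECK_ENABLED entry and set its value to true.

  3. Restart the ibm-nginx-* pods.
    • If you are using the Red Hat OpenShift console, select the pod and use the delete pod action.
    • If you are using the CLI, use the oc delete pod <pod-name> -n websphere-automation command.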

If you need to disable this protection for any reason, remove the HOST_INJECTION_CHECK_ENABLED entry or set its value to false, and then restart the Nginx pods.
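The comparison that step 1 relies on, a request's Host header against the configured host, sketched in Python. This is an added illustration, not WebSphere Automation's own nginx logic; the function names, the `allowed_ports` parameter and the assumption that URL_PREFIX holds a bare host name are hypothetical, and the host names in the usage are constructed.

```python
import re

# Host header syntax: reg-name or bracketed IPv6 literal, then an optional port.
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
)


def split_host(value):
    """Return (host, port) in canonical form, or None if the value is malformed."""
    # fullmatch (not match + '$') so a trailing newline cannot slip through.
    m = _HOST_RE.fullmatch(value)
    if m is None:
        return None                      # spaces, '@', '/', control characters, ...
    host = m.group("host").lower()       # host names compare case-insensitively
    if host.endswith(".") and len(host) > 1:
        host = host[:-1]                 # 'example.com.' names the same host
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return host, port


def host_header_allowed(host_values, expected_host, allowed_ports=(443,)):
    """Decide whether a request's Host header matches the configured host.

    host_values   -- every Host header value received (a list, to catch duplicates)
    expected_host -- the host the deployment is published under (assumed here to
                     be the value configured as URL_PREFIX)
    """
    if len(host_values) != 1:
        return False                     # missing or repeated Host header
    got = split_host(host_values[0])
    want = split_host(expected_host)
    if got is None or want is None:
        return False
    if got[0] != want[0]:
        return False
    # An explicit port is accepted only if the service really listens on it.
    return got[1] is None or got[1] in allowed_ports
```

With a constructed host such as `wsa.apps.example.com`, the same name in a different case or with `:443` appended passes, while a second Host header, an unexpected port or any other name is rejected.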

Using ResourceQuota resources

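Setting limits on the resources that a Kubernetes namespace can use can prevent security issues such as denial-of-service (DoS) attacks. For more information about setting limits with ResourceQuota resources, see Kubernetes Hardening Guidance (published by the National Security Agency and the Cybersecurity and Infrastructure Security Agency) or Resource quotas in the Red Hat OpenShift documentation.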

Network providers and network policies

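WebSphere Automation does not install a network provider. WebSphere Automation supports the two network providers that Red Hat OpenShift Container Platform supports; you can use either of them. For more information, see OVN-Kubernetes network plug-in and OpenShift SDN network plug-in in the Red Hat OpenShift Container Platform documentation.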

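WebSphere Automation provides the network policies that are required for secure communication. Do not change the default network policies. Any changes that you make to the network policies are reverted to the defaults by the WebSphere Automation operator.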

More security hardening information

For advanced security hardening information, see Security considerations in the IBM Cloud Pak for AIOps documentation.

List of supported cipher suites

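During the Secure Sockets Layer (SSL) handshake, the client and server negotiate which cipher suite to use to exchange data. A cipher suite is a set of algorithms that provide authentication, encryption, and data integrity.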

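WebSphere Automation uses TLS v1.2 to encrypt and protect data that enters the cluster network and data within the cluster network, but it does not specify which cipher suites are used. The default cipher suites that are used for encryption are listed. The default cipher suites are not configurable.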

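The name of each cipher suite specifies the algorithms that it uses for authentication, encryption, and data integrity checking. For example, the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA uses RSA for authentication, AES 256-bit with CBC as the encryption algorithm, and SHA-1 as the hash function for checking data integrity.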
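The naming scheme described above can be decoded mechanically, which makes it easy to triage the long lists that follow. This added Python example (not IBM code) splits IANA-style names from this page into their parts and flags NULL, export-grade, anonymous and legacy-cipher suites; it also goes beyond the page's single example by handling TLS 1.3 names and the SCSV signalling value. The function names and weak-token table are this example's own, and OpenSSL-style names such as ECDHE-RSA-AES128-GCM-SHA256 are out of scope.

```python
import re

# Name tokens that mark a suite as weak, with the reason shown to the reviewer.
WEAK_TOKENS = {
    "NULL": "no encryption", "EXPORT": "export-grade keys",
    "ANON": "unauthenticated key exchange", "RC4": "RC4", "RC2": "RC2",
    "DES": "single DES", "DES40": "40-bit DES", "3DES": "64-bit block cipher",
    "IDEA": "64-bit block cipher", "MD5": "MD5",
}
ENTRY = re.compile(r"\s*([A-Za-z0-9_]+)\s*(?:\((0x[0-9A-Fa-f]{4})\))?\s*")
DIGEST = re.compile(r"SHA\d*|MD5|SM3")


def parse_suite(entry):
    """Split one list entry, e.g. 'TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)'."""
    m = ENTRY.fullmatch(entry)
    if m is None or "_" not in m.group(1):
        raise ValueError(f"not an IANA cipher suite name: {entry!r}")
    name = m.group(1).upper()        # accept lower-case spellings too
    info = {"name": name, "code": m.group(2), "weak": []}
    body = name.split("_", 1)[1]     # drop the TLS_/SSL_ prefix
    if body.endswith("_SCSV"):       # signalling value, not a negotiable suite
        return {**info, "kind": "signalling"}
    if "_WITH_" in body:             # up to TLS 1.2: <kx/auth>_WITH_<cipher>_<digest>
        kx_auth, rest = body.split("_WITH_", 1)
    else:                            # TLS 1.3: key exchange is negotiated separately
        kx_auth, rest = None, body
    parts = rest.split("_")
    digest = parts.pop() if DIGEST.fullmatch(parts[-1]) else None
    tokens = set(name.split("_"))
    info.update(
        kind="tls13" if kx_auth is None else "tls12_or_earlier",
        kx_auth=kx_auth,
        cipher="_".join(parts),
        # HMAC hash for CBC/stream suites; PRF or HKDF hash for AEAD suites.
        digest="SHA1" if digest == "SHA" else digest,
        aead=bool(tokens & {"GCM", "CCM", "POLY1305"}),
        # Only names up to TLS 1.2 say whether the key exchange is ephemeral.
        ephemeral_kx=None if kx_auth is None else bool(tokens & {"DHE", "ECDHE"}),
        weak=sorted(WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS),
    )
    return info


def weak_entries(entries):
    """Map each weak suite name to the reasons it was flagged."""
    parsed = (parse_suite(e) for e in entries)
    return {p["name"]: p["weak"] for p in parsed if p["weak"]}


# Entries from the lists on this page; case is not significant.
SAMPLE = [
    "TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
    "TLS_AES_128_GCM_SHA256(0x1301)",
    "tls_rsa_with_null_sha",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)",
]
```

Running `weak_entries` over a whole client list shows at a glance which offered suites matter only if the server side would also accept them; the server lists on this page are limited to AEAD suites.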

For the manager container

For the manager container, the supported client cipher suites are shown in the following list.

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C)
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F)
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA)
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E)
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B)
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040)
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E)
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032)
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D)
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031)
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026)
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A)
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025)
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039)
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005)
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F)
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004)
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E)
  • TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)
  • TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C)
  • TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D)
  • TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C)
  • TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)
  • TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)

The supported server cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).

The preferred cipher suite for communication is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).

For the Liberty container

The cipher suites that are used by the Liberty container REST service are listed here.

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014)
  • TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C)
  • TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)
  • TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)
  • TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012)
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)
  • TLS_AES_128_GCM_SHA256(0x1301)
  • TLS_AES_256_GCM_SHA384(0x1302)
  • TLS_CHACHA20_POLY1305_SHA256(0x1303)

The supported server cipher is TLS_AES_128_GCM_SHA256(0x1301).

The preferred cipher suite for communication is TLS_AES_128_GCM_SHA256(0x1301).

For the ingress controller

The supported client cipher suites that are used by the ingress controller service are listed here.

  • TLS_NULL_WITH_NULL_NULL
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_WITH_IDEA_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_DSS_WITH_DES_CBC_SHA
  • TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_RSA_WITH_DES_CBC_SHA
  • TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • TLS_DH_anon_WITH_RC4_128_MD5
  • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_anon_WITH_DES_CBC_SHA
  • TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_KRB5_WITH_DES_CBC_SHA
  • TLS_KRB5_WITH_3DES_EDE_CBC_SHA
  • TLS_KRB5_WITH_RC4_128_SHA
  • TLS_KRB5_WITH_IDEA_CBC_SHA
  • TLS_KRB5_WITH_DES_CBC_MD5
  • TLS_KRB5_WITH_3DES_EDE_CBC_MD5
  • TLS_KRB5_WITH_RC4_128_MD5
  • TLS_KRB5_WITH_IDEA_CBC_MD5
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • TLS_PSK_WITH_NULL_SHA
  • TLS_DHE_PSK_WITH_NULL_SHA
  • TLS_RSA_PSK_WITH_NULL_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_anon_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256
  • TLS_DH_anon_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  • TLS_PSK_WITH_RC4_128_SHA
  • TLS_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_PSK_WITH_AES_128_CBC_SHA
  • TLS_PSK_WITH_AES_256_CBC_SHA
  • TLS_DHE_PSK_WITH_RC4_128_SHA
  • TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_PSK_WITH_AES_128_CBC_SHA
  • TLS_DHE_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_PSK_WITH_RC4_128_SHA
  • TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_PSK_WITH_AES_128_CBC_SHA
  • TLS_RSA_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_SEED_CBC_SHA
  • TLS_DH_DSS_WITH_SEED_CBC_SHA
  • TLS_DH_RSA_WITH_SEED_CBC_SHA
  • TLS_DHE_DSS_WITH_SEED_CBC_SHA
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA
  • TLS_DH_anon_WITH_SEED_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DH_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DH_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DH_anon_WITH_AES_128_GCM_SHA256
  • TLS_DH_anon_WITH_AES_256_GCM_SHA384
  • TLS_PSK_WITH_AES_128_GCM_SHA256
  • TLS_PSK_WITH_AES_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
  • TLS_PSK_WITH_AES_128_CBC_SHA256
  • TLS_PSK_WITH_AES_256_CBC_SHA384
  • TLS_PSK_WITH_NULL_SHA256
  • TLS_PSK_WITH_NULL_SHA384
  • TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_NULL_SHA256
  • TLS_DHE_PSK_WITH_NULL_SHA384
  • TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_NULL_SHA256
  • TLS_RSA_PSK_WITH_NULL_SHA384
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_SM4_GCM_SM3
  • TLS_SM4_CCM_SM3
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_ECDH_ECDSA_WITH_NULL_SHA
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_NULL_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_NULL_SHA
  • TLS_ECDH_RSA_WITH_RC4_128_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_NULL_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_anon_WITH_NULL_SHA
  • TLS_ECDH_anon_WITH_RC4_128_SHA
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_RC4_128_SHA
  • TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_PSK_WITH_NULL_SHA
  • TLS_ECDHE_PSK_WITH_NULL_SHA256
  • TLS_ECDHE_PSK_WITH_NULL_SHA384
  • TLS_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_anon_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_anon_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_anon_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_anon_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CCM
  • TLS_RSA_WITH_AES_256_CCM
  • TLS_DHE_RSA_WITH_AES_128_CCM
  • TLS_DHE_RSA_WITH_AES_256_CCM
  • TLS_RSA_WITH_AES_128_CCM_8
  • TLS_RSA_WITH_AES_256_CCM_8
  • TLS_DHE_RSA_WITH_AES_128_CCM_8
  • TLS_DHE_RSA_WITH_AES_256_CCM_8
  • TLS_PSK_WITH_AES_128_CCM
  • TLS_PSK_WITH_AES_256_CCM
  • TLS_DHE_PSK_WITH_AES_128_CCM
  • TLS_DHE_PSK_WITH_AES_256_CCM
  • TLS_PSK_WITH_AES_128_CCM_8
  • TLS_PSK_WITH_AES_256_CCM_8
  • TLS_PSK_DHE_WITH_AES_128_CCM_8
  • TLS_PSK_DHE_WITH_AES_256_CCM_8
  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM
  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM
  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
  • TLS_ECCPWD_WITH_AES_128_GCM_SHA256
  • TLS_ECCPWD_WITH_AES_256_GCM_SHA384
  • TLS_ECCPWD_WITH_AES_128_CCM_SHA256
  • TLS_ECCPWD_WITH_AES_256_CCM_SHA384
  • TLS_SHA256_SHA256
  • TLS_SHA384_SHA384
  • TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
  • TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
  • TLS_GOSTR341112_256_WITH_28147_CNT_IMIT
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
  • TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

The supported server cipher suites are listed here.

  • ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
  • ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
  • ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
  • DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
  • DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits

The preferred cipher suite for communication is ECDHE-RSA-AES128-GCM-SHA256.

For FIPS-enabled clusters

The supported server cipher suites for FIPS-enabled clusters are shown in the following list.

  • TLS 1.2 support
    • 128-bit encryption, based on Rivest-Shamir-Adleman (RSA)
      • ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
      • DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
    • 256-bit encryption, based on Rivest-Shamir-Adleman (RSA)
      • ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
      • DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
  • TLS 1.3 support
    • 128-bit encryption, based on Advanced Encryption Standard (AES)
      • TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
    • 256-bit encryption, based on Advanced Encryption Standard (AES)
      • TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256