<title data-react-helmet="true">SSL Protocol | Apache APISIX® -- Cloud-Native API Gateway and AI Gateway</title>
<div id="__docusaurus">
<strong>If you need to enable the TLSv1.1 protocol, add the cipher suites supported by TLSv1.1 to the apisix.ssl.ssl_ciphers option in config.yaml.</strong></p>
<h2 id="ssl_protocols-配置">ssl_protocols configuration</h2>
<h3 id="静态配置">Static configuration</h3>
<p>The ssl_protocols parameter in the static configuration (config.yaml) applies to APISIX globally but cannot be modified dynamically; it takes effect only when the matching SSL resource does not set <code>ssl_protocols</code>.</p>
<pre><code class="language-yaml">apisix:
  ssl:
    ssl_protocols: TLSv1.2 TLSv1.3 # default TLSv1.2 TLSv1.3
</code></pre>
<h3 id="动态配置">Dynamic configuration</h3>
<p>Use the ssl_protocols field of an SSL resource to dynamically specify a different TLS protocol version for each SNI.</p>
<p>Specify that the test.com domain uses the TLSv1.2 and TLSv1.3 protocol versions:</p>
<pre><code class="language-json">{
    "cert": "$cert",
    "key": "$key",
    "snis": ["test.com"],
    "ssl_protocols": [
        "TLSv1.2",
        "TLSv1.3"
    ]
}
</code></pre>
<h3 id="注意事项">Notes</h3>
<ul>
<li>Dynamic configuration has higher priority than static configuration: when the ssl_protocols field of an SSL resource is non-empty, the static configuration is overridden for that SNI.</li>
<li>Static configuration applies globally and requires an APISIX restart to take effect.</li>
<li>Dynamic configuration controls the TLS protocol version of each SNI at fine granularity and can be modified at runtime, so it is more flexible than static configuration.</li>
</ul>
<h2 id="使用示例">Usage example</h2>
<h3 id="如何指定-tlsv11-协议">How to specify the TLSv1.1 protocol</h3>
<p>Some legacy clients still use the older, less secure TLSv1.1 protocol version, while new products use TLS protocol versions with a higher security level. Letting new products support TLSv1.1 may introduce security risks. To keep the API secure, we need to switch flexibly between protocol versions.</p><p>
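As an added example (not code from the APISIX project or from this page), the shell script below applies the precedence rule and the TLSv1.1 cipher requirement described above and classifies curl's handshake trace, so the effective per-SNI protocol policy can be audited against a running gateway. The function names, the --resolve pinning of the SNI to the gateway address and the sample transcripts are my own assumptions and constructions.

```shell
#!/bin/sh
# Added example, not part of the APISIX documentation or code base.
# Assumed: the SSL objects exist, the gateway listens on $port, and the
# local curl supports --tlsv1.x / --tls-max. Version lists are
# space-separated strings, as in the ssl_protocols value of config.yaml.

# Precedence rule from the notes above: an SSL object's ssl_protocols,
# when non-empty, overrides the static apisix.ssl.ssl_protocols for its SNI.
effective_protocols() {
    static_protocols=$1   # e.g. "TLSv1.2 TLSv1.3" from config.yaml
    object_protocols=$2   # e.g. "TLSv1.1" from the SSL object, "" if unset
    if [ -n "$object_protocols" ]; then
        printf '%s\n' "$object_protocols"
    else
        printf '%s\n' "$static_protocols"
    fi
}

# TLSv1.1 can only negotiate CBC suites with a SHA-1 MAC (OpenSSL names
# ending in "-SHA"); GCM, CHACHA20 and SHA256/SHA384 suites are TLS 1.2
# only. Hence the warning above: ssl_ciphers must contain at least one
# such suite before enabling TLSv1.1 does anything useful.
has_tlsv11_cipher() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q -- '-SHA$'
}

# Classify a "curl -v" transcript read from stdin. Prints one of:
#   accepted <version> <cipher>   handshake completed
#   rejected                      server sent a protocol_version alert
#   error                         anything else (refused, DNS, timeout, ...)
classify_handshake() {
    transcript=$(cat)
    case $transcript in
        *"SSL connection using "*)
            printf '%s\n' "$transcript" |
                sed -n 's#^\* SSL connection using \([^ ]*\) / \(.*\)$#accepted \1 \2#p' |
                head -n 1 ;;
        *"alert protocol version"*)
            echo rejected ;;
        *)
            echo error ;;
    esac
}

# Compare one observed outcome with the intended policy for that version.
verdict() {
    allowed=$1    # policy, e.g. "TLSv1.2 TLSv1.3"
    version=$2    # version probed, e.g. "TLSv1.1"
    outcome=$3    # first word of the classify_handshake output
    case " $allowed " in
        *" $version "*) expected=accepted ;;
        *)              expected=rejected ;;
    esac
    if [ "$outcome" = "$expected" ]; then echo ok; else echo MISMATCH; fi
}

# Probe TLSv1.1 to TLSv1.3 against one SNI and flag deviations from the
# policy. --resolve pins the SNI to the gateway address so the real name is
# sent in the ClientHello without editing /etc/hosts (an assumption here).
audit_sni() {
    sni=$1; port=$2; allowed=$3; gateway_ip=${4:-127.0.0.1}
    for v in 1.1 1.2 1.3; do
        result=$(curl --tlsv"$v" --tls-max "$v" -k -sS -I -v \
                      --resolve "$sni:$port:$gateway_ip" "https://$sni:$port" 2>&1 |
                 classify_handshake)
        outcome=${result%% *}
        printf '%-10s TLSv%s %-9s %s\n' "$sni" "$v" "$outcome" \
            "$(verdict "$allowed" "TLSv$v" "$outcome")"
    done
}

# Offline demonstration on two constructed transcripts (the lines curl -v
# prints for a refused and for a completed TLSv1.1 handshake); no gateway
# is needed for this part.
demo_offline() {
    refused='* TLSv1.3 (IN), TLS alert, protocol version (582):
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version'
    completed='* SSL connection using TLSv1.1 / ECDHE-RSA-AES256-SHA'
    policy=$(effective_protocols 'TLSv1.2 TLSv1.3' 'TLSv1.1')   # -> TLSv1.1
    r=$(printf '%s\n' "$refused" | classify_handshake)
    c=$(printf '%s\n' "$completed" | classify_handshake)
    echo "policy for test.com: $policy"
    echo "TLSv1.3 probe: $r -> $(verdict "$policy" TLSv1.3 "${r%% *}")"
    echo "TLSv1.1 probe: $c -> $(verdict "$policy" TLSv1.1 "${c%% *}")"
}
demo_offline
# Live check (uncomment with a gateway up):
# audit_sni test.com  9443 "$(effective_protocols 'TLSv1.2 TLSv1.3' 'TLSv1.1')"
# audit_sni test2.com 9443 "$(effective_protocols 'TLSv1.2 TLSv1.3' '')"
```

A MISMATCH line means a version the policy forbids was negotiated (or an allowed one was refused), which is the condition worth alerting on after any change to ssl_protocols.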
| 例如:test.com 是老旧客户端所使用的域名,需要将其配置为 TLSv1.1 而 test2.com 属于新产品,同时支持了 TLSv1.2,TLSv1.3 协议。</p><ol><li>config.yaml 配置。</li></ol><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 yaml"><pre tabindex="0" class="prism-code language-yaml codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token key atrule" style="color:#00a4db">apisix</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token key atrule" style="color:#00a4db">ssl</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token key atrule" style="color:#00a4db">ssl_protocols</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> TLSv1.3</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token comment" style="color:#999988;font-style:italic"># ssl_ciphers is for reference only</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token key atrule" style="color:#00a4db">ssl_ciphers</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain"> ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">ECDSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES128</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA256</span><span 
class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES128</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA256</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">ECDSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA384</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA384</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">ECDSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">CHACHA20</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">POLY1305</span><span class="token punctuation" style="color:#393A34">:</span><span class="token 
plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">CHACHA20</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">POLY1305</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">DHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES128</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA256</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">DHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">GCM</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA384</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">ECDHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">ECDSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token 
plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">DHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">RSA</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA</span><span class="token punctuation" style="color:#393A34">:</span><span class="token plain">DHE</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">DSS</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">AES256</span><span class="token punctuation" style="color:#393A34">-</span><span class="token plain">SHA</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_V-PD clean-btn">Copy</button></div></div><ol start="2"><li>为 test.com 域名指定 TLSv1.1 协议版本。</li></ol><div class="admonition admonition-note alert alert--secondary"><div class="admonition-heading"><h5><span class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" width="14" height="16" viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</h5></div><div class="admonition-content"><p>您可以这样从 <code>config.yaml</code> 中获取 <code>admin_key</code> 
并存入环境变量:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 bash"><pre tabindex="0" class="prism-code language-bash codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token assign-left variable" style="color:#36acaa">admin_key</span><span class="token operator" style="color:#393A34">=</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable" style="color:#36acaa">yq </span><span class="token variable string" style="color:#e3116c">'.deployment.admin.admin_key[0].key'</span><span class="token variable" style="color:#36acaa"> conf/config.yaml </span><span class="token variable operator" style="color:#393A34">|</span><span class="token variable" style="color:#36acaa"> </span><span class="token variable function" style="color:#d73a49">sed</span><span class="token variable" style="color:#36acaa"> </span><span class="token variable string" style="color:#e3116c">'s/"//g'</span><span class="token variable" style="color:#36acaa">)</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_V-PD clean-btn">Copy</button></div></div></div></div><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 bash"><pre tabindex="0" class="prism-code language-bash codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> http://127.0.0.1:9180/apisix/admin/ssls/1 </span><span class="token punctuation" style="color:#393A34">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">-H </span><span class="token string" style="color:#e3116c">"X-API-KEY: </span><span class="token string variable" 
style="color:#36acaa">$admin_key</span><span class="token string" style="color:#e3116c">"</span><span class="token plain"> -X PUT -d </span><span class="token string" style="color:#e3116c">'</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c">{</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c"> "cert" : "'</span><span class="token plain">"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.crt</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"key"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">"'"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.key</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"snis"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">"test.com"</span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span 
class="token plain"> </span><span class="token string" style="color:#e3116c">"ssl_protocols"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"TLSv1.1"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token punctuation" style="color:#393A34">}</span><span class="token plain">'</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_V-PD clean-btn">Copy</button></div></div><ol start="3"><li>为 test.com 创建 SSL 对象,未指定 TLS 协议版本,将默认使用静态配置。</li></ol><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 bash"><pre tabindex="0" class="prism-code language-bash codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> http://127.0.0.1:9180/apisix/admin/ssls/1 </span><span class="token punctuation" style="color:#393A34">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">-H </span><span class="token string" style="color:#e3116c">"X-API-KEY: </span><span class="token string variable" style="color:#36acaa">$admin_key</span><span class="token string" style="color:#e3116c">"</span><span class="token plain"> -X PUT -d </span><span class="token string" style="color:#e3116c">'</span><br></span><span 
class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c">{</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c"> "cert" : "'</span><span class="token plain">"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server2.crt</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"key"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">"'"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server2.key</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"snis"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">"test2.com"</span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token punctuation" style="color:#393A34">}</span><span class="token plain">'</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" 
class="copyButton_V-PD clean-btn">Copy</button></div></div><ol start="4"><li>访问验证</li></ol><p>使用 TLSv1.3 访问 test.com 失败:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.3</span><span class="token plain"> --tlsv1.3 https://test.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin 
class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS alert, protocol version </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">582</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Closing connection </span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">curl: </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" 
style="color:#36acaa">35</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span></code></pre><button type="button" aria-label="Copy code to clipboard" class="copyButton_V-PD clean-btn">Copy</button></div></div><p>使用 TLSv1.1 访问 test.com 成功:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.1</span><span class="token plain"> --tlsv1.1 https://test.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering 
h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">2</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Certificate </span><span 
class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">11</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server key exchange </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">12</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">14</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client key exchange </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">16</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" 
style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS change cipher, Change cipher spec </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL connection using TLSv1.1 / ECDHE-RSA-AES256-SHA</span><br></span></code></pre></div></div><p>Accessing test2.com with TLSv1.3 succeeds:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" 
style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.3</span><span class="token plain"> --tlsv1.3 https://test2.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test2.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span 
class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">2</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Encrypted Extensions </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">8</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Certificate 
</span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">11</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, CERT verify </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">15</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS change cipher, Change cipher spec </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" 
style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384</span><br></span></code></pre></div></div><p>Accessing test2.com with TLSv1.1 fails:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.1</span><span class="token plain"> --tlsv1.1 https://test2.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test2.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span 
class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.1 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS alert, protocol version </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">582</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span 
class="token-line" style="color:#393A34"><span class="token plain">* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Closing connection </span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">curl: </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">35</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span></code></pre></div></div><h3><a aria-hidden="true" tabindex="-1" class="anchor anchor__h3 anchorWithHideOnScrollNavbar_3ly5" id="证书关联多个域名但域名之间使用不同的-tls-协议"></a>One certificate associated with multiple domains, each using a different TLS protocol</h3><p>Sometimes a single certificate is associated with multiple domains, but those domains need different TLS protocol versions to meet their security requirements. For example, test.com needs TLSv1.2 while test2.com needs TLSv1.3. In this case we cannot simply create one SSL object covering all the domains; instead we create a separate SSL object for each domain (SNI) and specify the protocol version it should use. APISIX then selects the protocol versions by SNI, so the TLS handshake and the encrypted connection use the correct version for each domain. For example:</p><ol><li>Create an SSL object for test.com with the certificate, specifying the TLSv1.2 protocol.</li></ol><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 bash"><pre tabindex="0" class="prism-code language-bash codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> http://127.0.0.1:9180/apisix/admin/ssls/1 </span><span class="token punctuation" style="color:#393A34">\</span><span class="token plain"></span><br></span><span class="token-line" 
style="color:#393A34"><span class="token plain">-H </span><span class="token string" style="color:#e3116c">"X-API-KEY: </span><span class="token string variable" style="color:#36acaa">$admin_key</span><span class="token string" style="color:#e3116c">"</span><span class="token plain"> -X PUT -d </span><span class="token string" style="color:#e3116c">'</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c">{</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c"> "cert" : "'</span><span class="token plain">"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.crt</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"key"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">"'"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.key</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"snis"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">"test.com"</span><span 
class="token punctuation" style="color:#393A34">]</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"ssl_protocols"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"TLSv1.2"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token punctuation" style="color:#393A34">}</span><span class="token plain">'</span><br></span></code></pre></div></div><ol start="2"><li>Using the same certificate as test.com, create an SSL object for test2.com, specifying the TLSv1.3 protocol.</li></ol><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 bash"><pre tabindex="0" class="prism-code language-bash codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> http://127.0.0.1:9180/apisix/admin/ssls/2 </span><span class="token punctuation" style="color:#393A34">\</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">-H </span><span class="token string" style="color:#e3116c">"X-API-KEY: </span><span class="token string variable" style="color:#36acaa">$admin_key</span><span class="token string" 
style="color:#e3116c">"</span><span class="token plain"> -X PUT -d </span><span class="token string" style="color:#e3116c">'</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c">{</span><br></span><span class="token-line" style="color:#393A34"><span class="token string" style="color:#e3116c"> "cert" : "'</span><span class="token plain">"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.crt</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"key"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token string" style="color:#e3116c">"'"</span><span class="token variable" style="color:#36acaa">$(</span><span class="token variable function" style="color:#d73a49">cat</span><span class="token variable" style="color:#36acaa"> server.key</span><span class="token variable" style="color:#36acaa">)</span><span class="token string" style="color:#e3116c">"'"</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"snis"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token string" style="color:#e3116c">"test2.com"</span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain">,</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" 
style="color:#e3116c">"ssl_protocols"</span><span class="token builtin class-name">:</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">[</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token string" style="color:#e3116c">"TLSv1.3"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">]</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token punctuation" style="color:#393A34">}</span><span class="token plain">'</span><br></span></code></pre></div></div><ol start="3"><li>Verify access with each protocol version.</li></ol><p>Accessing test.com with TLSv1.2 succeeds:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.2</span><span class="token plain"> --tlsv1.2 https://test.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test.com </span><span class="token punctuation" 
style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span 
class="token plain">, TLS handshake, Server hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">2</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Certificate </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">11</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server key exchange </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">12</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">14</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 
</span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client key exchange </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">16</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS change cipher, Change cipher spec </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token 
punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, server accepted to use h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Server certificate:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* subject: </span><span class="token assign-left variable" style="color:#36acaa">C</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">AU</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">ST</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Some-State</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">O</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Internet Widgits Pty Ltd</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">CN</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">test.com</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* start date: Jul </span><span class="token number" style="color:#36acaa">20</span><span class="token plain"> </span><span class="token number" style="color:#36acaa">15</span><span class="token plain">:50:08 </span><span class="token number" style="color:#36acaa">2023</span><span class="token plain"> GMT</span><br></span><span class="token-line" 
style="color:#393A34"><span class="token plain">* expire date: Jul </span><span class="token number" style="color:#36acaa">17</span><span class="token plain"> </span><span class="token number" style="color:#36acaa">15</span><span class="token plain">:50:08 </span><span class="token number" style="color:#36acaa">2033</span><span class="token plain"> GMT</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* issuer: </span><span class="token assign-left variable" style="color:#36acaa">C</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">AU</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">ST</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Some-State</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">O</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Internet Widgits Pty Ltd</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">CN</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">test.com</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL certificate verify result: EE certificate key too weak </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">66</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, continuing anyway.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Using HTTP2, server supports multi-use</span><br></span><span 
class="token-line" style="color:#393A34"><span class="token plain">* Connection state changed </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">HTTP/2 confirmed</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Copying HTTP/2 data </span><span class="token keyword" style="color:#00009f">in</span><span class="token plain"> stream buffer to connection buffer after upgrade: </span><span class="token assign-left variable" style="color:#36acaa">len</span><span class="token operator" style="color:#393A34">=</span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Using Stream ID: </span><span class="token number" style="color:#36acaa">1</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">easy handle 0x5608905ee2e0</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> HEAD / HTTP/2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> Host: test.com:9443</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> user-agent: curl/7.74.0</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> accept: 
*/*</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span></code></pre></div></div><p>Accessing test.com with TLSv1.3 fails:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.3</span><span class="token plain"> --tlsv1.3 https://test.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token 
plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS alert, protocol version </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">582</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Closing connection </span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" 
style="color:#393A34"><span class="token plain">curl: </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">35</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span></code></pre></div></div><p>Accessing test2.com with TLSv1.3 succeeds:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.3</span><span class="token plain"> --tlsv1.3 https://test2.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test2.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token 
punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Server hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">2</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span 
class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Encrypted Extensions </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">8</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Certificate </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">11</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, CERT verify </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">15</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" 
style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS change cipher, Change cipher spec </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Finished </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">20</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, server accepted to use h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Server certificate:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* subject: </span><span class="token assign-left variable" style="color:#36acaa">C</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">AU</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" 
style="color:#36acaa">ST</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Some-State</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">O</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Internet Widgits Pty Ltd</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">CN</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">test2.com</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* start date: Jul </span><span class="token number" style="color:#36acaa">20</span><span class="token plain"> </span><span class="token number" style="color:#36acaa">16</span><span class="token plain">:05:47 </span><span class="token number" style="color:#36acaa">2023</span><span class="token plain"> GMT</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* expire date: Jul </span><span class="token number" style="color:#36acaa">17</span><span class="token plain"> </span><span class="token number" style="color:#36acaa">16</span><span class="token plain">:05:47 </span><span class="token number" style="color:#36acaa">2033</span><span class="token plain"> GMT</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* issuer: </span><span class="token assign-left variable" style="color:#36acaa">C</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">AU</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">ST</span><span class="token operator" style="color:#393A34">=</span><span class="token 
plain">Some-State</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">O</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">Internet Widgits Pty Ltd</span><span class="token punctuation" style="color:#393A34">;</span><span class="token plain"> </span><span class="token assign-left variable" style="color:#36acaa">CN</span><span class="token operator" style="color:#393A34">=</span><span class="token plain">test2.com</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* SSL certificate verify result: EE certificate key too weak </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">66</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, continuing anyway.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Using HTTP2, server supports multi-use</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connection state changed </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">HTTP/2 confirmed</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Copying HTTP/2 data </span><span class="token keyword" style="color:#00009f">in</span><span class="token plain"> stream buffer to connection buffer after upgrade: </span><span class="token assign-left variable" style="color:#36acaa">len</span><span class="token operator" style="color:#393A34">=</span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Using Stream ID: 
</span><span class="token number" style="color:#36acaa">1</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">easy handle 0x55569cbe42e0</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> HEAD / HTTP/2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> Host: test2.com:9443</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> user-agent: curl/7.74.0</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"> accept: */*</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token operator" style="color:#393A34">></span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Newsession Ticket </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">4</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.3 </span><span class="token punctuation" 
style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Newsession Ticket </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">4</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* old SSL session ID is stale, removing</span><br></span></code></pre></div></div><p>Accessing test2.com with TLSv1.2 fails:</p><div class="codeBlockContainer_EiTO"><div class="codeBlockContent_X2I6 shell"><pre tabindex="0" class="prism-code language-shell codeBlock_UxnK thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_W6UD"><span class="token-line" style="color:#393A34"><span class="token plain">$ </span><span class="token function" style="color:#d73a49">curl</span><span class="token plain"> --tls-max </span><span class="token number" style="color:#36acaa">1.2</span><span class="token plain"> --tlsv1.2 https://test2.com:9443 -v -k -I</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Trying </span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1:9443</span><span class="token punctuation" style="color:#393A34">..</span><span class="token plain">.</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Connected to test2.com </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">127.0</span><span class="token plain">.0.1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> port </span><span class="token number" 
style="color:#36acaa">9443</span><span class="token plain"> </span><span class="token punctuation" style="color:#393A34">(</span><span class="token comment" style="color:#999988;font-style:italic">#0)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering h2</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* ALPN, offering http/1.1</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* successfully </span><span class="token builtin class-name">set</span><span class="token plain"> certificate verify locations:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CAfile: /etc/ssl/certs/ca-certificates.crt</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* CApath: /etc/ssl/certs</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">OUT</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS handshake, Client hello </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">1</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* TLSv1.2 </span><span class="token punctuation" style="color:#393A34">(</span><span class="token plain">IN</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain">, TLS alert, protocol version </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">582</span><span class="token punctuation" style="color:#393A34">)</span><span class="token 
plain">:</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">* Closing connection </span><span class="token number" style="color:#36acaa">0</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">curl: </span><span class="token punctuation" style="color:#393A34">(</span><span class="token number" style="color:#36acaa">35</span><span class="token punctuation" style="color:#393A34">)</span><span class="token plain"> error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version</span><br></span></code></pre></div></div></div></article></div></div></div></div></main></div></div></div> |
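A programmatic version of the curl checks above, added here as an example that is not part of the APISIX documentation or code: it pins exactly one TLS version per handshake against each SNI (the page's test.com and test2.com on 127.0.0.1:9443), then compares the accepted/rejected matrix with the per-SNI policy you intended to configure and flags any version that was accepted although it should have been excluded. The function names probe, observe and evaluate and the PAGE_POLICY mapping are this example's own; the gateway is assumed to be running locally as on the page, and the comparison step itself needs no network.

```python
"""Check which TLS protocol versions a gateway accepts for each SNI.

Added example, not part of the APISIX project. It mirrors the page's curl
runs (curl --tlsv1.x --tls-max 1.x against test.com / test2.com on port 9443)
with the standard-library ssl module and then evaluates the observed matrix
against the intended per-SNI policy.
"""
import socket
import ssl

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3
VERSIONS = (TLS12, TLS13)

# Policy from the page: test.com must accept only TLSv1.2, test2.com only TLSv1.3.
PAGE_POLICY = {
    "test.com": {TLS12},
    "test2.com": {TLS13},
}


def probe(host, port, sni, version, timeout=5.0):
    """Handshake with a single pinned TLS version, like curl --tlsv1.x --tls-max 1.x.

    Returns {"ok": True, "version": ..., "cipher": ...} on success, or
    {"ok": False, "reason": ...} when the server rejects the handshake
    (a protocol_version alert is what the page's failing runs show).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # The page uses a self-signed test certificate and curl -k; the same
    # relaxation is applied here so that a rejection is attributable to the
    # protocol version rather than to certificate validation. Against a real
    # deployment keep the default (verification on) and drop these two lines.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # exc.reason carries the OpenSSL reason, e.g. TLSV1_ALERT_PROTOCOL_VERSION
        return {"ok": False, "reason": exc.reason or str(exc)}
    except OSError as exc:
        return {"ok": False, "reason": f"connect: {exc}"}


def observe(host, port, policy, versions=VERSIONS):
    """Probe every (SNI, version) pair in the policy. Returns {(sni, version): accepted}."""
    return {(sni, v): probe(host, port, sni, v)["ok"] for sni in policy for v in versions}


def evaluate(observed, policy, versions=VERSIONS):
    """Compare observations with the intended policy.

    Returns a list of (sni, version_name, finding). "accepted_unexpectedly" is the
    security-relevant finding: the gateway negotiated a version the policy was
    meant to exclude. "rejected_unexpectedly" means a version that should work
    does not (a misconfiguration that breaks clients rather than weakens them).
    """
    findings = []
    for sni, allowed in policy.items():
        for v in versions:
            accepted = observed.get((sni, v))
            if accepted is None:
                continue  # pair was not probed
            if accepted and v not in allowed:
                findings.append((sni, v.name, "accepted_unexpectedly"))
            elif not accepted and v in allowed:
                findings.append((sni, v.name, "rejected_unexpectedly"))
    return findings


def main():
    observed = observe("127.0.0.1", 9443, PAGE_POLICY)
    for (sni, v), accepted in sorted(observed.items(), key=lambda kv: (kv[0][0], kv[0][1].name)):
        print(f"{sni:10s} {v.name}: {'accepted' if accepted else 'rejected'}")
    findings = evaluate(observed, PAGE_POLICY)
    for sni, vname, finding in findings:
        print(f"MISMATCH {sni} {vname}: {finding}")
    raise SystemExit(1 if findings else 0)


if __name__ == "__main__":
    main()
```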