# SSL/TLS Performance Optimization

HTTPS has a noticeable performance cost; tuning the SSL/TLS configuration sensibly cuts connection latency.
## Session cache optimization

### Enable the SSL session cache

```yaml
server:
  ssl:
    enabled: true
    # Note: session-cache-size and session-timeout are not keys in Spring Boot's
    # standard server.ssl namespace; apply them through the Tomcat customizer below.
    session-cache-size: 1000
    session-timeout: 3600
```
### Tomcat configuration

```java
import org.apache.coyote.http11.Http11NioProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatSslConfig {
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> sslCustomizer() {
        return factory -> factory.addConnectorCustomizers(connector -> {
            Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
            protocol.setSSLEnabled(true);
            // Spring Boot has already built the SSLHostConfig from server.ssl.* by the time connector
            // customizers run. Session settings live on SSLHostConfig, not on the protocol handler.
            for (SSLHostConfig sslHostConfig : connector.findSslHostConfigs()) {
                sslHostConfig.setSessionCacheSize(1000); // number of cached sessions
                sslHostConfig.setSessionTimeout(3600);   // seconds a cached session stays resumable
            }
        });
    }
}
```
## Protocol and cipher suite optimization

### Recommended protocol configuration

```yaml
server:
  ssl:
    enabled-protocols: TLSv1.2,TLSv1.3
    # TLS_AES_* suites exist only in TLS 1.3. If TLS 1.2 clients must still connect,
    # add TLS 1.2 suites as well (e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
    # otherwise a TLS 1.2 handshake finds no common suite and fails.
    ciphers: TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
```
### Disable weak protocols

```java
@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> protocolCustomizer() {
    return factory -> factory.addConnectorCustomizers(connector -> {
        // Same effect as server.ssl.enabled-protocols: protocols are an SSLHostConfig setting.
        // setProtocols replaces the whole set, so only the listed versions remain enabled
        // and SSLv3, TLSv1.0 and TLSv1.1 are excluded.
        for (SSLHostConfig sslHostConfig : connector.findSslHostConfigs()) {
            sslHostConfig.setProtocols("TLSv1.2,TLSv1.3");
        }
    });
}
```
## Certificate optimization

### Use an ECDSA certificate

```bash
# ECDSA certificates are cheaper to sign with and verify than RSA
openssl ecparam -genkey -name prime256v1 -out ecdsa.key
openssl req -new -x509 -key ecdsa.key -out ecdsa.crt -days 365 -subj "/CN=localhost"
# Bundle key and certificate into the PKCS12 keystore referenced in the Spring Boot config below
openssl pkcs12 -export -inkey ecdsa.key -in ecdsa.crt -name tomcat -out keystore.p12
```
### Certificate chain optimization

```yaml
server:
  ssl:
    key-store: classpath:keystore.p12
    key-store-password: ${SSL_PASSWORD}
    key-alias: tomcat
    key-store-type: PKCS12
```
## OCSP stapling

### Enable OCSP stapling

```java
@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ocspCustomizer() {
    return factory -> factory.addConnectorCustomizers(connector -> {
        for (SSLHostConfig sslHostConfig : connector.findSslHostConfigs()) {
            sslHostConfig.setProtocols("TLSv1.3");
        }
        // OCSP stapling: the server attaches the OCSP response to its certificate so the client
        // skips its own round trip to the CA responder. Tomcat's JSSE engine delegates this to the
        // JDK (JEP 249, Java 9+): it is on by default and governed by the JVM property
        // jdk.tls.server.enableStatusRequestExtension, set at startup, e.g.
        //   -Djdk.tls.server.enableStatusRequestExtension=true
        // The server certificate must carry an AIA OCSP URL for there to be anything to staple.
    });
}
```
## Undertow SSL configuration

### Undertow tuning

```java
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.xnio.Options;

@Bean
public WebServerFactoryCustomizer<UndertowServletWebServerFactory> undertowSslCustomizer() {
    return factory -> factory.addBuilderCustomizers(builder -> {
        // Undertow takes its TLS settings as XNIO socket options on Undertow.Builder,
        // the same mechanism Spring Boot uses for server.ssl.enabled-protocols and ciphers.
        builder.setSocketOption(Options.SSL_SERVER_SESSION_CACHE_SIZE, 1000);
        builder.setSocketOption(Options.SSL_SERVER_SESSION_TIMEOUT, 3600); // seconds
    });
}
```
## Performance comparison

| Optimization | Before | After | Gain |
|---|---|---|---|
| Session cache | full handshake on every connection | session reuse | 60%+ |
| TLS 1.3 | TLS 1.2 | TLS 1.3 | 30%+ |
| ECDSA certificate | RSA 2048 | ECDSA P-256 | 40%+ |
| OCSP stapling | client-side validation | pushed by the server | 20%+ |

Note: production must use TLS 1.2 or later; disable SSLv3, TLSv1.0 and TLSv1.1.
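As an added check (not part of the original article), the following Java client connects twice to the configured server and reports what was actually negotiated: protocol, cipher suite, the certificate's key algorithm (EC for the ECDSA certificate), whether a stapled OCSP response arrived, and the handshake time and session id of each connection, which is how the session-cache row of the table can be verified. It assumes Java 17+, a host and port given on the command line (localhost:8443 by default, a placeholder) and that the server certificate is trusted by the client, e.g. via -Djavax.net.ssl.trustStore.

```java
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

/** Connects to a TLS endpoint and reports what the handshake actually negotiated. */
public class TlsConfigCheck {

    /** One handshake's result, returned rather than only printed so it can be inspected. */
    public record HandshakeReport(String protocol, String cipher, String keyAlgorithm,
                                  String sessionId, int stapledResponses, long handshakeMillis) {}

    public static HandshakeReport handshake(SSLSocketFactory factory, String host, int port) throws Exception {
        long start = System.nanoTime();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            long millis = (System.nanoTime() - start) / 1_000_000;
            SSLSession session = socket.getSession();
            // Leaf certificate: "EC" here confirms the ECDSA certificate is the one being served.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            // Stapled OCSP responses are exposed on ExtendedSSLSession (JEP 249, Java 9+); the JDK client
            // asks for them by default (jdk.tls.client.enableStatusRequestExtension=true).
            int stapled = session instanceof ExtendedSSLSession ext ? ext.getStatusResponses().size() : 0;
            return new HandshakeReport(session.getProtocol(), session.getCipherSuite(),
                    leaf.getPublicKey().getAlgorithm(), HexFormat.of().formatHex(session.getId()),
                    stapled, millis);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        // One SSLContext is shared by both connections so the JSSE client-side session cache
        // can offer the first session for resumption on the second.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        HandshakeReport first = handshake(factory, host, port);
        HandshakeReport second = handshake(factory, host, port);
        System.out.println("protocol=" + first.protocol() + " cipher=" + first.cipher()
                + " key=" + first.keyAlgorithm() + " stapledOcspResponses=" + first.stapledResponses());
        System.out.println("handshake 1: " + first.handshakeMillis() + " ms, session " + first.sessionId());
        System.out.println("handshake 2: " + second.handshakeMillis() + " ms, session " + second.sessionId());
        // TLS 1.2: an identical session id on the second connection means the server resumed it from
        // its session cache. TLS 1.3 resumes via tickets, so compare the two handshake times instead.
        System.out.println("resumed (TLS 1.2 session id match): " + first.sessionId().equals(second.sessionId()));
    }
}
```

A self-signed certificate without an AIA OCSP URL yields stapledOcspResponses=0 even when stapling is enabled on the server, because there is no responder for the JDK to fetch from.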
## Key takeaways

- Enable the SSL session cache to avoid repeated full handshakes
- Prefer TLS 1.3 to reduce handshake round trips
- ECDSA certificates outperform RSA
- OCSP stapling reduces certificate validation latency
- Choose cipher suites that balance security and performance