boringssl

Cipher Suite

各版本的 TLS 都支持不同的的加密算法（Cipher Suite）。boringssl 支持的算法列表与配置方法见：

https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration

Intent to Remove: DHE-based ciphers

Envoy 相关的 Github Issues

• Unable to add particular ciphers (Eg. DHE-RSA-AES128-GCM-SHA256) #8848

错误码列表

https://github.com/google/boringssl/blob/master/crypto/err/ssl.errordata

实现支持 Cipher Suites 列表

hhttps://github.com/google/boringssl/blob/master/ssl/ssl_cipher.cc

static constexpr SSL_CIPHER kCiphers[] = {
    // The RSA ciphers
    // Cipher 02
    {
     SSL3_TXT_RSA_NULL_SHA,
     "TLS_RSA_WITH_NULL_SHA",
     SSL3_CK_RSA_NULL_SHA,
     SSL_kRSA,
     SSL_aRSA,
     SSL_eNULL,
     SSL_SHA1,
     SSL_HANDSHAKE_MAC_DEFAULT,
    },

    // Cipher 0A
    {
     SSL3_TXT_RSA_DES_192_CBC3_SHA,
     "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
     SSL3_CK_RSA_DES_192_CBC3_SHA,
     SSL_kRSA,
     SSL_aRSA,
     SSL_3DES,
     SSL_SHA1,
     SSL_HANDSHAKE_MAC_DEFAULT,
    },


    // New AES ciphersuites

    // Cipher 2F
    {
     TLS1_TXT_RSA_WITH_AES_128_SHA,
     "TLS_RSA_WITH_AES_128_CBC_SHA",
     TLS1_CK_RSA_WITH_AES_128_SHA,
     SSL_kRSA,
     SSL_aRSA,
     SSL_AES128,
     SSL_SHA1,
     SSL_HANDSHAKE_MAC_DEFAULT,
    },

    // Cipher 35
    {
     TLS1_TXT_RSA_WITH_AES_256_SHA,
     "TLS_RSA_WITH_AES_256_CBC_SHA",
     TLS1_CK_RSA_WITH_AES_256_SHA,
     SSL_kRSA,
     SSL_aRSA,
     SSL_AES256,
     SSL_SHA1,
     SSL_HANDSHAKE_MAC_DEFAULT,
    },