TLSv1.3 offers better performance and stronger security than TLSv1.2.
Reference article: 《TLS 1.3 VS TLS 1.2,让你明白 TLS 1.3 的强大》 (TLS 1.3 vs TLS 1.2: understanding the strength of TLS 1.3)
TLS 1.3 differs considerably from earlier protocol versions, mainly in:
The key point is the version numbers: use Netty 4.1.54 or later and the boringssl SSL module 2.0.34 or later, as shown below:
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-all</artifactId>
    <version>4.1.54.Final</version>
</dependency>
<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>2.0.34.Final</version>
</dependency>
Netty output:
io.netty.handler.ssl.SslHandler - [id: 0x35537343, L:/127.0.0.1:26911 - R:/127.0.0.1:9443] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_128_GCM_SHA256
As can be seen, it negotiated TLSv1.3 with the cipher suite TLS_AES_128_GCM_SHA256.
Wireshark capture:
As can be seen, Application Data already appears in the second packet; this is 0-RTT. One important difference between TLSv1.3 and TLSv1.2 is that it shortens the handshake.
Netty's related commit message on GitHub:
Netty 4.1.52.Final supports TLSv1.3 by default; see here for more info:
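As an added example (not code from the original post or from Netty itself), a server channel initializer that fails closed unless the native provider reports TLSv1.3 support, restricts the listener to TLSv1.3 on the BoringSSL provider, and logs the negotiated protocol and cipher suite, the same fields as the HANDSHAKEN line above. The class name Tls13ServerInitializer and the self-signed localhost certificate are assumptions for a local test.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import javax.net.ssl.SSLSession;

/** TLSv1.3-only server pipeline on the BoringSSL provider (hypothetical class for this example). */
public final class Tls13ServerInitializer extends ChannelInitializer<SocketChannel> {

    private final SslContext sslContext;

    public Tls13ServerInitializer(SslContext sslContext) {
        this.sslContext = sslContext;
    }

    /** Fail closed: refuse to start unless netty-tcnative is loaded and really offers TLSv1.3. */
    public static SslContext buildContext() throws Exception {
        if (!OpenSsl.isAvailable()) {
            throw new IllegalStateException("netty-tcnative not loaded", OpenSsl.unavailabilityCause());
        }
        if (!OpenSsl.isTlsv13Supported()) {
            throw new IllegalStateException("TLSv1.3 not supported by " + OpenSsl.versionString());
        }
        // Constructed self-signed certificate for a local test; production uses a real chain.
        SelfSignedCertificate ssc = new SelfSignedCertificate("localhost");
        return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
                .sslProvider(SslProvider.OPENSSL)   // backed by netty-tcnative-boringssl-static
                .protocols("TLSv1.3")               // no downgrade to TLSv1.2 on this listener
                .build();
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        SslHandler ssl = sslContext.newHandler(ch.alloc());
        ch.pipeline().addFirst("ssl", ssl);
        ssl.handshakeFuture().addListener(f -> {
            if (f.isSuccess()) {
                SSLSession s = ssl.engine().getSession();
                // Same fields as the HANDSHAKEN log line, e.g. TLSv1.3 / TLS_AES_128_GCM_SHA256
                System.out.printf("%s handshake: %s %s%n", ch, s.getProtocol(), s.getCipherSuite());
            } else {
                System.err.println("handshake failed: " + f.cause());
            }
        });
    }
}
```

Install it with ServerBootstrap.childHandler(new Tls13ServerInitializer(Tls13ServerInitializer.buildContext())); a client that only offers TLSv1.2 will fail the handshake rather than silently negotiating the older version.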
https://github.com/netty/netty/commit/b1d3aad404a39143da7a86c121d60f35c0d21108
Motivation:
When TLSv1.3 was introduced almost 2 years ago, it was decided to disable it by default, even when it's supported by the underlying TLS implementation. TLSv13 is pretty stable now in Java (out of the box in Java 11, OpenJSSE for Java 8, BoringSSL and OpenSSL) and may be enabled by default.
Modifications:
Ensure TLSv13 is enabled by default when the underlying JDK SSLEngine implementation enables it as well.
Result:
TLSv1.3 is now enabled by default, so users don't have to explicitly enable it.