如何强制 java 服务器只接受 tls 1.2 并拒绝 tls 1.0 和 tls 1.1 连接
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/32466407/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
提问by PankajSays
I have a https web service running on java 7. I need to make changes so that this service only accepts tls1.2 connection and reject ssl3, tls1.0 and tls1.1.
我有一个在 java 7 上运行的 https Web 服务。我需要进行更改,以便该服务只接受 tls1.2 连接并拒绝 ssl3、tls1.0 和 tls1.1。
I have added the following java parameter so that tls1.2 is highest priority.
我添加了以下 java 参数,以便 tls1.2 具有最高优先级。
-Dhttps.protocols=TLSv1.2
but it also accepts the tls1.0 connections from java clients. if the client is also running with above java parameter, the connection is tls1.2 but if the client is running without this parameter, the connections is tls1.0.
但它也接受来自 java 客户端的 tls1.0 连接。如果客户端也使用上述 java 参数运行,则连接为 tls1.2,但如果客户端在没有此参数的情况下运行,则连接为 tls1.0。
I did some play around the java.security file in jdk/jre/lib/security folder.
我对 jdk/jre/lib/security 文件夹中的 java.security 文件做了一些操作。
i currently have following disabled algorithms:
我目前有以下禁用算法:
jdk.certpath.disabledAlgorithms= MD2, MD4, MD5, SHA224, DSA, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
jdk.tls.disabledAlgorithms=DSA, DHE, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
I am using java 7, update 79. I am not inclined towards intercepting each connection and checking the tls version.
我正在使用 java 7,更新 79。我不倾向于拦截每个连接并检查 tls 版本。
My server certificate is 2048 bit generated with MD5 with RSA algorithm.
我的服务器证书是 2048 位的,使用 MD5 和 RSA 算法生成。
If the disabled algorithm list has RSA in place of RSA keySize < 2048, I get the SSLHandShakeError with error message : no cipher suites in common.
如果禁用的算法列表使用 RSA 代替 RSA keySize < 2048,我会收到 SSLHandShakeError 错误消息:没有共同的密码套件。
My test program is running the http server from following URL: http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html
我的测试程序正在从以下 URL 运行 http 服务器:http: //www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html
please help how to make java accept only tls 1.2 connections.
请帮助如何让java只接受tls 1.2连接。
采纳答案by PankajSays
I found a solution for this. I set the
我为此找到了解决方案。我设置了
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1
in the file jre/lib/security/java.security on the server.
在服务器上的文件 jre/lib/security/java.security 中。
After setting this, server only accepts the TLS1.2 connection and reject lower security protocol versions.
设置此项后,服务器只接受 TLS1.2 连接并拒绝较低安全协议版本。
回答by TyGp
Just a small remark;
只是一个小小的评论;
In the question you stated that you generated a 2048 size certificate with MD5. But in the cert path alg you disabled MD5 so this normally should not work. Secondly Server certificates generated with a MD5 hash are banned from modern browsers such as Internet Explorer 10/Edge.
在您提到的问题中,您使用 MD5 生成了一个 2048 大小的证书。但是在证书路径 alg 中,您禁用了 MD5,因此这通常不起作用。其次,现代浏览器(例如 Internet Explorer 10/Edge)禁止使用 MD5 哈希生成的服务器证书。
I would like to advice you to generate your Server certificate at least with a SHA256 or < hash.
我建议您至少使用 SHA256 或 < 哈希生成服务器证书。
回答by Abhimanyu Kumar
I have also done the same changes in "/java/jdk1.7.0_79/jre/lib/security"-java.security file but some of clients are still able to call my services with SSL protocol.
我还在“/java/jdk1.7.0_79/jre/lib/security”-java.security 文件中进行了相同的更改,但某些客户端仍然能够使用 SSL 协议调用我的服务。
----Changes jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048
----更改 jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048
