Java http 客户端和贵宾犬
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26429751/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Java http clients and POODLE
提问by ykaganovich
Regarding the POODLE vulnerability, if I understand it correctly, it requires a client that automatically downgrades TLS protocol to SSLv3 when failing to establish a secure channel with a server using higher version protocol advertised by the server.
关于POODLE漏洞,如果我理解正确的话,它需要一个客户端,当无法与使用服务器公布的更高版本协议的服务器建立安全通道时,它会自动将TLS协议降级为SSLv3。
Do the common java HTTP client libraries, specifically javax.net.ssl.HttpsURLConnection and Apache HttpClient, automatically downgrade the TLS protocol when failing to establish TLS session with a server? If not, am I correct that they are immune from he POODLE attack unless either (a) the server only supports SSLv3, or (b) a logic at a higher level performs the downgrade?
常见的 java HTTP 客户端库,特别是 javax.net.ssl.HttpsURLConnection 和 Apache HttpClient,在与服务器建立 TLS 会话失败时会自动降级 TLS 协议吗?如果不是,除非 (a) 服务器仅支持 SSLv3,或 (b) 更高级别的逻辑执行降级,否则我是否正确地认为它们不受 POODLE 攻击?
I'm looking for something like http://blog.hagander.net/archives/222-A-few-short-notes-about-PostgreSQL-and-POODLE.htmlbut for Java clients.
我正在寻找类似http://blog.hagander.net/archives/222-A-few-short-notes-about-PostgreSQL-and-POODLE.html 之类的东西,但适用于 Java 客户端。
采纳答案by ok2c
Apache HttpClient does not implement any of the TLS protocol aspects. It relies on JSSE APIs to do TLS/SSL handshaking and to establish secure SSL sessions. With the exception of SSL hostname verification logic, as far as TLS/SSL is concerned Apache HttpClient is as secure (or as vulnerable) as the JRE it is running in.
Apache HttpClient 不实现任何 TLS 协议方面。它依赖 JSSE API 进行 TLS/SSL 握手并建立安全的 SSL 会话。除了 SSL 主机名验证逻辑之外,就 TLS/SSL 而言,Apache HttpClient 与其运行的 JRE 一样安全(或一样易受攻击)。
Update:HttpClient 4.3 by default always uses TLS, so, unless one explicitly configures it to use SSLv3 HttpClient shouldnot be vulnerable to exploits based on POODLE.
更新:默认情况下 HttpClient 4.3 始终使用 TLS,因此,除非明确将其配置为使用 SSLv3,否则 HttpClient不应容易受到基于 POODLE 的攻击。
This turned out to be wrong. One MUSTexplicitly remove SSLv3 from the list of supported protocols!
结果证明这是错误的。一个必须明确地从所支持的协议列表中删除的SSLv3!
SSLContext sslContext = SSLContexts.custom()
.useTLS() // Only this turned out to be not enough
.build();
SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
sslContext,
new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
null,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient client = HttpClients.custom()
.setSSLSocketFactory(sf)
.build();
Update 2:As of version 4.3.6 HttpClient disables all versions of SSL (including SSLv3) by default.
更新 2:从 4.3.6 版开始,HttpClient 默认禁用所有版本的 SSL(包括 SSLv3)。
回答by yyvess
You MUST disable SSL v3.0 on java clients if you use https.
如果您使用 https,则必须在 Java 客户端上禁用 SSL v3.0。
This can be done by adding this property on java 6/7:
这可以通过在 java 6/7 上添加此属性来完成:
-Dhttps.protocols="TLSv1"
-Dhttps.protocols="TLSv1"
And for Java 8 :
对于 Java 8 :
-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
Source : http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
来源:http: //www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
回答by Dungeon Hunter
Apache HttpClient 4.3.6 disables SSLv3 by default.
Apache HttpClient 4.3.6 默认禁用 SSLv3。
Here's an excerpt from Apache HC 4.3.6 release notes
这是Apache HC 4.3.6 发行说明的摘录
Release 4.3.6
HttpClient 4.3.6 (GA) is a maintenance release that fixes several problems with HttpClient OSGi bundle as well as some other issues reported since release 4.3.5.
Please note that as of this release HttpClient disables all versions of SSL (including SSLv3) in favor of the TLS protocol by default. Those users who wish to continue using SSLv3 need to explicitly enable support for it.
Users of all HttpClient versions are advised to upgrade.
Changelog:
- SSLv3 protocol is disabled by default Contributed by Oleg Kalnichevski
版本 4.3.6
HttpClient 4.3.6 (GA) 是一个维护版本,修复了 HttpClient OSGi 包的几个问题以及自 4.3.5 版以来报告的一些其他问题。
请注意,从这个版本开始,HttpClient 默认禁用所有版本的 SSL(包括 SSLv3)以支持 TLS 协议。希望继续使用 SSLv3 的用户需要明确启用对它的支持。
建议所有HttpClient版本的用户升级。
变更日志:
- 默认情况下禁用 SSLv3 协议由 Oleg Kalnichevski 提供
Update:If you are running on JVM having version >= Java 1.8 Update 31 SSLv3 is disabled by default.Check out the release notes
更新:如果您在 JVM 上运行版本 >= Java 1.8 Update 31 默认情况下禁用 SSLv3。查看发行说明
回答by edge66
After spending considerable time trying to figure out why TLSv1.2 was being used despite setting -Dhttps.protocols="TLSv1" we finally found this post. The magic flag is indeed -Djdk.tls.client.protocols="TLSv1" and our Apache Axis 1.4 client works again. So in case you move from Java 7 to Java 8 you may need to add this flag as pre JAVA 8 used TLSv1 as default whereas JAVA 8 uses TLSv1.2
在花了大量时间试图弄清楚为什么尽管设置了 -Dhttps.protocols="TLSv1" 仍然使用了 TLSv1.2 之后,我们终于找到了这篇文章。神奇的标志确实是 -Djdk.tls.client.protocols="TLSv1" 并且我们的 Apache Axis 1.4 客户端再次工作。因此,如果您从 Java 7 迁移到 Java 8,您可能需要添加此标志,因为 JAVA 8 之前默认使用 TLSv1,而 JAVA 8 使用 TLSv1.2
Thanks!
谢谢!
