仅在 apache-tomcat-9 和 Java 8 中启用 TLS 1.2
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/52857932/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Enable TLS 1.2 only in apache-tomcat-9 and Java 8
提问by lab bhattacharjee
I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java
我已经在 Apache Tomcat 9.xx 中部署了我的 Web 应用程序,并且我有两个 Java 选项
- Openjdk version 1.8.x
- Oracle Java 1.8.x
- Openjdk 版本 1.8.x
- 甲骨文 Java 1.8.x
I need to allow TLS 1.2 only.
我只需要允许 TLS 1.2。
Please help guide me to achieve this.
请帮助指导我实现这一目标。
I have tried to follow the following links(Not sure if they are outdated).
我试图遵循以下链接(不确定它们是否已过时)。
But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
但是https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> 说:TLS 1.1 和 TLS 1.0 仍然启用。
how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8
如何在 Apache tomcat 8 中启用 TLS v1.2,我使用的是 Java 8
How do I disable SSLv3 in tomcat?
Does Tomcat support TLS v1.2?(The two steps mentioned by oraclesoondoesn't seem to work)
Tomcat 是否支持 TLS v1.2?(oraclesoon提到的两个步骤好像不行)
How do I disable SSLv3 support in Apache Tomcat?
如何在 Apache Tomcat 中禁用 SSLv3 支持?
Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8says sslProtocolis no longer used in java 8
还有如何 - 在 Tomcat 7 和 8 中禁用弱密码说sslProtocol在 java 8 中不再使用
回答by Ravindra Ranwala
You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:
您必须在 $CATALINA_BASE/conf/server.xml 文件中配置连接器。APR 配置的一个例子是:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
Please refer this configuration guideand try that out.
请参阅此配置指南并尝试一下。
回答by user3699842
I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)
我使用 tomcat 9.0.14 和 JSSE。它工作正常。(使用 TLSV1.1 和 TLSV1.2)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1,TLSv1.2">
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
请参阅:https: //tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
回答by Bill
If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilterand then inside the filter(RequestContext requestContext)method insert a check that verifies that the TLS connection adhere's to your requirement.
如果您需要逐个请求检查请求以确保有人没有错误配置您的服务器,您可以添加一个ContainerRequestFilter,然后在filter(RequestContext requestContext)方法中插入一个检查以验证 TLS 连接是否符合您的要求.
if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
throw new IllegalStateException("Invalid TLS version");
}
This example is from Tomcat 8, but I suspect an option may be available for other containers.
这个例子来自 Tomcat 8,但我怀疑其他容器可能有一个选项。
