java: How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license and attribute it to the original authors (not me), citing the original address: StackOverflow, http://stackoverflow.com/questions/26382540/

Time: 2020-11-02 09:49:45  Source: igfitidea

How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack

java, security, ssl, jetty

Asked by Atul Soman

Is there any specific exclusion list available which disables only SSLv3 ciphers and not TLSv1/2?

I have Jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows:

<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
                <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                    .........
                </New>
            </Arg>
            <Set name="ExcludeCipherSuites">
                <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_NULL_MD5</Item>
                <Item>SSL_RSA_WITH_NULL_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
                <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
                </Array>
            </Set>
        </New>
    </Arg>
</Call>
</Configure>

Still, when I run "sslscan --no-failed --ssl3 localhost:443" I get:

Supported Server Cipher(s):
  Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
  Accepted  SSLv3  128 bits  AES128-SHA

Prefered Server Cipher(s):
  SSLv3  128 bits  DHE-RSA-AES128-SHA
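The question verifies the fix with sslscan --ssl3. Current sslscan and OpenSSL builds (and therefore openssl s_client and Python's ssl module) no longer speak SSLv3 at all, so the probe below performs the same check by hand: it sends a minimal SSLv3 ClientHello over a plain socket and classifies the server's first reply. This is an added example, not code from the question or any of the answers; the host, port and the offered cipher-suite list are assumptions, and the only question it answers is whether the server still completes an SSLv3 ServerHello.

```python
"""Probe a server for SSLv3 support, as sslscan --ssl3 did when POODLE was published.

Added example, not from the question or the answers. The probe hand-builds an
SSLv3 ClientHello (record and handshake version 3.0) and classifies the first
record the server sends back:
  sslv3_accepted  ServerHello with version 3.0 in record and handshake: still exposed
  refused         alert record, or the server closed the connection without answering
  unexpected      anything else (non-TLS service, truncated or other reply)
"""
import socket
import struct
import sys

SSLV3 = b"\x03\x00"

# Suites offered in the hello. The first two are the ones the question's sslscan
# output shows as accepted; the rest are common SSLv3-era suites (assumed list).
CIPHER_SUITES = [
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA  (DHE-RSA-AES128-SHA)
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA      (AES128-SHA)
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]

RECORD_ALERT = 0x15
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record carrying a minimal SSLv3 ClientHello (no extensions)."""
    assert len(client_random) == 32
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                     # client_version = 3.0
        + client_random                           # gmt_unix_time + random; a fixed value is fine for a probe
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suites)) + suites # cipher_suites
        + b"\x01\x00"                             # compression_methods: one entry, null
    )
    # Handshake header: type (1 byte) + 24-bit length; record header: type, version, 16-bit length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned in answer to the SSLv3 ClientHello."""
    if not data:
        return "refused"                          # EOF or reset before any record
    if len(data) < 5:
        return "unexpected"
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == RECORD_ALERT:
        return "refused"                          # e.g. protocol_version or handshake_failure alert
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # data[9:11] is server_version inside the ServerHello body
        if (major, minor) == (3, 0) and data[9:11] == SSLV3:
            return "sslv3_accepted"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a plain TCP connection, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {probe(target, target_port)}")
```

Run it as `python3 sslv3probe.py localhost 443` before and after adding the ExcludeProtocols setter: the configuration in the question should report sslv3_accepted, and a server that has SSLv3 excluded answers with an alert (or simply closes the connection) and is reported as refused.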

Accepted answer by Lars

I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:

<Set name="ExcludeProtocols">
    <Array type="java.lang.String">
       <Item>SSLv3</Item>
    </Array>
</Set>

Give it a shot and let me know if it works for you.

Answer by Joakim Erdfelt

To expand on @Lars's answer...

For Jetty 7, Jetty 8, and Jetty 9 you have to exclude the protocol SSLv3 (not the cipher) on any SslContextFactory you are using to configure an SSL based Connector.

For a Jetty Distribution

Edit the ${jetty.home}/etc/jetty-ssl.xml and add the following XML snippet.

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
     <Item>SSLv3</Item>
  </Array>
</Set>

Inside of any element that manages an org.eclipse.jetty.http.ssl.SslContextFactory.

For Jetty Embedded

For any SslContextFactory you create/manage for your SSL based Connectors, you just need to set the excluded protocols.

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.addExcludeProtocols("SSLv3");
    sslContextFactory.setKeyStorePath(...);
    ...

Answer by user2918934

I have configured Jetty 8.1 without SSLv3. You can see the complete structure of jetty-ssl.xml.

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
      <Call name="addConnector">
        <Arg>
          <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
              <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                <Set name="keyStore">... </Set>
                <Set name="keyStorePassword">... </Set>
                <Set name="keyManagerPassword">... </Set>
                <Set name="trustStore">... </Set>
                <Set name="trustStorePassword">... </Set>
                <Set name="ExcludeProtocols">
                  <Array type="java.lang.String">
                    <Item>SSLv3</Item>
                  </Array>
                </Set>
              </New>
            </Arg>
            <Set name="port">... </Set>
            <Set name="maxIdleTime">... </Set>
          </New>
        </Arg>
      </Call>
    </Configure>
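The answers all turn on one detail: the setter is ExcludeProtocols on the SslContextFactory, and a long ExcludeCipherSuites list (the question's configuration) does not touch the protocol at all. As an added example, not code from the question or any answer, the script below audits a jetty-ssl.xml for exactly that: it walks every ExcludeProtocols setter, reports the <Item> values and which element owns them, and warns when cipher suites are excluded but no protocol is. The two embedded configurations are constructed, abbreviated versions of the question's file and of the fixed layout shown in the last answer; the element and attribute names are the ones Jetty's XML on this page uses, and whitespace inside an <Item> is reported as a warning rather than assumed harmless.

```python
"""Audit Jetty XML configuration files for an SSLv3 protocol exclusion.

Added example; not from the question or any answer. It parses a jetty-ssl.xml
style file, collects every <Set name="ExcludeProtocols"> item and reports
whether SSLv3 is excluded, flagging the question's situation (ciphers excluded,
protocol not). Jetty's DOCTYPE, if present, is ignored by ElementTree, which
is what we want: no external DTD fetch.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's file: a cipher exclusion list on
# the connector, no ExcludeProtocols anywhere (list abbreviated).
SAMPLE_UNFIXED = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory"/></Arg>
      <Set name="ExcludeCipherSuites"><Array type="java.lang.String">
        <Item>SSL_RSA_WITH_NULL_MD5</Item>
        <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      </Array></Set>
    </New>
  </Arg></Call>
</Configure>"""

# Constructed sample modelled on the fixed layout: ExcludeProtocols inside the
# SslContextFactory element.
SAMPLE_FIXED = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory">
        <Set name="ExcludeProtocols"><Array type="java.lang.String">
          <Item>SSLv3</Item>
        </Array></Set>
      </New></Arg>
    </New>
  </Arg></Call>
</Configure>"""


def _parent_map(root):
    """ElementTree has no parent pointers; build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def _owner_class(elem, parents):
    """Class of the nearest enclosing <New class="..."> (or the root <Configure>)."""
    elem = parents.get(elem)
    while elem is not None:
        if elem.get("class"):
            return elem.get("class")
        elem = parents.get(elem)
    return "?"


def audit(xml_text: str) -> dict:
    """Return the excluded protocols, cipher-suite exclusion count, verdict and warnings."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    findings = {"exclude_protocols": [], "exclude_cipher_suites": 0, "warnings": []}
    for setter in root.iter("Set"):
        items = [item.text or "" for item in setter.iter("Item")]
        if setter.get("name") == "ExcludeProtocols":
            owner = _owner_class(setter, parents)
            for raw in items:
                value = raw.strip()
                if value != raw:
                    findings["warnings"].append(
                        f"{owner}: ExcludeProtocols item {raw!r} has surrounding whitespace")
                findings["exclude_protocols"].append(value)
        elif setter.get("name") == "ExcludeCipherSuites":
            findings["exclude_cipher_suites"] += len(items)
    findings["sslv3_excluded"] = "SSLv3" in findings["exclude_protocols"]
    if not findings["exclude_protocols"] and findings["exclude_cipher_suites"]:
        findings["warnings"].append(
            "ExcludeCipherSuites is set but ExcludeProtocols is not: SSLv3 stays enabled")
    return findings


def audit_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        result = audit_file(path)
        status = "OK" if result["sslv3_excluded"] else "SSLv3 NOT EXCLUDED"
        print(f"{path}: {status}; ExcludeProtocols={result['exclude_protocols']}")
        for warning in result["warnings"]:
            print(f"  warning: {warning}")
```

Run it as `python3 jetty_sslv3_audit.py /path/to/jetty/etc/jetty-ssl.xml` (and any other XML that configures an SslContextFactory, since each connector has its own). The check is deliberately a static one; pair it with a live probe of the listening port, because a setter in the wrong element parses fine but changes nothing.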