Original URL: http://stackoverflow.com/questions/34136168/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
Stack Overflow
Force JVM to use certain Cipher for https connections
Asked by Salman A. Kagzi
I have a Java client which connects to certain web services using https. One of the requirements of the client is that we should be able to select from the list of supported cipher suites and then force the client to use them.
From the following page
- https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection. See the SSLSocket setEnabledCipherSuites(String[]) method.
But when I set this JVM attribute and list the default ciphers, I get the standard enabled cipher list, which is the same as when not using this property.
Code I am using to list the enabled ciphers:
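import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// List the cipher suites enabled on an unconnected socket from the default HTTPS socket factory
SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket();
String[] enabledCiphers = socket.getEnabledCipherSuites();
for (String enabledCipher : enabledCiphers) {
    System.out.println("Enabled Ciphers: " + enabledCipher);
}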
Setting the property using:
-Dhttps.cipherSuites=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA
Any suggestions?
Accepted answer by Petesh
This system property only affects the default https client code; not the overall list of ciphers, i.e. anything that uses an HttpsURLConnection would be controlled by the https.cipherSuites value.
It's not particularly well documented - it's in the source of sun.net.www.protocol.https, and it's explicitly called out in the jsse reference guide:
https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection.
If you want to override the socket factory in its entirety, you could create a class to do the same - this answer makes a reasonable attempt.