java 在 java8 中禁用 TLSv1.0
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/41181696/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Disabling TLSv1.0 in java8
提问by Prakhash
I'm trying to disable TLSv1.0 in Java 8
我正在尝试在 Java 8 中禁用 TLSv1.0
I have included TLSv1.0 in the following line as follow in the JRE/lib/security/java.security
我在 JRE/lib/security/java.security 中的以下行中包含了 TLSv1.0
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1.0
jdk.tls.disabledAlgorithms=SSLv3、RC4、MD5withRSA、DH、TLSv1.0
still, I'm getting the ciphers from the TLSv1.0 when I tested, but when I configured other versions like TLSv1.1, I was able to successfully remove the respective ciphers
仍然,我在测试时从 TLSv1.0 获取密码,但是当我配置其他版本(如 TLSv1.1)时,我能够成功删除相应的密码
What might be the issue for this ?
这可能是什么问题?
Is there is any way to remove a specific ciphers in JRE level?
有没有办法删除 JRE 级别的特定密码?
回答by Prakhash
for the first part question I was able to disable TLSv1.0 by modifying the line as below(used TLSv1 instead of TLSv1.0)
对于第一部分问题,我能够通过修改如下行来禁用 TLSv1.0(使用 TLSv1 而不是 TLSv1.0)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1
jdk.tls.disabledAlgorithms=SSLv3、RC4、MD5withRSA、DH、TLSv1
but I still want to get to know, is there are any possibilities that I can disable an entire cipher suite in JRE level, for example, removing below 3 ciphers
但我仍然想知道,是否有任何可能性我可以在 JRE 级别禁用整个密码套件,例如,删除以下 3 个密码
> RSA_WITH_3DES_EDE_CBC_SHA
> RSA_WITH_AES_128_CBC_SHA
> RSA_WITH_AES_256_CBC_SHA
回答by Brad Parks
You can disable TLSv1 and whatever ciphers you want using command line args, like so:
您可以使用命令行参数禁用 TLSv1 和任何您想要的密码,如下所示:
java -Djava.security.properties=disabled_tlsv1.properties
The file disabled_tlsv1.propertieshas a list of ciphers to disable, and supports protocols as well, e.g. TLSv1. The rest of the ciphers I list below are deemed insecure for TLSv1.1.
该文件disabled_tlsv1.properties包含要禁用的密码列表,并且还支持协议,例如TLSv1. 我在下面列出的其余密码对于 TLSv1.1 被认为是不安全的。
This still leaves TLSv1.1 workable though, as some ciphers for it are still enabled. Note that you can also do this in the JRE itself, to affect the entire server if you prefer, as detailed in the question itself.
尽管如此,这仍然使 TLSv1.1 可行,因为它的一些密码仍然启用。请注意,您也可以在 JRE 本身中执行此操作,如果您愿意,可以影响整个服务器,如问题本身所述。
disabled_tlsv1.properties
disabled_tlsv1.properties
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA
A git repo showing this, and how to verify that TLSv1 is disabled can be found here
可以在此处找到显示此内容以及如何验证 TLSv1 已禁用的 git repo
回答by wofei
Replace TLSv1.0 with TLSv1:
用 TLSv1 替换 TLSv1.0:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1
How to test?
如何测试?
openssl s_client -connect ip:port -tls1
回答by Roshith
You could force the client to use a specific protocol by setting the java option
您可以通过设置 java 选项强制客户端使用特定协议
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
Or if are looking for disabling a specific cipher you could try setting
或者,如果正在寻找禁用特定密码,您可以尝试设置
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
in java.security file
在 java.security 文件中
