Java: restricting cipher suites at the JRE level

Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA terms, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow. Original address: http://stackoverflow.com/questions/18589761/

Date: 2020-08-12 09:17:33  Source: igfitidea

Restrict cipher suites on JRE level

Tags: java, jce

Asked by Jk1

Our Java application exposes a lot of different interfaces (SMTP, FTP, HTTP), secured by SSL/TLS. The goal now is to limit cipher suites allowed on these interfaces to include only "strong" ones. I already have a list and it's clear how to make it working for a particular socket


socket.setEnabledCipherSuites(ENABLED_SECURE_CIPHER_SUITES);

or for Tomcat connector


 <Connector port="443" ciphers="..."/>

The problem is that there are already 5 places in the application where I should apply this limitation manually. Common SocketFactory does not seem to help, as it's not always feasible to supply custom SocketFactory to third-party API or framework. Is it possible to somehow introduce this limitation on JRE level, e.g. with JCE providers configuration or policy file?


JRE: Oracle JRE 1.7.0_17


Accepted answer by Jk1

Well, I managed to get that working. Thanks to EJP for pointing in the right direction. Since Java 1.7 there are two additional properties in $JRE_HOME/lib/security/java.security:


jdk.certpath.disabledAlgorithms=MD2

Controls algorithms for certification path building and validation.


jdk.tls.disabledAlgorithms=MD5, SHA1, RC4, RSA keySize < 1024

JVM-wide algorithm restrictions for SSL/TLS processing, the one I was looking for. Notation is quite obvious here; it's possible to disallow certain algorithms or limit key sizes. Both properties are supported in Oracle JRE 7, Open JRE 7 and (surprisingly) IBM Java v7.

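The following program is an added example (not from the question, the answer, or any project) that ties the two approaches together: it applies the JVM-wide jdk.tls.disabledAlgorithms restriction from the accepted answer programmatically at startup, which is equivalent to editing java.security, and then applies the per-socket setEnabledCipherSuites allow-list from the question while guarding against names the local JRE does not support. The allow-list contents, the extra disabled tokens, and the class and method names are assumptions for illustration; it assumes Java 8 or later and that it runs before anything else in the JVM has initialised JSSE, since the property is read once.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsPolicyCheck {

    // Constructed allow-list for the per-socket approach (assumption: these are the "strong" suites wanted).
    static final String[] ENABLED_SECURE_CIPHER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    };

    /**
     * Intersect an allow-list with the suites this JRE actually supports.
     * Passing an unsupported name to setEnabledCipherSuites throws IllegalArgumentException,
     * so filtering first keeps the same allow-list usable across different JREs.
     */
    static String[] supportedSubset(String[] allowList, String[] supported) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        return Arrays.stream(allowList).filter(supportedSet::contains).toArray(String[]::new);
    }

    /**
     * Append JVM-wide restrictions at runtime, the programmatic equivalent of editing
     * jdk.tls.disabledAlgorithms in java.security. Must run before any SSLContext is
     * initialised; JSSE reads the property once and ignores later changes.
     */
    static void restrictJvmWide(String extra) {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String merged = (current == null || current.isEmpty()) ? extra : current + ", " + extra;
        Security.setProperty("jdk.tls.disabledAlgorithms", merged);
    }

    /** True if any suite enabled by default still contains the given token (e.g. "RC4" or "MD5"). */
    static boolean defaultsContain(String token) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        return Arrays.stream(factory.getDefaultCipherSuites()).anyMatch(s -> s.contains(token));
    }

    public static void main(String[] args) throws Exception {
        // 1. JVM-wide policy: hypothetical extra tokens added on top of whatever java.security already lists.
        restrictJvmWide("RC4, MD5, 3DES_EDE_CBC, RSA keySize < 2048");
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("RC4 suites still enabled by default? " + defaultsContain("RC4"));

        // 2. Per-socket policy: the approach from the question, on an unconnected socket (no network needed).
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] chosen = supportedSubset(ENABLED_SECURE_CIPHER_SUITES, factory.getSupportedCipherSuites());
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledCipherSuites(chosen);
            System.out.println("Per-socket enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Run it with `java TlsPolicyCheck` and compare the two printed lists: the first line shows the merged JVM-wide policy, the second confirms that the disabled token no longer appears in any default suite, and the last shows only the allow-listed suites on the socket. For production, keeping the restriction in the java.security file (or in a separate file selected with `-Djava.security.properties=/path/to/override.security`) is more robust than setting it from code, because it does not depend on your code running before any library touches JSSE.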