如何使用Spring Boot和嵌入式tomcat禁用TLSv1.0? [英] How can I disable TLSv1.0 with spring boot and embedded tomcat?
问题描述
我想通过春季启动(版本1.3.3)停用TLSv1.0,但如果application.yml如下所示,则无效:
I want to de-activate TLSv1.0 with spring boot(release 1.3.3), but it doesn't work if application.yml as below:
ssl:
protocol: TLSv1.2
key-store: /E:/key/server.jks
key-store-password: serverpkcs12
ssl:
protocol: TLSv1.2
key-store: /E:/key/server.jks
key-store-password: serverpkcs12
如果仅在IE中选择使用TLS 1.0",我仍然可以访问网页. 查看此图片-不起作用.
I still can access web page if only choose "USE TLS 1.0" in IE. See this pic--not work.
但是,如果不使用嵌入式tomcat,并在server.xml中为Connector添加这些参数,则对我来说效果很好-IE阻止了该网页. 查看此图片-为我工作
However, if doesn't use embedded tomcat, and add these arguments for Connector located in server.xml, it works fine for me--web page blocked by IE. See this pic--worked for me
sslProtocols="TLSv1.2" sslEnabledProtocols="TLSv1.2"
我还尝试了一些VM参数,例如 -Dhttps.protocols ="TLSv1.2" ,它们都是无用的.
And I also tried some VM arguments, for exmaple -Dhttps.protocols="TLSv1.2", all of them are useless.
那我该怎么办?
推荐答案
最透明和易读的方法是,通过排除-当然-不需要的协议,在应用程序配置文件中显式配置有效的TLS协议.
The most transparent and readable way is to explicitly configure the valid TLS protocols in your application configuration file by excluding - of course - the unwanted ones.
例如在YAML中
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
然后您可以通过执行以下操作来启动服务器并检查TLSv1.0是否正常工作
You can then start your server and check whether TLSv1.0 is working by peforming the following
openssl s_client -connect localhost:443 -tls1
应拒绝上述连接,而将接受以下两个连接并打印证书的详细信息
The above connections should be rejected whereas the following two will be accepted and print the certificate's details
openssl s_client -connect localhost:443 -tls1_1
openssl s_client -connect localhost:443 -tls1_2
这篇关于如何使用Spring Boot和嵌入式tomcat禁用TLSv1.0?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!