How can I disable TLSv1.0 with spring boot and embedded tomcat?


Problem description

I want to de-activate TLSv1.0 with Spring Boot (release 1.3.3), but it doesn't work if application.yml is as below:

ssl:
  protocol: TLSv1.2
  key-store: /E:/key/server.jks
  key-store-password: serverpkcs12

I can still access the web page if only "Use TLS 1.0" is selected in IE. See this pic -- it doesn't work.

However, if I don't use embedded Tomcat and add these arguments to the Connector in server.xml, it works fine for me -- the web page is blocked by IE. See this pic -- it worked for me.

sslProtocols="TLSv1.2" sslEnabledProtocols="TLSv1.2"

And I also tried some VM arguments, for example -Dhttps.protocols="TLSv1.2"; all of them are useless.

So what should I do?

Recommended answer

The most transparent and readable way is to explicitly configure the valid TLS protocols in your application configuration file by excluding - of course - the unwanted ones.

For example in YAML

server.ssl.enabled-protocols=TLSv1.1,TLSv1.2

You can then start your server and check whether TLSv1.0 is working by performing the following

openssl s_client -connect localhost:443 -tls1

The above connection should be rejected, whereas the following two will be accepted and print the certificate's details

openssl s_client -connect localhost:443 -tls1_1
openssl s_client -connect localhost:443 -tls1_2
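As an added example (not part of the original question or answer): a small POSIX shell script that automates the openssl s_client checks above across TLS 1.0 to 1.3, prints which versions the server accepts, and fails when TLSv1.0 or TLSv1.1 is still offered, so it can run in a deployment pipeline after the `server.ssl.enabled-protocols` change. It assumes only that `openssl` is on PATH; host and port are arguments, and the sample outputs inside it are constructed. One caveat is built in: recent OpenSSL builds refuse to offer TLS 1.0/1.1 on the client side at their default security level, so a failed `-tls1` probe that says "no protocols available" is reported as "client-unsupported" rather than as proof that the server rejected it.

```shell
#!/bin/sh
# Added example, not Spring Boot's or the answer's own code: probe which TLS
# versions a server accepts using the same `openssl s_client` checks the
# answer uses, and fail when TLSv1.0 or TLSv1.1 is still accepted.

# classify_probe OUTPUT EXIT_CODE
# Prints one of: accepted | rejected | client-unsupported
# "client-unsupported" means the local OpenSSL would not even try that
# version (TLS 1.0/1.1 disabled by its security level, or an unknown
# -tls1_3 flag on old builds), so the probe says nothing about the server.
classify_probe() {
    out=$1
    rc=$2
    case "$out" in
        *"no protocols available"*|*"unknown option"*|*"Unknown option"*)
            echo client-unsupported
            return
            ;;
    esac
    # A completed handshake exits 0 and names a real cipher; a refused one
    # exits non-zero and/or prints "Cipher is (NONE)".
    if [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_version HOST PORT FLAG   (FLAG is -tls1, -tls1_1, -tls1_2 or -tls1_3)
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    rc=$?
    classify_probe "$out" "$rc"
}

# check_legacy_disabled HOST PORT
# Prints one line per version; returns 1 if TLSv1.0 or TLSv1.1 was accepted.
check_legacy_disabled() {
    legacy_accepted=0
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(probe_version "$1" "$2" "$flag")
        printf '%-8s %s\n' "$flag" "$result"
        case "$flag" in
            -tls1|-tls1_1)
                [ "$result" = accepted ] && legacy_accepted=1
                ;;
        esac
    done
    return $legacy_accepted
}

# Constructed sample outputs (abridged from what s_client prints) so the
# classifier can be exercised without a live server:
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 18 (self signed certificate)'

echo "sample rejected -> $(classify_probe "$SAMPLE_REJECTED" 1)"
echo "sample accepted -> $(classify_probe "$SAMPLE_ACCEPTED" 0)"

# Live check when a host and port are given, e.g.: sh tlscheck.sh localhost 443
if [ $# -ge 2 ]; then
    check_legacy_disabled "$1" "$2"
fi
```

Run it as `sh tlscheck.sh localhost 443` after starting the server; a non-zero exit means a legacy version is still reachable. It is also a quick way to confirm the distinction the answer relies on: `server.ssl.protocol` (the question's `protocol: TLSv1.2`) selects the SSLContext algorithm, while `server.ssl.enabled-protocols` controls which versions are actually offered on the wire.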
