TLSv1.2 on Jboss 5.1.0 GA using Java 6 and BouncyCastle


Problem description

I'm facing a problem with a Jboss server and the https connector, running on Java 6. I want to make my server use only TLSv1.2 and the cipher suites "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" for decoding the certificate.

I know that Java 6 does not support TLSv1.2, but I added the Bouncy Castle JCE and JSSE providers to the JDK (https://www.bouncycastle.org/latest_releases.html):


  • Added the JAR files (bcprov-jdk15on-159.jar, bctls-jdk15on-159.jar) to the path_to_jdk/jre/lib/ext folder

  • Edited file path_to_jdk/jre/lib/security/java.security to add the lines:

    security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.11=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

The java instruction SSLContext.getInstance("TLSv1.2"); does not throw a NoSuchAlgorithmException anymore if I test it in a small test class.

On Jboss:


  • Edited file path_to_jboss/server/default/deploy/jbossweb.sar/server.xml to have:

    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}"
               keystoreFile="${jboss.server.home.dir}/conf/jboss.pfx" keystorePass="password"
               sslProtocols="TLSv1.2" maxThreads="170"/>

After that, jboss is still providing only the SSLv3 and TLSv1 protocols for https connections.

Any solution?

Thanks

Recommended answer

I believe the 'sslProtocols' attribute translates to a call to SSLParameters.setProtocols (later given effect by SSLSocket.setParameters), and doesn't affect the SSLContext.getInstance call. So you are still getting a SunJSSE SSLContext because you added BCJSSE at lower priority.

I suggest moving the BouncyCastleJsseProvider entry in java.security to a higher priority (than com.sun.net.ssl.internal.ssl.Provider).

Also in java.security you will need to set the default KMF type from SunX509 to PKIX (change the existing entry):

ssl.KeyManagerFactory.algorithm=PKIX

This is because BCJSSE currently only works with its own KMF implementation.
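A small diagnostic, added here as an example (not code from the question or the answer), that makes the provider-priority point visible on a Java 6 JVM with bcprov/bctls in jre/lib/ext: it prints which provider answers a generic "TLS" request (the assumption being that the connector asks for "TLS" rather than "TLSv1.2") and which protocols that context can offer, then reproduces the two java.security changes the answer recommends (BCJSSE ahead of SunJSSE, default KMF set to PKIX) programmatically and prints the result again.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class JsseProviderCheck {

    // Which provider backs a generic "TLS" SSLContext, and which protocols
    // it can offer: a context from Java 6 SunJSSE tops out at TLSv1, which
    // matches the SSLv3/TLSv1-only behaviour seen on the connector.
    static String describe(String label) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers
        String[] protocols = ctx.getSupportedSSLParameters().getProtocols();
        return label + ": SSLContext from " + ctx.getProvider().getName()
             + ", supported protocols " + Arrays.toString(protocols)
             + ", default KMF algorithm " + KeyManagerFactory.getDefaultAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        // Provider order as loaded from java.security; with BCJSSE at
        // position 11 it sits behind SunJSSE, so SunJSSE answers "TLS".
        Provider[] loaded = Security.getProviders();
        for (int i = 0; i < loaded.length; i++) {
            System.out.println((i + 1) + ": " + loaded[i].getName());
        }
        System.out.println(describe("before"));

        // Same effect as moving the BouncyCastleJsseProvider entry above
        // com.sun.net.ssl.internal.ssl.Provider in java.security:
        // drop the existing entry and reinsert it at the head of the list.
        Security.removeProvider("BCJSSE");
        Security.insertProviderAt(
            new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(), 1);

        // Same effect as ssl.KeyManagerFactory.algorithm=PKIX in java.security;
        // BCJSSE needs its own KMF, so this must be set before ctx.init().
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");

        System.out.println(describe("after"));
    }
}
```

Run it with the same JDK the Jboss instance uses; the "after" line should name BCJSSE and list TLSv1.2 among the supported protocols, which is what the connector needs before sslProtocols="TLSv1.2" can take effect.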
