如何在Jetty中禁用SSLv3协议以防止Poodle攻击 [英] How to disable the SSLv3 protocol in Jetty to prevent Poodle Attack
本文介绍了如何在Jetty中禁用SSLv3协议以防止Poodle攻击的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
是否有任何特定的排除列表可用,仅禁用SSLv3密码不是TLSv1 / 2.
Is there any specific exclusion list available which disables only SSLv3 ciphers are not TLSv1/2.
我有码头8,现在升级到9不是一个选项。我当前的jetty-ssl.xml如下所示
I have jetty 8, and upgrading to 9 is not an option now. My current jetty-ssl.xml looks as follows
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
.........
</New>
</Arg>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>SSL_RSA_WITH_NULL_MD5</Item>
<Item>SSL_RSA_WITH_NULL_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
<Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
<Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
</Array>
</Set>
</New>
</Arg>
</Call>
当我运行sslscan时--no-failed --ssl3 localhost:443我得到
still when i run "sslscan --no-failed --ssl3 localhost:443" i get
Supported Server Cipher(s):
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
推荐答案
我必须在我们集成的应用程序中禁用SSLv3 Jetty源代码。根据我在代码中更改的内容,我猜您会添加以下内容:
I had to disable SSLv3 in an application where we integrate Jetty source code. Based on what I changed in code, I would guess you add the following:
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
试一试,让我知道它是否适合你。
Give it a shot and let me know if it works for you.
这篇关于如何在Jetty中禁用SSLv3协议以防止Poodle攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文