如何检测HttpServletRequest的TLS版本？ [英] How do I detect the TLS version of an HttpServletRequest?

问题描述

我正在逐步取消对网络应用程序的TLS 1.0和TLS 1.1的支持。

I am in the process of phasing out support for TLS 1.0 and TLS 1.1 for a web application.

我想检测用户是否会对此产生影响他们正在为我的服务器建立连接。

I would like to detect users this will impact based on the connections they are making to my servers.

我正在运行Tomcat 7和Java 8.

I am running Tomcat 7 and Java 8.

我如何检测HttpServletRequest的TLS版本？

How do I detect the TLS version of an HttpServletRequest?

推荐答案

这在Java中是不切实际的。它需要修改JSSE实现或插入替代方案。

This is not practical to do in Java. It requires modifying the JSSE implementation or plugging in an alternative.

我最终通过部署如何使用我的SSL 并使用客户端的跨域AJAX检查SSL状态并将其报告给我的应用服务器。

I eventually solved this by deploying How's My SSL and using cross-domain AJAX from the client-side to check the SSL state and report it to my app server.

您需要从客户端获得未经批准的直接请求才能正确评估其SSL状态。不要在如何使用我的SSL前面放置HTTPS负载均衡器。它会破坏它并给你不正确的结果。

You need to have unproxied direct requests from a client to properly assess the state of their SSL. Do NOT put an HTTPS load balancer in front of How's My SSL. It will break it and give you incorrect results.

这是一段客户端JavaScript，可以使用公共的How我的SSL服务（我建议部署你自己的） ）：

Here is a snippet of client-side JavaScript that should work using the public How's My SSL service (I recommend deploying your own):

$.getJson('https://www.howsmyssl.com/a/check')
.done(function (result) {
    $.post('/logs', {
                    name: 'howsmyssl',
                    level: 'info',
                    message: result
    });
})
.fail(function(err) {
    $.post('/logs', {
                    name: 'howsmyssl',
                    level: 'error',
                    message: 'could not reach howsmyssl'
    });
});

您需要在 / logs 上运行一个REST端点可以接收POST以捕获此内容的应用服务器。您可以将该路径和消息格式更改为您心中的内容。应该对此端点进行身份验证，并且应该使用事件时间，经过身份验证的主体（用户）以及可能的其他信息（如IP地址）来丰富日志。

You will need to have a REST endpoint running at /logs on your app server that can receive a POST to capture this. You can change that path and the format of the message to your heart's content. This endpoint should be authenticated and should enrich the logs with the event time, the authenticated principal (user), and possibly other information like the IP address.

结果的内容看起来像这样（漂亮的印刷使其更容易阅读）：

The contents of result look like this (pretty-printed to make it easier to read):

{
    "given_cipher_suites": [
        "TLS_GREASE_IS_THE_WORD_8A",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    ],
    "ephemeral_keys_supported": true,
    "session_ticket_supported": true,
    "tls_compression_supported": false,
    "unknown_cipher_suite_supported": false,
    "beast_vuln": false,
    "able_to_detect_n_minus_one_splitting": false,
    "insecure_cipher_suites": {
    },
    "tls_version": "TLS 1.2",
    "rating": "Probably Okay"
}

您可以将其记录到日志聚合器或数据库，以便稍后查询以查找要呼叫或发送电子邮件的特定用户。您甚至可以提醒用户注意浏览器在您的应用中的TLS中的差距，并特别强调即将到来的TLS 1.2截止日期以及他们可以采取的更新浏览器以补偿的步骤。

You can log this to a log aggregator or a database to query it later to find specific users to call or email. You could even alert users to the gaps in their browser's TLS within your app and specifically highlight the approaching TLS 1.2 deadline and steps they can take to update their browser to compensate.

这篇关于如何检测HttpServletRequest的TLS版本？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！