如何在Jetty中禁止特定的SSL协议? [英] How do I disallow particular SSL protocols in Jetty?
问题描述
我在Debian 6.0.7上的Jetty 6 + Open JDK 7上运行了一个Web应用程序。当客户端启动HTTPS连接时,我有安全要求接受TLS握手但不 SSLv3.0握手。
I have a web application running on Jetty 6 + Open JDK 7 on Debian 6.0.7. I have a security requirement to accept a TLS handshake but not an SSLv3.0 handshake when a client initiates an HTTPS connection.
在我的码头.xml我将协议设置为TLS:
In my jetty.xml I set the protocol to TLS:
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="protocol">TLS</Set>
...
使用此配置,Web服务器似乎仍然接受SSLv3。 0握手。这已通过'sslscan'工具验证并运行'curl -sslv3 -kv {host}'。
With this configuration, the web server still appears to accept an SSLv3.0 handshake. This has been verified with the 'sslscan' tool and running 'curl -sslv3 -kv {host}'.
是否可以将Jetty配置为仅接受TLS握手?如果需要,我愿意升级我的Jetty版本。
Is it possible to configure Jetty to only accept a TLS handshake? I would be willing to upgrade my Jetty version if needed.
推荐答案
我找到了两个解决方案:
I found two solutions:
升级到Jetty 9,它支持jetty.xml条目:
Upgrade to Jetty 9, which supports the jetty.xml entry:
<Arg name="sslContextFactory">
...
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
或者,Jetty 6为SslSocketConnector和SSLServerSocketFactory创建委托类:
Or, with Jetty 6 create delegate classes for SslSocketConnector and SSLServerSocketFactory:
jetty.xml:
...
<New class="com.src.TlsSocketConnector">
...
</New>
public class TlsSocketConnector extends SslSocketConnector {
@Override
protected SSLServerSocketFactory createFactory() throws Exception {
return new TlsServerSocketFactory( super.createFactory() );
}
}
public class TlsServerSocketFactory extends SSLServerSocketFactory {
private SSLServerSocketFactory delegate;
public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
this.delegate = delegate;
}
//Repeat this pattern for all createServerSocket() methods
public ServerSocket createServerSocket() throws IOException {
SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
return socket;
}
// Directly delegated methods from SSLServerSocketFactory
public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
这篇关于如何在Jetty中禁止特定的SSL协议?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!