如何在Jetty中禁止特定的SSL协议？ [英] How do I disallow particular SSL protocols in Jetty?

问题描述

我在Debian 6.0.7上的Jetty 6 + Open JDK 7上运行了一个Web应用程序。当客户端启动HTTPS连接时，我有安全要求接受TLS握手但不 SSLv3.0握手。

I have a web application running on Jetty 6 + Open JDK 7 on Debian 6.0.7. I have a security requirement to accept a TLS handshake but not an SSLv3.0 handshake when a client initiates an HTTPS connection.

在我的码头.xml我将协议设置为TLS：

In my jetty.xml I set the protocol to TLS:

<New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="protocol">TLS</Set>
    ...

使用此配置，Web服务器似乎仍然接受SSLv3。 0握手。这已通过'sslscan'工具验证并运行'curl -sslv3 -kv {host}'。

With this configuration, the web server still appears to accept an SSLv3.0 handshake. This has been verified with the 'sslscan' tool and running 'curl -sslv3 -kv {host}'.

是否可以将Jetty配置为仅接受TLS握手？如果需要，我愿意升级我的Jetty版本。

Is it possible to configure Jetty to only accept a TLS handshake? I would be willing to upgrade my Jetty version if needed.

推荐答案

我找到了两个解决方案：

I found two solutions:

升级到Jetty 9，它支持jetty.xml条目：

Upgrade to Jetty 9, which supports the jetty.xml entry:

<Arg name="sslContextFactory">
    ...
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
     </Set>

或者，Jetty 6为SslSocketConnector和SSLServerSocketFactory创建委托类：

Or, with Jetty 6 create delegate classes for SslSocketConnector and SSLServerSocketFactory:

jetty.xml:
  ...
  <New class="com.src.TlsSocketConnector">
    ...
  </New>

public class TlsSocketConnector extends SslSocketConnector  {
  @Override
  protected SSLServerSocketFactory createFactory() throws Exception {
    return new TlsServerSocketFactory( super.createFactory() );
  }
}

public class TlsServerSocketFactory extends SSLServerSocketFactory {

  private SSLServerSocketFactory delegate;

  public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
    this.delegate = delegate;
  }

  //Repeat this pattern for all createServerSocket() methods
  public ServerSocket createServerSocket() throws IOException {
    SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
    socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
    return socket;
  }

  // Directly delegated methods from SSLServerSocketFactory
  public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}

这篇关于如何在Jetty中禁止特定的SSL协议？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！