Disable all elliptic curves except secp256 for TLS?


Problem description

Android 5.0 uses OpenSSL and it provides TLS 1.2 support (from the AOSP patches and diffs, it looks like OpenSSL 1.0.0). The Android client offers the elliptic curve zoo (all of them, including prime and binary, and the weak and wounded curves). I'd like to limit the curves to only secp256 for testing.

I'm having trouble locating the setting in classes like SSLSocketFactory.

How do I disable all curves except secp256 used in TLS?

Recommended answer

In the OpenSSL library, the curves are defined in a static array:

https://android.googlesource.com/platform/external/openssl/+/master/crypto/ec/ec_curve.c line 1832

in the static array curve_list;

The OpenSSL library does not provide any API to manipulate this array, so if you use the Android system-provided libcrypt.so, there is no normal way to manipulate this array.

If you use JNI, you can recompile a custom OpenSSL and delete the other curves in curve_list.

If you use Java, since EC is mostly used in ECDH and ECDSA:

1. In ECDSA the curve used is decided by the certificate; you just need to use secp256 to generate an EC certificate.

2. In ECDH, OpenSSL has an API SSL_CTX_set_tmp_ecdh() to set the ECDH curve. See: https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L976 I am sorry, I am not familiar with Java; I have no idea how to access this in Java on Android.
