How to set HTTPS SSL Cipher Suite Preference in Spring Boot embedded Tomcat
Problem description
I am trying to set the HTTPS SSL cipher suite preference according to the server's preference rather than auto-selecting, from the cipher suites that client and server have in common, the one with the highest strength.
I would like to let the server choose, among the suites common to server and client, one having "TLS_ECDHE..." in order to support Forward Secrecy. Now, when I tested on "www.ssllabs.com", the client browser preferred a cipher having "TLS_RSA..." rather than "TLS_ECDHE"...
I noticed that Java 8 supports setting a cipher suite preference: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
I assume Spring Boot's embedded Tomcat will call the Java 8 function to choose the cipher.
Here is what I did in the Spring Boot application.properties file to set the server-supported cipher set:
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
Hopefully someone can guide me on how to override the default cipher-selection behaviour.
Recommended answer
You need to tell the connector's underlying protocol handler to use the server's cipher suite order. You can do so with an EmbeddedServletContainerCustomizer:
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
    return (factory) -> {
        ((TomcatEmbeddedServletContainerFactory) factory)
            .addConnectorCustomizers((connector) -> {
                // Honour the order of server.ssl.ciphers instead of the client's preference.
                // Tomcat 8.0 takes this setting as a String; Tomcat 8.5+ takes a boolean.
                ((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
                    .setUseServerCipherSuitesOrder(Boolean.toString(true));
            });
    };
}
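Added example, not code from the question or the answer above and not Spring Boot or Tomcat code: a standalone JSSE program showing what the Tomcat setting resolves to at the Java 8 level, SSLParameters.setUseCipherSuitesOrder(true), applied to suites taken from the question's server.ssl.ciphers value. The class name CipherOrderCheck, the helper names and the shortened cipher list are assumptions of this example; it performs no handshake, it only configures a server-mode SSLEngine and reads back the order and flag it would use.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Added example: server-side cipher order and preference flag at the JSSE level. */
public class CipherOrderCheck {

    // First entries of the server.ssl.ciphers value from the question, in server preference order.
    static final String CONFIGURED_CIPHERS =
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
        + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
        + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";

    /** Keep only the configured suites this JVM implements, preserving the configured order. */
    static List<String> supportedInOrder(SSLEngine engine, String csv) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        List<String> result = new ArrayList<>();
        for (String name : csv.split(",")) {
            String suite = name.trim();
            if (supported.contains(suite)) {
                result.add(suite);
            } else {
                // An unknown name passed to setCipherSuites throws IllegalArgumentException,
                // so report and drop it instead of letting the whole configuration fail.
                System.err.println("not supported by this JVM, dropped: " + suite);
            }
        }
        return result;
    }

    /** True for an ephemeral (EC)DHE key exchange in TLS 1.2 suite names, i.e. forward secrecy.
     *  TLS 1.3 suites (TLS_AES_..., Java 11+) always use ephemeral keys and are not matched here. */
    static boolean hasForwardSecrecy(String suite) {
        return suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Server-mode engine, the same role as Tomcat's connector; no handshake is run here.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        List<String> ordered = supportedInOrder(engine, CONFIGURED_CIPHERS);
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(ordered.toArray(new String[0]));
        // The Java 8 JSSE flag that Tomcat's useServerCipherSuitesOrder="true" turns on.
        params.setUseCipherSuitesOrder(true);
        engine.setSSLParameters(params);

        // Read back what the engine will now offer: our order, server preference honoured.
        String[] enabled = engine.getEnabledCipherSuites();
        boolean serverOrder = engine.getSSLParameters().getUseCipherSuitesOrder();
        System.out.println("useCipherSuitesOrder = " + serverOrder);
        for (int i = 0; i < enabled.length; i++) {
            System.out.printf("%2d %-45s forwardSecrecy=%b%n",
                i + 1, enabled[i], hasForwardSecrecy(enabled[i]));
        }
    }
}
```

Compile and run with `javac CipherOrderCheck.java && java CipherOrderCheck`. The printed list is the order the server will walk when picking a suite from the client's offer once the preference flag is set; any suite the running JVM does not implement is reported on stderr and left out, which is the same filtering a practitioner should apply to a long server.ssl.ciphers list before relying on it.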