Java-如何使用JVM Config仅对某些协议禁用TLS密码? [英] Java - How can I disable a TLS cipher for only some protocols using JVM Config?
问题描述
I've seen lots of examples of disabling TLS ciphers in java using jdk.tls.disabledAlgorithms, for example:
jdk.tls.disabledAlgorithms=MD2, RSA keySize < 1024, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
但是如何使用jdk.tls.disabledAlgorithms或类似的配置仅对某些协议禁用密码?
But how can I disable a cipher for only certain protocols, using jdk.tls.disabledAlgorithms or a similar config?
例如,如何仅对TLSv1.1禁用TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256?
似乎不支持opensssl这样做,就像这样:
It doesn't seem to support the opensssl way of doing this, which is like so:
TLSv1.1:!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
它不会引起任何错误,但是仍然允许使用密码.
It doesnt cause any errors, but the cipher is still allowed.
请注意,我只对基于JVM config的答案非常感兴趣,因为我不控制许多这类服务器上的代码,仅控制JVM和JVM配置.有些甚至是第三方服务器,因此更多的是运维级别的事情.
Note that I'm only really interested in JVM config based answers, as I don't control the code that's on lots of these servers, just the JVM and JVM configurations. Some are even 3rd party servers, so more of an ops level thing than anything.
请注意,您可以运行Java应用并提供参数,以更改所使用的协议和密码,例如java -server -Djava.security.properties=./my/custom/java.security -jar myapp.jar会做到这一点-但它不能让您从协议中按协议(仅密码或协议)筛选密码.该文件将包含一个属性条目,例如jdk.tls.disabledAlgorithms
EDIT 2: Note that you can run a java app and supply arguments that change which protocols and ciphers are used, e.g. java -server -Djava.security.properties=./my/custom/java.security -jar myapp.jar will do it - but it wont let you filter ciphers by protocol, only ciphers, or protocols, from what I can see. The file would contain a property entry like jdk.tls.disabledAlgorithms
推荐答案
将我的评论发布为答案,因为为什么不这样做.
Posting my comment as an answer because why not.
其他答案,以及我在网上找到的所有文档,似乎都同意,您所要求的功能不可能在Java中完成,至少现在还不能.您可以全局启用/禁用协议,也可以全局启用/禁用密码类型,但是不能基于另一种进行加密.
Other answers, and every doc I've found online, seems to agree that what you are asking for is not possible to do within Java, not yet at least. You can enable / disable protocols globally, and you can enable / disable cipher types globally, but you cannot do one based on the other.
但是,由于您在DevOps方面,因此也许可以使用非Java解决方案.您可以运行该应用程序的单独实例,每个实例仅启用TLSv1.1,仅启用TLSv1.2等,然后将所需的密码过滤器应用于每个实例.然后让nginx(或您使用的任何设备)根据检测到的协议将流量重定向到适当的实例.
However, since you are on the DevOps side, maybe a non-Java solution is possible. You could run separate instances of the app, each one having only TLSv1.1, only TLSv1.2 etc. enabled, and apply the desired cipher filter to each one; and then have nginx (or whatever you use) redirect traffic to the appropriate instance depending on the detected protocol.
因此,NODE1的一个实例具有:
So, one instance at NODE1 with:
jdk.tls.client.protocols=TLSv1.1
jdk.tls.disabledAlgorithms=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
NODE2上的另一个实例,具有:
Another instance at NODE2 with:
jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=...
和一些nginx规则(根据需要使用return或rewrite):
And some nginx rules (use return or rewrite as you see fit):
server {
[...]
if ( $ssl_protocol = TLSv1.1 ) {
return 302 $scheme://NODE1.yourhost.com$request_uri;
}
if ( $ssl_protocol = TLSv1.2 ) {
rewrite ^ $scheme://NODE2.yourhost.com$request_uri;
}
我只是一个Java开发人员,我对nginx的经验非常有限,因此您可能需要稍微调整一下配置.只是想帮助.
I'm just a Java dev, my experience with nginx is very limited so you might need to tweak the config a bit. Just trying to help.
这篇关于Java-如何使用JVM Config仅对某些协议禁用TLS密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
