如何强制Java小程序使用TLS1.0 / TLS1.1加载 [英] How to force Java applet to load using TLS1.0 / TLS1.1

问题描述

我有多个用户加载Java小程序的Web应用程序。现在存在着负载均衡器不支持TLS1.2这是Java8默认的问题，似乎Java8不会自动尝试低版本

我怎么可以强制小程序使用TLS 1.0 / 1.1加载？我试图把这个进入的＆lt; APPLET>：

 ＆LT; PARAM NAME =java_argumentsVALUE = -  Dhttps.protocols =使用TLSv1＆GT;
 

任何帮助是AP preciated，不是很热衷于解决方案，其中数百个用户的需要来配置他们的Java客户端。

这从这个问​​题被带到了起点：
Java小程序不加载上Java8 / HTTPS

解决方案

  

我有多个用户加载Java小程序的Web应用程序......我如何可以强制小程序使用TLS装载1.0 / 1.1？

该小程序是由浏览器，Java不装载。所以，它不能帮助在这里提出任何Java相关的设置。这些设置仅相关的，如果该applet本身与服务器通信。
编辑：下载由Java插件完成。这不会影响的答案，即，这个问题必须固定在负载平衡器的其余部分。

  

现在存在的是，负载均衡器不支持TLS1.2问题

除非负载均衡被打破，将协商一个较低的协议版本。这是TLS的固有行为双方都同意最好的版本都支持。但是，有断负载均衡在那里它只是不明白TLS1.2或行为奇怪，当与更可能与TLS1.2（旧的F5，长期固定）的数据包遇到。

不幸的是，如果这恰好是这样一个破旧F5你可能是出于运气，因为在这些负载平衡器的错误引起的数据包被丢弃，以便连接将保持打开状态，直到超时。在这种情况下，大多数浏览器不降级到一个较低的TLS版本，因为它们只在像同行紧密的连接错误，立即降级。
所有你能在这种情况下，做的是修复损坏负载平衡器。

I have an web application from which multiple users loads a Java applet. Now there is a problem that the loadbalancer does not support TLS1.2 which is the default for Java8 and it seems that Java8 does not automatically try lower version.

How can I force the applet to be loaded using TLS 1.0/1.1? I have tried to put this into the <applet>:

<PARAM name="java_arguments" value="-Dhttps.protocols=TLSv1">

Any help is appreciated, not very keen on solution where hundreds of users need to configure their Java clients.

This the starting point from which this question was brought up: Java applet not loading on Java8/HTTPS

解决方案

I have an web application from which multiple users loads a Java applet... How can I force the applet to be loaded using TLS 1.0/1.1?

The applet is loaded by the browser, not by Java. So it does not help to make any Java related settings here. These settings are only relevant if the applet itself communicates with the server. Edit: The download is done by the Java plugin. This does not affect the rest of the answer i.e. that the problem must be fixed at the load balancer.

Now there is a problem that the loadbalancer does not support TLS1.2

Unless the load balancer is broken it will negotiate to a lower protocol version. It is inherent behavior of TLS that both parties agree to the best version both support. But, there are broken load balancers out there which simply do not understand TLS1.2 or behave strange when confronted with larger packets which are more likely with TLS1.2 (older F5, long fixed).

Unfortunately, if this happens to be such an old broken F5 you might be out of luck because a bug in these load balancers caused the packet to be dropped, so that the connection would stay open until timeout. In this case most browsers do not downgrade to a lower TLS version, because they only downgrade on immediate errors like a connection close from the peer. All you can do in this case is to fix the broken load balancer.

这篇关于如何强制Java小程序使用TLS1.0 / TLS1.1加载的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！