Force JVM to use certain Cipher for https connections

Problem description

I have a Java client which connects to certain web services using https. One of the requirements of the client is that we should be able to select from the list of supported cipher suites and then force the client to use them.

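From the following page:

  • https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection. See the SSLSocket.setEnabledCipherSuites(String[]) method.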

But when I set this JVM attribute and list the default ciphers, I get the standard enabled cipher list, which is the same as when not using this property.

Code I am using to list the enabled ciphers:

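import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Unconnected socket taken from the default factory of HttpsURLConnection
SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket();

String[] enabledCiphers = socket.getEnabledCipherSuites();

for (String enabledCipher : enabledCiphers) {
    System.out.println("Enabled Ciphers: " + enabledCipher);
}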

Setting the property using:

-Dhttps.cipherSuites=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA

Any suggestions?

Recommended answer

This system property only affects the default https client code; not the overall list of ciphers, i.e. anything that uses an HttpsURLConnection would be controlled by the https.cipherSuites value.

It's not particularly well documented - it's in the source of sun.net.www.protocol.https, and it's explicitly called out in the JSSE reference guide:

https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection.

If you want to override the socket factory in its entirety, you could create a class to do the same - this answer makes a reasonable attempt.
