如何强制使用 TLS1.0/TLS1.1 加载 Java 小程序 [英] How to force Java applet to load using TLS1.0 / TLS1.1

问题描述

我有一个 Web 应用程序，多个用户可以从中加载一个 Java 小程序.现在有一个问题，负载均衡器不支持Java8默认的TLS1.2，似乎Java8不会自动尝试低版本.

I have an web application from which multiple users loads a Java applet. Now there is a problem that the loadbalancer does not support TLS1.2 which is the default for Java8 and it seems that Java8 does not automatically try lower version.

如何强制使用 TLS 1.0/1.1 加载小程序?我试图把它放到 <applet> 中:

How can I force the applet to be loaded using TLS 1.0/1.1? I have tried to put this into the <applet>:

<PARAM name="java_arguments" value="-Dhttps.protocols=TLSv1">

感谢任何帮助，但对数百名用户需要配置其 Java 客户端的解决方案并不十分热衷.

Any help is appreciated, not very keen on solution where hundreds of users need to configure their Java clients.

这是提出这个问题的起点:Java 小程序未在 Java8/HTTPS 上加载

This the starting point from which this question was brought up: Java applet not loading on Java8/HTTPS

推荐答案

我有一个 Web 应用程序，多个用户从中加载一个 Java 小程序...如何强制使用 TLS 1.0/1.1 加载小程序?

I have an web application from which multiple users loads a Java applet... How can I force the applet to be loaded using TLS 1.0/1.1?

小程序由浏览器加载，而不是由Java加载.所以在这里做任何Java相关的设置都无济于事.这些设置仅在小程序本身与服务器通信时才相关.下载是由 Java 插件完成的.这不会影响答案的其余部分，即问题必须在负载均衡器上解决.

The applet is loaded by the browser, not by Java. So it does not help to make any Java related settings here. These settings are only relevant if the applet itself communicates with the server. The download is done by the Java plugin. This does not affect the rest of the answer i.e. that the problem must be fixed at the load balancer.

现在出现负载均衡器不支持TLS1.2的问题

Now there is a problem that the loadbalancer does not support TLS1.2

除非负载平衡器损坏，否则它将协商到较低的协议版本.双方都同意双方支持的最佳版本是 TLS 的固有行为.但是，那里有一些损坏的负载均衡器，它们根本不理解 TLS1.2，或者在遇到更可能使用 TLS1.2 的较大数据包时表现得很奇怪(较旧的 F5，长期固定).

Unless the load balancer is broken it will negotiate to a lower protocol version. It is inherent behavior of TLS that both parties agree to the best version both support. But, there are broken load balancers out there which simply do not understand TLS1.2 or behave strange when confronted with larger packets which are more likely with TLS1.2 (older F5, long fixed).

不幸的是，如果这恰好是一个旧的损坏的 F5，你可能会倒霉，因为这些负载均衡器中的错误导致数据包被丢弃，因此连接将保持打开状态直到超时.在这种情况下，大多数浏览器不会降级到较低的 TLS 版本，因为它们只会在立即发生错误时降级，例如从对等方关闭连接.在这种情况下，您所能做的就是修复损坏的负载平衡器.

Unfortunately, if this happens to be such an old broken F5 you might be out of luck because a bug in these load balancers caused the packet to be dropped, so that the connection would stay open until timeout. In this case most browsers do not downgrade to a lower TLS version, because they only downgrade on immediate errors like a connection close from the peer. All you can do in this case is to fix the broken load balancer.

这篇关于如何强制使用 TLS1.0/TLS1.1 加载 Java 小程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！