如何强制 java 服务器只接受 tls 1.2 并拒绝 tls 1.0 和 tls 1.1 连接 [英] How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
问题描述
我有一个在 Java 7 上运行的 HTTPS Web 服务.我需要进行更改,以便该服务只接受 TLS1.2 连接并拒绝 SSL3、TLS1.0 和 TLS1.1.
I have a HTTPS web service running on Java 7. I need to make changes so that this service only accepts TLS1.2 connection and reject SSL3, TLS1.0 and TLS1.1.
我添加了以下 Java 参数,以便 TLS1.2 具有最高优先级.
I have added the following Java parameter so that TLS1.2 is the highest priority.
-Dhttps.protocols=TLSv1.2
但它也接受来自 Java 客户端的 TLS1.0 连接.如果客户端也使用上述 Java 参数运行,则连接为 TLS1.2,但如果客户端未使用此参数运行,则连接为 TLS1.0.
but it also accepts the TLS1.0 connections from Java clients. If the client is also running with above Java parameter, the connection is TLS1.2 but if the client is running without this parameter, the connections is TLS1.0.
我对 jdk/jre/lib/security 文件夹中的 java.security 文件做了一些尝试.
I did some play around the java.security file in jdk/jre/lib/security folder.
我目前有以下禁用的算法:
I currently have following disabled algorithms:
jdk.certpath.disabledAlgorithms= MD2, MD4, MD5, SHA224, DSA, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
jdk.tls.disabledAlgorithms=DSA, DHE, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
我使用的是 Java 7 update 79.我不倾向于拦截每个连接并检查 TLS 版本.
I am using Java 7 update 79. I am not inclined towards intercepting each connection and checking the TLS version.
我的服务器证书是 2048 位的,使用 MD5 和 RSA 算法生成.
My server certificate is 2048 bit generated with MD5 with RSA algorithm.
如果禁用的算法列表有 RSA 代替 RSA keySize <2048,我收到带有错误消息的 SSLHandShakeError:
If the disabled algorithm list has RSA in place of RSA keySize < 2048, I get the SSLHandShakeError with error message:
没有共同的密码套件.
我的测试程序正在从以下 URL 运行 HTTP 服务器:http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html
My test program is running the HTTP server from following URL: http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html
请帮助如何让java只接受TLS1.2连接.
Please help how to make java accept only TLS1.2 connections.
推荐答案
我找到了解决方案.我设置了
I found a solution for this. I set the
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1
在服务器上的文件 jre/lib/security/java.security 中.
in the file jre/lib/security/java.security on the server.
设置后,服务器只接受TLS1.2连接,拒绝低安全协议版本.
After setting this, server only accepts the TLS1.2 connection and reject lower security protocol versions.
这篇关于如何强制 java 服务器只接受 tls 1.2 并拒绝 tls 1.0 和 tls 1.1 连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
