SSLContext initialization
Question
I'm looking at the JSSE reference guide. I need to obtain an instance of SSLContext in order to create an SSLEngine, so I can use it with Netty to enable security.
To obtain an instance of SSLContext, I use SSLContext.getInstance(). I see that the method is overloaded multiple times, so I can choose the protocol and security provider to use.
Here, I can see the list of algorithms that can be used. Which algorithm should I use to enable secure communication?
Also, since it is possible to specify the security provider to use, which provider should I use?
Thanks
Answer
As you can see in the standard names documentation, all entries (SSLv3, TLSv1.0, TLSv1.1, ...) say that they may support other versions.
In practice, in the Oracle JDK (and OpenJDK), they all do. If you look at the source code, the TLS10Context class is what's used for TLS, SSL, SSLv3 and TLS10, TLS11Context is used for TLSv1.1 and TLS12Context for TLSv1.2. All support all versions of SSL/TLS; it's what's enabled by default that varies.
This may be different with another provider or JRE vendor. You should of course pick one that's at least going to support the protocol version you want to use.
Note that the protocol used is determined later on using SSLSocket.setEnabledProtocols(...) or its SSLEngine equivalent.
As a general rule, use the highest version number you can (SSLv3 < TLSv1.0 < TLSv1.1 ...), which may depend on what the parties with which you want to communicate support.
Which protocols are enabled by default varies depending on the exact version of the Oracle JRE.
When looking at the source code for sun.security.ssl.SunJSSE in OpenJDK 7u40-b43, TLS is simply an alias for TLSv1 (and so are SSL and SSLv3), in terms of SSLContext protocols. Looking at the various implementations of SSLContextImpl (which are inner classes of SSLContextImpl itself):
- All support all protocols.
- All protocols are enabled on the server side by default.
- The client-side protocols enabled by default vary: TLS10Context (used for protocols SSL, SSLv3, TLS, TLSv1) enables SSLv3 to TLSv1.0 by default on the client side. TLS11Context (used for protocol TLSv1.1) also enables TLSv1.1 by default. TLS12Context (used for protocol TLSv1.2) also enables TLSv1.2 by default.
This changes in Java 8, in conjunction with the new jdk.tls.client.protocols system property. Again, when looking at the source code for sun.security.ssl.SunJSSE in OpenJDK 8u40-b25, SSLContext protocols TLSv1, TLSv1.1 and TLSv1.2 also make use of TLS10Context, TLS11Context and TLS12Context, which follow the same logic as in Java 7. However, protocol TLS is no longer aliased to any of them. Rather, it uses TLSContext, which relies on the values in the jdk.tls.client.protocols system property. From the JSSE Reference Guide:
To enable specific SunJSSE protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client. For example, if the value of this property is "TLSv1,TLSv1.1", then the default protocol settings on the client for TLSv1 and TLSv1.1 are enabled on the client, while SSLv3, TLSv1.2, and SSLv2Hello are disabled on the client.
If this property is empty, all protocols are enabled by default on both client and server side.
Of course, in recent versions of Oracle JRE 8, SSL is also completely disabled by default (so removed from those lists).
Note that in both cases (JRE 7 and 8), the SSLContext you get by default via SSLContext.getDefault() out of the box is more or less equivalent to an SSLContext obtained with protocol TLS and initialised with the default truststore parameters and so on.