SSLContext initialization


Problem description

I'm looking at the JSSE reference guide. I need to obtain an instance of SSLContext in order to create an SSLEngine, so I can use it with Netty to enable security.

To obtain an instance of SSLContext, I use SSLContext.getInstance(). I see that the method is overloaded multiple times, so I can choose the protocol and security provider to use.


Here, I can see the list of algorithms that can be used. Which algorithm should I use to enable secure communication?


Also, since it is possible to specify the security provider to use, which provider should I use?

Thanks

Recommended answer


As you can see in the standard names documentation, all entries (SSLv3, TLSv1.0, TLSv1.1, ...) say that they may support other versions.


In practice, in the Oracle JDK (and OpenJDK), they all do. If you look at the source code, the TLS10Context class is what's used for TLS, SSL, SSLv3 and TLS10, TLS11Context is used for TLSv1.1 and TLS12Context for TLSv1.2. All support all versions of SSL/TLS, it's what's enabled by default that varies.


This may be different with another provider or JRE vendor. You should of course pick one that's at least going to support the protocol version you want to use.


Note that the protocol used is determined later on using SSLSocket.setEnabledProtocols(...) or its SSLEngine equivalent.


As a general rule, use the highest version number you can (SSLv3 < TLSv1.0 < TLSv1.1 ...), which may depend on what the parties with which you want to communicate support.


Which protocols are enabled by default varies depending on the exact version of the Oracle JRE.


When looking at the source code for sun.security.ssl.SunJSSE in OpenJDK 7u40-b43, TLS is simply an alias for TLSv1 (and so are SSL and SSLv3), in terms of SSLContext protocols. Looking at the various implementations of SSLContextImpl (which are inner classes of SSLContextImpl itself):

  • All support all protocols.
  • All protocols are enabled on the server side by default.
  • The client-side protocols enabled by default vary:
    • TLS10Context (used for protocol SSL, SSLv3, TLS, TLSv1) enables SSLv3 to TLSv1.0 by default on the client side.
    • TLS11Context (used for protocol TLSv1.1) also enables TLSv1.1 by default.
    • TLS12Context (used for protocol TLSv1.2) also enables TLSv1.2 by default.

This changes in Java 8, in conjunction with the new jdk.tls.client.protocols system property.

Again, when looking at the source code for sun.security.ssl.SunJSSE in OpenJDK 8u40-b25, SSLContext protocols TLSv1, TLSv1.1, and TLSv1.2 also make use of TLS10Context, TLS11Context and TLS12Context, which follow the same logic as in Java 7.

However, protocol TLS is no longer aliased to any of them. Rather, it uses TLSContext which relies on the values in the jdk.tls.client.protocols system property. From the JSSE Reference guide:

To enable specific SunJSSE protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client. For example, if the value of this property is "TLSv1,TLSv1.1", then the default protocol settings on the client for TLSv1 and TLSv1.1 are enabled on the client, while SSLv3, TLSv1.2, and SSLv2Hello are disabled on the client.

If this property is empty, all protocols are enabled by default on both client and server side.

Of course, in recent versions of Oracle JRE 8, SSL is also completely disabled by default (so removed from those lists).

Note that in both cases (JRE 7 and 8), the SSLContext you get by default via SSLContext.getDefault() out of the box is more or less equivalent to an SSLContext obtained with protocol TLS and initialised with the default truststore parameters and so on.
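As an added example (not part of the original question or answer), the following Java code does what the answer describes: it obtains an SSLContext for "TLS" from the default provider, creates an SSLEngine to hand to Netty, and then pins the negotiable versions with setEnabledProtocols rather than relying on the JRE-dependent client defaults. The class name, the WANTED list and the peer host/port are assumptions.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class SslContextSetup {
    // Versions we are willing to negotiate (assumed policy); older ones the
    // provider may still support (SSLv3, TLSv1, TLSv1.1) stay disabled.
    // TLSv1.3 is only picked up on JREs whose provider lists it as supported.
    private static final List<String> WANTED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // "TLS" with the default provider; init(null, null, null) means no key
    // material and the default truststore, much like SSLContext.getDefault().
    public static SSLContext defaultTlsContext()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // Engine to hand to Netty; the protocol set is pinned here, since the
    // protocol name passed to getInstance(...) alone does not decide it.
    public static SSLEngine createEngine(SSLContext ctx, String host, int port, boolean client) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(client);
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = new ArrayList<>();
        for (String p : WANTED) {
            if (supported.contains(p)) enabled.add(p);
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("provider supports none of " + WANTED + ": " + supported);
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = defaultTlsContext();
        SSLEngine probe = ctx.createSSLEngine();
        probe.setUseClientMode(true); // client-side defaults, which vary by JRE version
        System.out.println("client default: " + Arrays.toString(probe.getEnabledProtocols()));
        SSLEngine engine = createEngine(ctx, "example.com", 443, true); // placeholder peer
        System.out.println("pinned:         " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running main on different JREs shows the "client default" line changing with the version, while the "pinned" line stays within WANTED.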
