为什么 Java 的 SSLSocket 会发送版本 2 客户端 hello? [英] Why does Java's SSLSocket send a version 2 client hello?
问题描述
SSLSocket.getEnabledProtocols() 方法返回以下内容:[SSLv2Hello, SSLv3, TLSv1].事实上,当我调用 connect() 并打开 SSL 调试时,我看到使用了 v2 客户端 hello:
main, WRITE: TLSv1 Handshake, length = 81main, WRITE: SSLv2 客户端问候消息,长度 = 110但我发现两个(不可否认的旧)参考文献说 JSSE不支持 SSL 版本 2:
来自 JSSE 参考指南:><块引用>
J2SDK 1.4 及更高版本中的 JSSE 实现实现了 SSL 3.0 和 TLS 1.0.它没有实现 SSL 2.0.
现在,我的理解是只有当客户端确实支持 SSL 2.0 版时,才应发送 2.0 版客户端 hello.来自 RFC 2246:
<块引用>支持 SSL 2.0 版服务器的 TLS 1.0 客户端必须发送 SSL2.0 版客户端问候消息 [SSL2] ... 警告:发送 2.0 版客户端问候消息的功能将被迅速淘汰.
那么Java为什么要使用它?
Sun 的 JSSE 不支持 SSLv2,但它支持 SSlv2ClientHello,以支持一些需要它的 SSL 服务器.您可以通过从启用的协议中删除它来关闭它.
IBM 的 JSSE 确实完全支持 SSLv2.
来自 JSSE 参考指南:
<块引用>例如,一些较旧的服务器实现只讲 SSLv3 和不懂TLS.理想情况下,这些实施应协商SSLv3,但有些只是挂断.为了向后兼容,一些服务器实现(例如 SunJSSE)发送SSLv3/TLS ClientHellos 封装在SSLv2 ClientHello 数据包.一些服务器不接受这种格式,在这些情况使用 setEnabledProtocols 来禁止发送封装的SSLv2 ClientHellos.
我认为服务器实现"应该阅读上面的SSL 实现".
感谢您引用我的书!
The SSLSocket.getEnabledProtocols() method returns the following: [SSLv2Hello, SSLv3, TLSv1]. And indeed, when I call connect() and I have SSL debugging turned on, I see that a v2 client hello is used:
main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110
But I have found two (admittedly old) references that say JSSE does not support SSL version 2:
From Fundamental Networking in Java:
'SSLv2Hello' is a pseudo-protocol which allows Java to initiate the handshake with an SSLv2 'hello message'. This does not cause use of the SSLv2 protocol, which is not supported by Java at all.
And from the JSSE Reference Guide:
The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.
Now, my understanding is that version 2.0 client hello should only be sent when the client does support SSL version 2.0. From RFC 2246:
TLS 1.0 clients that support SSL Version 2.0 servers must send SSL Version 2.0 client hello messages [SSL2] ... Warning: The ability to send Version 2.0 client hello messages will be phased out with all due haste.
So why does Java use it?
Sun's JSSE doesn't support SSLv2 but it supports the SSlv2ClientHello, to support some SSL servers that require it. You can turn it off by removing it from the enabled protocols.
IBM's JSSE does support SSLv2 entirely.
From the JSSE Reference Guide:
For example, some older server implementations speak only SSLv3 and do not understand TLS. Ideally, these implementations should negotiate to SSLv3, but some simply hangup. For backwards compatibility, some server implementations (such as SunJSSE) send SSLv3/TLS ClientHellos encapsulated in a SSLv2 ClientHello packet. Some servers do not accept this format, in these cases use setEnabledProtocols to disable the sending of encapsulated SSLv2 ClientHellos.
I imagine 'server implementations' should read 'SSL implementations' above.
EDIT: thanks for citing my book!
这篇关于为什么 Java 的 SSLSocket 会发送版本 2 客户端 hello?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
