How to specify server-preferred order of SSL cipher suites for Java?

Problem description

I'm using Java 1.6 and Netty 3.8 for an HTTP/HTTPS server. I've done an SSL test with ssllab.com (https://www.ssllabs.com/ssltest/analyze.html), and I got a result for cipher suites like the one below.


Cipher suites sorted by strength; server has no preference

But the result for google.com is something different: https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=74.125.227.148


Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)

How can I set server-side preference order for cipher suites? Does JSSE have any property or API about that?

Thanks in advance.

Recommended answer

You could try calling setEnabledCipherSuites() with an array in the desired order, but there's nothing in the JSSE documentation that suggests it will use that order as the desired order, and there's nothing in the TLS RFC 2246 that says the server is obliged to obey any particular ordering when choosing among the cipher suites suggested by the client.

EDIT You might be better off putting an Apache HTTPD reverse proxy in front of your server and terminating the SSL there. Apache HTTPD uses OpenSSL, which lets you do exactly what you are looking for. It's also better for situations where some Webapps need client certificates and others don't, assuming you are writing Webapps of course.
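
For Java 8 and later, JSSE's SSLParameters offers setUseCipherSuitesOrder(true), which makes the server choose from the client's list according to the locally configured order. The following is an added example, not part of the original answer, and it does not apply to the Java 1.6 in the question; the class name, method names and the suite list are constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ServerCipherOrder {
    // Constructed preference list, most preferred first; adjust to your own policy.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    };

    // Keeps only the preferred suites this JVM supports, preserving our order.
    static String[] orderedSupported(String[] preferred, String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> result = new ArrayList<String>();
        for (String suite : preferred) {
            if (available.contains(suite)) result.add(suite);
        }
        if (result.isEmpty()) {
            // An empty suite list would make every handshake fail; fail at startup instead.
            throw new IllegalStateException("none of the preferred suites is supported");
        }
        return result.toArray(new String[0]);
    }

    // Builds a server-mode engine that enforces the local suite order.
    static SSLEngine newServerEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(orderedSupported(PREFERRED, engine.getSupportedCipherSuites()));
        params.setUseCipherSuitesOrder(true); // Java 8+: honor the server's order
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // The default context carries no server key; it is enough to show the settings.
        SSLEngine engine = newServerEngine(SSLContext.getDefault());
        System.out.println(Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println(engine.getSSLParameters().getUseCipherSuitesOrder());
    }
}
```

A real server would build the SSLContext from its own key store before creating the engine; re-running the SSL Labs test afterwards shows whether the scanner now reports a server preference.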
