Configuring SSL cipher suites for Jetty


Question

I am trying to set the allowed SSL cipher suites for the embedded Jetty server in my application. If I only use the IncludeCipherSuites setting for SslContextFactory in the XML file setting, for some reason when I run sslscan it only lists the ciphers for TLSv1.2 and not TLSv1.1 or TLSv1.0. I need to be able to have Jetty use all three TLS versions. Is there any way I can set the IncludeCipherSuites for Jetty so that I can set the list correctly?

Recommended answer

Jetty 9.3.8 disables the SLOTH vulnerable ciphers that prevent proper encryption with the latest versions of Chrome (if you re-enable the SLOTH vulnerable ciphers you'll see a broken padlock icon in Chrome).

You'll want to set up a ${jetty.base}/etc/tweak-ssl.xml and an appropriate entry in your ${jetty.base}/start.ini


Note: you should be using a split ${jetty.home} and ${jetty.base} directory structure and not modifying the ${jetty.home} contents

Documented here: https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

As for what configuration to use, that's up to you to decide.

Know that excludes win over includes. If the cipher suite is excluded, no addition of it in the includes list will enable it.


Also be aware that the JVM itself is also disabling various old protocols and cipher suites, following the same guidelines and updated specs that Jetty is with regard to security. In the near future you'll have to also re-enable those ciphers and protocols at the JVM level.
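
Added example (not part of the original answer, and a model rather than Jetty's own code): the sketch below uses only JDK classes to show the "excludes win over includes" rule and to print what the JVM itself has disabled or enabled by default. The class and helper names, the sample suite list and the include/exclude values are assumptions made for illustration; treating both lists as regular expressions is also an assumption of this model.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherSelectionDemo {

    // Hypothetical helper (not Jetty code): true if the suite name fully matches any pattern.
    static boolean matchesAny(String suite, List<String> patterns) {
        return patterns.stream().anyMatch(p -> Pattern.matches(p, suite));
    }

    // Model of the rule in the answer: a suite survives only if an include pattern
    // matches it AND no exclude pattern matches it, so an exclude always wins.
    static List<String> select(List<String> candidates, List<String> includes, List<String> excludes) {
        List<String> selected = new ArrayList<>();
        for (String suite : candidates) {
            if (matchesAny(suite, includes) && !matchesAny(suite, excludes)) {
                selected.add(suite);
            }
        }
        return selected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed candidate list: standard JSSE suite names, not output from a real server.
        List<String> candidates = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA");
        // Assumed include/exclude values, chosen for illustration only.
        List<String> includes = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA");
        List<String> excludes = Arrays.asList(".*_RSA_.*SHA$");
        // TLS_RSA_WITH_AES_128_CBC_SHA is in the include list but is still dropped.
        System.out.println("Selected suites: " + select(candidates, includes, excludes));

        // What the JVM itself allows, independent of any Jetty setting.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("JVM default protocols: "
            + Arrays.toString(SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));
    }
}
```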
