Why does Java's SSLSocket send a version 2 client hello?


Question

The SSLSocket.getEnabledProtocols() method returns the following: [SSLv2Hello, SSLv3, TLSv1]. And indeed, when I call connect() and I have SSL debugging turned on, I see that a v2 client hello is used:

main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110

But I have found two (admittedly old) references that say JSSE does not support SSL version 2:

From Fundamental Networking in Java:

'SSLv2Hello' is a pseudo-protocol which allows Java to initiate the handshake with an SSLv2 'hello message'. This does not cause use of the SSLv2 protocol, which is not supported by Java at all.

From the JSSE Reference Guide:

The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.

Now, my understanding is that a version 2.0 client hello should only be sent when the client does support SSL version 2.0. From RFC 2246:

TLS 1.0 clients that support SSL Version 2.0 servers must send SSL Version 2.0 client hello messages [SSL2] ... Warning: The ability to send Version 2.0 client hello messages will be phased out with all due haste.

So why does Java use it?

Answer

Sun's JSSE doesn't support SSLv2, but it supports the SSLv2ClientHello, to support some SSL servers that require it. You can turn it off by removing it from the enabled protocols.

IBM's JSSE does support SSLv2 entirely.

From the JSSE Reference Guide:

For example, some older server implementations speak only SSLv3 and do not understand TLS. Ideally, these implementations should negotiate to SSLv3, but some simply hang up. For backwards compatibility, some server implementations (such as SunJSSE) send SSLv3/TLS ClientHellos encapsulated in an SSLv2 ClientHello packet. Some servers do not accept this format; in these cases use setEnabledProtocols to disable the sending of encapsulated SSLv2 ClientHellos.

I imagine 'server implementations' should read 'SSL implementations' above.

EDIT: thanks for citing my book!
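The answer's advice, removing SSLv2Hello from the enabled protocol list before connecting, as an added example that is not part of the original answer. The class and method names (DisableSslv2Hello, withoutSslv2Hello, disableSslv2Hello) are my own; the only JSSE calls used are SSLSocket.getEnabledProtocols(), SSLSocket.setEnabledProtocols() and SSLSocketFactory.getDefault(), which the thread itself refers to. It inspects an unconnected socket, so it runs offline; the filtered list is computed in a separate pure function so it can be checked without a network.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not from the original answer): strip the SSLv2Hello
// pseudo-protocol so the ClientHello is sent as a plain SSLv3/TLS record.
public class DisableSslv2Hello {

    /** Name of the pseudo-protocol that wraps the ClientHello in an SSLv2 record. */
    static final String SSLV2_HELLO = "SSLv2Hello";

    /**
     * Returns a copy of the enabled-protocol array with SSLv2Hello removed.
     * Kept free of socket access so it can be exercised on any input array.
     */
    static String[] withoutSslv2Hello(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String protocol : enabled) {
            if (!SSLV2_HELLO.equals(protocol)) {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Applies the filtered list to a socket; must be called before connect(). */
    static void disableSslv2Hello(SSLSocket socket) {
        socket.setEnabledProtocols(withoutSslv2Hello(socket.getEnabledProtocols()));
    }

    public static void main(String[] args) throws IOException {
        // An unconnected SSLSocket is enough to read and change the protocol list;
        // nothing goes on the wire until connect() is called.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println("before: " + Arrays.toString(socket.getEnabledProtocols()));
            disableSslv2Hello(socket);
            System.out.println("after:  " + Arrays.toString(socket.getEnabledProtocols()));
            // A subsequent socket.connect(...) would now send a bare SSLv3/TLS
            // ClientHello instead of one encapsulated in an SSLv2 ClientHello.
        }
    }
}
```

On a JDK whose default client list already omits SSLv2Hello, the "before" and "after" lines are identical and the filter is a harmless no-op; the same code applied to an array such as {"SSLv2Hello", "SSLv3", "TLSv1"} yields {"SSLv3", "TLSv1"}, matching the list the question shows minus the pseudo-protocol.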
