Restrict cipher suites on JRE level


Question

Our Java application exposes a lot of different interfaces (SMTP, FTP, HTTP), secured by SSL/TLS. The goal now is to limit the cipher suites allowed on these interfaces to include only "strong" ones. I already have a list and it's clear how to make it work for a particular socket:

socket.setEnabledCipherSuites(ENABLED_SECURE_CIPHER_SUITES);

or for a Tomcat connector:

 <Connector port="443" ciphers="..."/>

The problem is that there are already 5 places in the application where I would have to apply this limitation manually. A common SocketFactory does not seem to help, as it's not always feasible to supply a custom SocketFactory to a third-party API or framework. Is it possible to somehow introduce this limitation on the JRE level, e.g. with JCE provider configuration or a policy file?

JRE: Oracle JRE 1.7.0_17

Accepted answer

Well, I managed to get that working. Thanks to EJP for pointing in the right direction. Since Java 1.7 there are two additional properties in $JRE_HOME/lib/security/java.security:

jdk.certpath.disabledAlgorithms=MD2

Controls the algorithms for certification path building and validation.

jdk.tls.disabledAlgorithms=MD5, SHA1, RC4, RSA keySize < 1024

JVM-wide algorithm restrictions for SSL/TLS processing, the one I was looking for. The notation is quite obvious here; it's possible to disallow certain algorithms or limit key sizes. Both properties are supported in Oracle JRE 7, Open JRE 7 and (surprisingly) IBM Java v7.
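As an added example (not part of the original answer), the program below checks whether the JVM-wide restriction actually reached the default SSLContext, which is the context that third-party frameworks end up using when you cannot hand them a custom SocketFactory. It assumes an override file named restrict.security and a `--set` command-line flag, both invented for this illustration, and it relies on the default context honouring jdk.tls.disabledAlgorithms when it builds its enabled cipher suite list, as the answer above reports.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/*
 * Added example, not code from the original answer.
 *
 * Two ways to apply the JVM-wide restriction without touching every socket:
 *
 *  1. Edit $JRE_HOME/lib/security/java.security, or point the JVM at an
 *     override file (the name "restrict.security" is an assumption):
 *       java -Djava.security.properties=restrict.security CheckTlsRestrictions
 *     with restrict.security containing, for example:
 *       jdk.tls.disabledAlgorithms=MD5, RC4, RSA keySize < 1024
 *     This requires security.overridePropertiesFile=true in java.security
 *     (the shipped default). A double "==" replaces the whole file instead
 *     of overlaying it.
 *
 *  2. Call Security.setProperty(...) as done below. The JSSE provider reads
 *     the property when it initializes, so this only takes effect if it runs
 *     before the first SSLContext/SSLSocketFactory is created anywhere in
 *     the JVM.
 */
public class CheckTlsRestrictions {

    // "_RC4_" and "_MD5" must be gone once RC4 and MD5 are disabled.
    // "_NULL_" and "_anon_" are not enabled by default in Oracle JRE 7 but
    // are cheap to check as well. Illustrative list, not a complete set of
    // weak suites.
    static final String[] FORBIDDEN_FRAGMENTS = {"_RC4_", "_MD5", "_NULL_", "_anon_"};

    /** Returns the enabled suites whose name contains a forbidden fragment. */
    static List<String> findForbidden(String[] enabledSuites, String[] fragments) {
        List<String> hits = new ArrayList<String>();
        for (String suite : enabledSuites) {
            for (String fragment : fragments) {
                if (suite.contains(fragment)) {
                    hits.add(suite);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Option 2: programmatic restriction ("--set" is an assumed flag).
        // Must run before any SSLContext is used, or it silently does nothing.
        if (args.length > 0 && args[0].equals("--set")) {
            Security.setProperty("jdk.tls.disabledAlgorithms",
                    "MD5, RC4, RSA keySize < 1024");
        }

        // The default context is what libraries pick up via
        // SSLContext.getDefault() / SSLSocketFactory.getDefault().
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        String[] enabled = engine.getEnabledCipherSuites();

        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println(enabled.length + " cipher suites enabled by default:");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        List<String> bad = findForbidden(enabled, FORBIDDEN_FRAGMENTS);
        if (!bad.isEmpty()) {
            System.err.println("Weak suites still enabled: " + bad);
            System.exit(1);
        }
        System.out.println("OK: no RC4/MD5/NULL/anon suites enabled");
    }
}
```

Run it once with the stock java.security and once with the override file (or `--set`) and diff the two listings; the second run should exit 0 and the RC4 and MD5 suites should have disappeared from the enabled list. Running the same class inside the application's own JVM (same java.security, same -D flags) is the simplest way to confirm the restriction applies to the SMTP, FTP and HTTP listeners alike, since they all start from the same default context.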
