Java 8 更新保险丝,使其具有TLS v1.3
我是JBoss Fuse服务器的新手。我们使用的Fuse服务器版本是7.2。根据Java 8 更新保险丝,使其具有TLS v1.3,java-8,jboss7.x,jbossfuse,tls1.3,Java 8,Jboss7.x,Jbossfuse,Tls1.3,我是JBoss Fuse服务器的新手。我们使用的Fuse服务器版本是7.2。根据${karaf.home}/etc位置中的undertow.xml文件,我们目前支持TLSv1、TLSv1.1和TLSv1.2。还需要添加更高版本(本例中为TLSv1.3)。我想检查的先决条件和可行性方面相同 此外,我无法确定Fuse 7.2是否支持TLSv1.3 我们正在使用Java8 非常感谢您提供的任何信息/指导。您可以查看安全指南 首先,您必须启用安全侦听器。您可以在两个文件中执行此操作: etc/org.o
${karaf.home}/etcundertow.xmlTLSv1TLSv1.1TLSv1.2TLSv1.3非常感谢您提供的任何信息/指导。您可以查看安全指南 首先,您必须启用安全侦听器。您可以在两个文件中执行此操作:
etc/org.ops4j.pax.web.cfg,其中需要两个新属性(根据):
当然,您需要一个密钥库/信任库(可以是相同的,也可以是单独的)。例如,将其复制到etc/server.keystore
最后,您需要在etc/undertow.xml
中进行更改
取消对https侦听器的注释:
取消对安全套接字绑定的注释:
您现在不能使用TLS 1.3:
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -debug
CONNECTED(00000003)
write to 0x562ac4785740 [0x562ac479cb90] (215 bytes => 215 (0xD7))
0000 - 16 03 01 00 d2 01 00 00-ce 03 03 12 4c a3 cb de ............L...
0010 - 46 95 45 07 5b 86 05 d0-69 20 3c e2 70 9f 0f 99 F.E.[...i <.p...
...
New, (NONE), Cipher is (NONE)
...
但是如果您添加(到etc/system.properties
):
您将看到如下内容:
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLS13
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS13
看来剩下的事情就是为TLS1.3找到合适的密码套件。其中一个套件是TLS_AES_256_GCM_SHA384enabled-cipher-suites="TLS_AES_256_GCM_SHA384"
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
CONNECTED(00000003)
...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1906 bytes and written 640 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
...
- 至少Oracle JDK 1.8.0ą
- 至少OpenJDK 8u272
<interface name="secure">
<w:inet-address value="0.0.0.0" />
</interface>
<socket-binding name="https" interface="secure"
port="${org.osgi.service.http.port.secure}" />
<w:engine
enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
$ openssl s_client -connect 127.0.0.1:8443 -debug -tls1_2 -ciphersuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
CONNECTED(00000003)
...
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1691 bytes and written 386 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
...
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -debug
CONNECTED(00000003)
write to 0x562ac4785740 [0x562ac479cb90] (215 bytes => 215 (0xD7))
0000 - 16 03 01 00 d2 01 00 00-ce 03 03 12 4c a3 cb de ............L...
0010 - 46 95 45 07 5b 86 05 d0-69 20 3c e2 70 9f 0f 99 F.E.[...i <.p...
...
New, (NONE), Cipher is (NONE)
...
enabled-protocols="TLSv1.3"
javax.net.debug=all
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLS13
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS13
enabled-cipher-suites="TLS_AES_256_GCM_SHA384"
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
CONNECTED(00000003)
...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1906 bytes and written 640 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
...