Java 如何在Jetty中禁止特定的SSL协议?
我有一个web应用程序在Debian 6.0.7上的Jetty 6+Open JDK 7上运行。我有一个安全要求,当客户端启动HTTPS连接时,接受TLS握手,但不接受SSLv3.0握手 在我的jetty.xml中,我将协议设置为TLS:Java 如何在Jetty中禁止特定的SSL协议?,java,ssl,jetty,openjdk,sslv3,Java,Ssl,Jetty,Openjdk,Sslv3,我有一个web应用程序在Debian 6.0.7上的Jetty 6+Open JDK 7上运行。我有一个安全要求,当客户端启动HTTPS连接时,接受TLS握手,但不接受SSLv3.0握手 在我的jetty.xml中,我将协议设置为TLS: <New class="org.mortbay.jetty.security.SslSocketConnector"> <Set name="protocol">TLS</Set> ... TLS ...
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="protocol">TLS</Set>
...
TLS
...
通过这种配置,web服务器似乎仍然接受SSLv3.0握手。这已经通过“sslscan”工具和运行“curl-sslv3-kv{host}”进行了验证
是否可以将Jetty配置为仅接受TLS握手?如果需要,我愿意升级我的Jetty版本。我找到了两种解决方案:
升级到Jetty 9,它支持Jetty.xml条目:
<Arg name="sslContextFactory">
...
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
...
SSLv3
或者,使用Jetty 6为SslSocketConnector和SSLServerSocketFactory创建委托类:
jetty.xml:
...
<New class="com.src.TlsSocketConnector">
...
</New>
public class TlsSocketConnector extends SslSocketConnector {
@Override
protected SSLServerSocketFactory createFactory() throws Exception {
return new TlsServerSocketFactory( super.createFactory() );
}
}
public class TlsServerSocketFactory extends SSLServerSocketFactory {
private SSLServerSocketFactory delegate;
public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
this.delegate = delegate;
}
//Repeat this pattern for all createServerSocket() methods
public ServerSocket createServerSocket() throws IOException {
SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
return socket;
}
// Directly delegated methods from SSLServerSocketFactory
public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
jetty.xml:
...
...
公共类TlsSocketConnector扩展SslSocketConnector{
@凌驾
受保护的SSLServerSocketFactory createFactory()引发异常{
返回新的TlsServerSocketFactory(super.createFactory());
}
}
公共类TlsServerSocketFactory扩展了SSLServerSocketFactory{
私人SSLServerSocketFactory代表;
公共TlsServerSocketFactory(SSLServerSocketFactory委托){
this.delegate=委托;
}
//对所有createServerSocket()方法重复此模式
公共ServerSocket createServerSocket()引发IOException{
SSLServerSocket=(SSLServerSocket)委托。createServerSocket();
setEnabledProtocols(新字符串[]{“TLSv1”、“TLSv1.1”、“TLSv1.2”});
返回插座;
}
//来自SSLServerSocketFactory的直接委托方法
公共字符串[]GetDefaultCipherSuite(){返回委托。GetDefaultCipherSuite();}
公共字符串[]GetSupportedCipherSuite(){返回委托。GetSupportedCipherSuite();}
}
对于Jetty 6,您还可以创建一个覆盖的SslSelectChannelConnector来删除SSLv3,如下所示:
package com.mycompany;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import org.mortbay.jetty.security.SslSelectChannelConnector;
public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {
@Override
protected SSLEngine createSSLEngine() throws IOException {
SSLEngine engine = super.createSSLEngine();
Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
return engine;
}
}
<Call name="addConnector">
<Arg>
<New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
...
</New>
</Arg>
</Call>
package.com.mycompany;
导入java.io.IOException;
导入java.util.array;
导入java.util.HashSet;
导入java.util.Set;
导入javax.net.ssl.SSLEngine;
导入org.mortbay.jetty.security.SslSelectChannelConnector;
公共类SslSelectChannelConnectorNoSsl3扩展了SslSelectChannelConnector{
@凌驾
受保护的SSLEngine CreateSLengine()引发IOException{
SSLEngine引擎=super.createSSLEngine();
Set protocols=newhashset(Arrays.asList(engine.getEnabledProtocols());
protocols.removeAll(Arrays.asList(“SSLv2Hello”、“SSLv3”);
engine.setEnabledProtocols(protocols.toArray(新字符串[protocols.size()]);
返回引擎;
}
}
然后在jetty.xml中指定该连接器,如下所示:
package com.mycompany;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import org.mortbay.jetty.security.SslSelectChannelConnector;
public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {
@Override
protected SSLEngine createSSLEngine() throws IOException {
SSLEngine engine = super.createSSLEngine();
Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
return engine;
}
}
<Call name="addConnector">
<Arg>
<New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
...
</New>
</Arg>
</Call>
...
我找到了两种解决方案。1) 升级到Jetty 9,它支持Jetty 6中的SslContextFactory条目:SSLv3 2),创建一个扩展SslSocketConnector的Java类,覆盖以下方法: