Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/java/348.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java 如何在Jetty中禁止特定的SSL协议?_Java_Ssl_Jetty_Openjdk_Sslv3 - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java 如何在Jetty中禁止特定的SSL协议?

Java 如何在Jetty中禁止特定的SSL协议?

java ssl jetty

Java 如何在Jetty中禁止特定的SSL协议?,java,ssl,jetty,openjdk,sslv3,Java,Ssl,Jetty,Openjdk,Sslv3,我有一个web应用程序在Debian 6.0.7上的Jetty 6+Open JDK 7上运行。我有一个安全要求,当客户端启动HTTPS连接时,接受TLS握手,但不接受SSLv3.0握手 在我的jetty.xml中,我将协议设置为TLS: <New class="org.mortbay.jetty.security.SslSocketConnector"> <Set name="protocol">TLS</Set> ... TLS ...

我有一个web应用程序在Debian 6.0.7上的Jetty 6+Open JDK 7上运行。我有一个安全要求,当客户端启动HTTPS连接时,接受TLS握手,但不接受SSLv3.0握手

在我的jetty.xml中,我将协议设置为TLS:

<New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="protocol">TLS</Set>
    ...


TLS
...
通过这种配置,web服务器似乎仍然接受SSLv3.0握手。这已经通过“sslscan”工具和运行“curl-sslv3-kv{host}”进行了验证

是否可以将Jetty配置为仅接受TLS握手?如果需要,我愿意升级我的Jetty版本。

我找到了两种解决方案:

升级到Jetty 9,它支持Jetty.xml条目:

<Arg name="sslContextFactory">
    ...
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
     </Set>


...
SSLv3
或者,使用Jetty 6为SslSocketConnector和SSLServerSocketFactory创建委托类:

jetty.xml:
  ...
  <New class="com.src.TlsSocketConnector">
    ...
  </New>

public class TlsSocketConnector extends SslSocketConnector  {
  @Override
  protected SSLServerSocketFactory createFactory() throws Exception {
    return new TlsServerSocketFactory( super.createFactory() );
  }
}

public class TlsServerSocketFactory extends SSLServerSocketFactory {

  private SSLServerSocketFactory delegate;

  public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
    this.delegate = delegate;
  }

  //Repeat this pattern for all createServerSocket() methods
  public ServerSocket createServerSocket() throws IOException {
    SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
    socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
    return socket;
  }

  // Directly delegated methods from SSLServerSocketFactory
  public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}

jetty.xml:
...
...
公共类TlsSocketConnector扩展SslSocketConnector{
@凌驾
受保护的SSLServerSocketFactory createFactory()引发异常{
返回新的TlsServerSocketFactory(super.createFactory());
}
}
公共类TlsServerSocketFactory扩展了SSLServerSocketFactory{
私人SSLServerSocketFactory代表;
公共TlsServerSocketFactory(SSLServerSocketFactory委托){
this.delegate=委托;
}
//对所有createServerSocket()方法重复此模式
公共ServerSocket createServerSocket()引发IOException{
SSLServerSocket=(SSLServerSocket)委托。createServerSocket();
setEnabledProtocols(新字符串[]{“TLSv1”、“TLSv1.1”、“TLSv1.2”});
返回插座;
}
//来自SSLServerSocketFactory的直接委托方法
公共字符串[]GetDefaultCipherSuite(){返回委托。GetDefaultCipherSuite();}
公共字符串[]GetSupportedCipherSuite(){返回委托。GetSupportedCipherSuite();}
}
对于Jetty 6,您还可以创建一个覆盖的SslSelectChannelConnector来删除SSLv3,如下所示:

package com.mycompany;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.SSLEngine;

import org.mortbay.jetty.security.SslSelectChannelConnector;

public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {

  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
    protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
    engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
    return engine;
  }

}

<Call name="addConnector">
 <Arg>
   <New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
   ...
   </New>
 </Arg>
</Call>  

package.com.mycompany;
导入java.io.IOException;
导入java.util.array;
导入java.util.HashSet;
导入java.util.Set;
导入javax.net.ssl.SSLEngine;
导入org.mortbay.jetty.security.SslSelectChannelConnector;
公共类SslSelectChannelConnectorNoSsl3扩展了SslSelectChannelConnector{
@凌驾
受保护的SSLEngine CreateSLengine()引发IOException{
SSLEngine引擎=super.createSSLEngine();
Set protocols=newhashset(Arrays.asList(engine.getEnabledProtocols());
protocols.removeAll(Arrays.asList(“SSLv2Hello”、“SSLv3”);
engine.setEnabledProtocols(protocols.toArray(新字符串[protocols.size()]);
返回引擎;
}
}
然后在jetty.xml中指定该连接器,如下所示:

package com.mycompany;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.SSLEngine;

import org.mortbay.jetty.security.SslSelectChannelConnector;

public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {

  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
    protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
    engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
    return engine;
  }

}

<Call name="addConnector">
 <Arg>
   <New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
   ...
   </New>
 </Arg>
</Call>  


...
我找到了两种解决方案。1) 升级到Jetty 9,它支持Jetty 6中的SslContextFactory条目:SSLv3 2),创建一个扩展SslSocketConnector的Java类,覆盖以下方法: