Java 在Spring Boot中启用TLSv1密码
我试图在我的spring boot REST服务中启用TLSv1密码,以便旧的android客户端可以连接到它,但由于某些原因,它无法工作。我正在运行Java 在Spring Boot中启用TLSv1密码,java,android,spring,ssl,tls1.2,Java,Android,Spring,Ssl,Tls1.2,我试图在我的spring boot REST服务中启用TLSv1密码,以便旧的android客户端可以连接到它,但由于某些原因,它无法工作。我正在运行openjdk版本“1.8.0_131”,默认情况下TLSv1、TLSv1.1和TLSv1.2似乎已启用 我正在使用nmap--scriptssl枚举密码-p8443127.0.0.1扫描服务器可以获取的内容,我得到了这个结果 8443/tcp open https-alt | ssl-enum-ciphers: | TLSv1.2: |
openjdk版本“1.8.0_131”我正在使用
nmap--scriptssl枚举密码-p8443127.0.0.18443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (secp521r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (secp256k1) of lower strength than certificate key
|_ least strength: A
server.ssl.enabled protocols=TLSv1.2javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 not enabled or not supported
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Cipher Suites: [Unknown 0xc0:0xa9, TLS_PSK_WITH_AES_256_GCM_SHA384, Unknown 0xc0:0x64, Unknown 0xc0:0x6a, Unknown 0xc0:0x65, Unknown 0xc0:0x6b, Unknown 0xc0:0x94, Unknown 0xc0:0x8e, Unknown 0xc0:0x95, Unknown 0xc0:0x8f, Unknown 0xcc:0xab, TLS_PSK_WITH_NULL_SHA, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_RC4_128_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, Unknown 0x0:0x61, Unknown 0x0:0x60, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, TLS_RSA_PSK_WITH_AES_128_CBC_SHA, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_AES_256_CBC_SHA, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, Unknown 0xc0:0x68, Unknown 0xc0:0x6e, Unknown 0xc0:0x69, Unknown 0xc0:0x6f, Unknown 0xc0:0x98, Unknown 0xc0:0x92, Unknown 0xc0:0x99, Unknown 0xc0:0x93, Unknown 0xcc:0xae, TLS_RSA_PSK_WITH_NULL_SHA, TLS_RSA_PSK_WITH_NULL_SHA256, TLS_RSA_PSK_WITH_NULL_SHA384, TLS_RSA_PSK_WITH_RC4_128_SHA, Unknown 0x0:0x7c, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x7d, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, Unknown 0xc0:0x9c, Unknown 0xc0:0xa0, TLS_RSA_WITH_AES_128_GCM_SHA256, Unknown 0x0:0x7e, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, Unknown 0xc0:0x9d, Unknown 0xc0:0xa1, TLS_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xc0:0x3c, Unknown 0xc0:0x50]
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
如果我在spring中使用
server.ssl.ciphersSslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
"^.*_(MD5|SHA|SHA1)$");
server.ssl.ciphers我不得不说,至少在TLS1.2中使用它时,这个jetty决策对我来说似乎没有必要(尽管我不是安全专家)。要点是,使用SHA1签署证书肯定不安全,但在HMAC中使用使用SHA1的密码套件仍然被认为是安全的我完全同意。做这样的决定不是Jetty的事。这应该取决于安装程序/配置程序。我花了6个小时找到这个答案,并在Jetty升级后处理我们产品中的同一问题。你能分享一下你是如何在Spring引导配置中创建这些显式密码列表的吗?@chelute我已经更新了我的答案。简而言之,在您的配置文件中的key
server.ssl.ciphers