https站点强制通信协议TLSv1.2
现在网络安全原来越重要,好多公司网站需要ssl支持,也就是要求客户通过https访问公司站点,由于TLSv1.1容易被黑客攻击,于是很多企业要求站点只提供TLSv1.2协议支持。
对Java 程序,TLSv1.2的实现中, oracle 从JDK1.7 update96以后的版本才开始支持,IBM JDK 采用的是类似的方案。只有从JDK1.8开始才是默认支持的。
https://bugs.openjdk.java.net/browse/JDK-7093640
https://www.java.com/en/configure_crypto.html#enableTLSv1_2
https://wiki.openssl.org/index.php/Manual:Ciphers(1) 参见TLSv1.2支持的cipher list.
TLSv1.2协议支持具体要分三部分内容。
<一>服务器对TLSv1.2的支持。
具体要看服务器采用的是那种服务器,这里主要讲Apache web server 和Tomcat 为基础的web 服务器。
Apache web server:
更新文件 httpd-ssl.conf于如下路径:WebServer/conf/extra/
做如下更改:
#Limit Protocol to TLSv1.2
SSLProtocol +TLSv1.2
#Update cipher suites to remediate variousencryption related vulnerabilities
SSLHonorCipherOrder On
SSLCipherSuiteECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256
Tomcat:
更新文件 wrapper.conf 文件于如下路径
Tomcat/conf/ (Windows) or the setenv.shscript file (UNIX) with the following modifications:
· 添加参数 -Djdk.tls.client.protocols=TLSv1.2 在 Java Virtual Machine (JVM) arguments.
针对AIX 环境参数变为-Dcom.ibm.jsse2.overrideDefaultProtocol="TLSv12".
· 如果Tomcat 配置了TLS , 更新文件 server.xml 在如下路径
Tomcat/conf/, 如下. 在<Connector> 定义中, 更改 ciphers 和 sslProtocols 参数如下:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" sslProtocols="TLSv1.2"
<二>客户端设置对TLSv1.2的支持
现代浏览器对TLS 1.2 默认支持的版本如下:
Firefox: Next 6 months (either version 27 or 28)
IE version 11
Google Chrome 31
Opera 18 on Windows
Safari 7.0 on Mac
①.打开Java Control Panel,查看Java支持的TLS版本
②.高级。拉到最下面。
为了你的浏览器在访问时不弹出不安全访问访问提示,你需要在浏览器中导入客户端证书。
<三>客户端默认通过TLSv1.2访问设置。
- import org.apache.http.impl.client.DefaultHttpClient;
- public class SSLClient extends DefaultHttpClient {
- public SSLClient() throws Exception {
- super();
- SSLContext ctx = SSLContext.getInstance("TLSv1.2");
- X509TrustManager tm = new X509TrustManager() {
- @Override
- public void checkClientTrusted(X509Certi<a target=_blank target="_blank" href="http://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7">http://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7</a>ficate[] chain, String authType) throws CertificateException {
- }
- @Override
- public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
- }
- @Override
- public X509Certificate[] getAcceptedIssuers() {
- return null;
- }
- };
- ctx.init(null, new TrustManager[] { tm }, null);
- org.apache.http.conn.ssl.SSLSocketFactory ssf = new org.apache.http.conn.ssl.SSLSocketFactory(ctx,
- org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
- ClientConnectionManager ccm = this.getConnectionManager();
- SchemeRegistry sr = ccm.getSchemeRegistry();
- sr.register(new Scheme("https", 443, ssf));
- }
- }
为了测试需要你可以通过如下代码来测试你的客户端环境,看你的客户程序可以采用的协议:
- public static void main(String[] args) throws Exception {
- SSLContext context = SSLContext.getInstance("TLS");
- context.init(null, null, null);
- SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
- SSLSocket socket = (SSLSocket) factory.createSocket();
- String[] protocols = socket.getSupportedProtocols();
- System.out.println("Supported Protocols: " + protocols.length);
- for (int i = 0; i < protocols.length; i++) {
- System.out.println(" " + protocols[i]);
- }
- protocols = socket.getEnabledProtocols();
- System.out.println("Enabled Protocols: " + protocols.length);
- for (int i = 0; i < protocols.length; i++) {
- System.out.println(" " + protocols[i]);
- }
- }