0 votes
1.2k views
in Technique by (71.8m points)

security - How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections

I have an HTTPS web service running on Java 7. I need to make changes so that this service only accepts TLS1.2 connections and rejects SSL3, TLS1.0 and TLS1.1.

I have added the following Java parameter so that TLS1.2 is the highest priority.

-Dhttps.protocols=TLSv1.2

but it also accepts TLS1.0 connections from Java clients. If the client is also running with the above Java parameter, the connection is TLS1.2, but if the client is running without this parameter, the connection is TLS1.0.

I played around with the java.security file in the jdk/jre/lib/security folder.

I currently have the following disabled algorithms:

jdk.certpath.disabledAlgorithms= MD2, MD4, MD5, SHA224, DSA, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
jdk.tls.disabledAlgorithms=DSA, DHE, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224

I am using Java 7 update 79. I am not inclined towards intercepting each connection and checking the TLS version.

My server certificate is 2048 bit generated with MD5 with RSA algorithm.

If the disabled algorithm list has RSA in place of RSA keySize < 2048, I get the SSLHandShakeError with error message:

no cipher suites in common.

My test program is running the HTTP server from the following URL: http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html

Please help me make Java accept only TLS1.2 connections.


1 Reply

0 votes
by (71.8m points)

I found a solution for this. I set the

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.

After setting this, the server only accepts TLS1.2 connections and rejects lower protocol versions.
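The same restriction, applied in code rather than by editing java.security, together with a check that the resulting server socket really has nothing but TLSv1.2 enabled. This is an added example, not code from the question or the answer; it assumes a JVM whose JSSE provider honours jdk.tls.disabledAlgorithms, that the property is set before any TLS class is initialised, and that a real server would load its own keystore instead of the default managers used here.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class Tls12OnlyCheck {

    // Returns true only when every enabled protocol on the socket is TLSv1.2
    // (an empty list would also mean "no TLS at all", so it is treated as a failure).
    static boolean onlyTls12(String[] enabledProtocols) {
        if (enabledProtocols.length == 0) {
            return false;
        }
        for (String p : enabledProtocols) {
            if (!"TLSv1.2".equals(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Same value the answer puts in java.security, applied programmatically.
        // Assumption: this runs before the JSSE provider reads the property, i.e.
        // before the first SSLContext in this JVM; setting it in java.security
        // avoids that ordering concern entirely.
        Security.setProperty("jdk.tls.disabledAlgorithms",
                "SSLv2Hello, SSLv3, TLSv1, TLSv1.1");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers; a real server loads its keystore
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);

        // Belt and braces: pin the protocol list on the socket itself so the
        // restriction survives even if the java.security edit is lost on a JDK upgrade.
        server.setEnabledProtocols(new String[] { "TLSv1.2" });

        String[] enabled = server.getEnabledProtocols();
        System.out.println("Supported: " + Arrays.toString(server.getSupportedProtocols()));
        System.out.println("Enabled:   " + Arrays.toString(enabled));
        System.out.println("TLS 1.2 only: " + onlyTls12(enabled));
        server.close();
    }
}
```

Run it once on the server's JDK after changing java.security: if "Enabled" still lists TLSv1 or TLSv1.1, the property is not being read from the file the JVM actually uses (check which jre/lib/security/java.security belongs to the running java binary).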
