我編寫了一個測試代碼(不是HTTPS)來測試帶有JDK8的TLS。當測試代碼運行,我用nmap的工具來掃描並得到結果如下:如何在不更改源代碼的情況下禁用TLSv1?
D:\softwares\nmap-7.12>nmap -p xxxx --script=ssl* x.x.x.x --unprivileged
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 °?′óà????÷2?±ê×?ê±??
Nmap scan report for x.x.x.x
Host is up (1.0s latency).
PORT STATE SERVICE
xxxx/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx
Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds
D:\softwares\nmap-7.12>
JDK8使TLSv1.0爲默認值,但我想禁用它。
Protocols
The SunJSSE provider supports the following protocol parameters:
Protocol Enabled by Default for Client Enabled by Default for Server
SSLv3 No(Unavailable Footnote 2) No(Unavailable Footnote 2)
TLSv1 Yes Yes
TLSv1.1 Yes Yes
TLSv1.2 Yes Yes
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols
我援引 「setEnabledProtocols」 在我的測試代碼javax.net.ssl.SSLEngine中的類的方法,TLSv1.0可以完全禁用。 有沒有更改代碼禁用TLSv1.0的方法?例如通過配置文件。
我嘗試了幾種方法作爲遵循,但沒有人能達到預期的效果:(
1. -Djdk.tls.client.protocols = TLSv1.1,TLSv1.2工作
2. -Ddeployment.security.TLSv1 =假
這裏是java版本:
java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)
買者自負,'-D'將*不*爲'jdk.tls工作.disabledAlgorithms',如你所說,它應該進入java.security'文件。 – kubanczyk