猿问

回到首页 个人中心 反馈问题 注册登录
下载APP
首页 课程 实战 体系课 手记 专栏 慕课教程

如何禁用 TLS_RSA_WITH_AES_128_CBC_SHA 而不禁用其他人?

我正在尝试缩小 Java 应用程序允许的 SSL 密码的范围。在 java.security 文件中,我使用:


jdk.tls.disabledAlgorithms = SSLv2Hello,SSLv3的,使用TLSv1,TLSv1.1,3DES_EDE_CBC,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256


它产生以下允许的密码:


Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:23 PDT

Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com

Host is up (0.079s latency).


PORT     STATE SERVICE

9999/tcp open  abyss

| ssl-enum-ciphers:

|   TLSv1.2:

|     ciphers:

|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A

|     compressors:

|       NULL

|     cipher preference: client

|     warnings:

|       Weak certificate signature: SHA1

|_  least strength: A


Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds

伟大的!我快到了。我也想禁止TLS_RSA_WITH_AES_128_CBC_SHA但将其添加到jdk.tls.disabledAlgorithms禁用所有内容:


Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:28 PDT

Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com 

Host is up (0.079s latency).


PORT     STATE SERVICE

9999/tcp open  abyss


Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

为什么是这样?有没有办法让我禁用TLS_RSA_WITH_AES_128_CBC_SHA而不禁用TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 和TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?


陪伴而非守候
浏览 1185回答 3
3回答

茅侃侃

从 java 1.8.0_141 开始,只需添加&nbsp;SHA1 jdkCA & usage TLSServer即可jdk.certpath.disabledAlgorithms。jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 jdkCA & Usage TLSServer或者,只需添加SHA1到jdk.tls.disabledAlgorithms也应该工作jdk.tls.disabledAlgorithms=MD5、SHA1、DSA、RSA keySize < 4096您没有指定您的 JVM 版本,所以请告诉我这对您有用。
0

森林海

只需将密码套件添加到 jdk.tls.disabledAlgorithms 即可禁用它。喜欢jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH, DHE, \EC keySize < 224, 3DES_EDE_CBC, anon, NULL, RSA keySize < 512, DESede, TLSv1, TLSv1.1, TLS_RSA_WITH_AES_128_CBC_SHA
0
打开App,查看更多内容
随时随地看视频慕课网APP

相关分类

Java