【发布时间】:2019-02-12 05:40:24
【问题描述】:
我正在尝试缩小 Java 应用程序允许的 SSL 密码。在 java.security 文件中,我使用的是:
jdk.tls.disabledAlgorithms = SSLv2Hello,SSLv3的,使用TLSv1,TLSv1.1,3DES_EDE_CBC,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
这会产生以下允许的密码:
Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:23 PDT
Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com
Host is up (0.079s latency).
PORT STATE SERVICE
9999/tcp open abyss
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
太棒了!我快到了。我也想禁止TLS_RSA_WITH_AES_128_CBC_SHA,但将其添加到jdk.tls.disabledAlgorithms 会禁用一切:
Will-Adams-MacBook-Air:~ Looker$ nmap -script ssl-enum-ciphers -p 9999 <AWS INSTANCE>.compute.amazonaws.com
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-06 14:28 PDT
Nmap scan report for <AWS INSTANCE>.compute.amazonaws.com
Host is up (0.079s latency).
PORT STATE SERVICE
9999/tcp open abyss
Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
这是为什么?有没有办法让我在不禁用TLS_DHE_RSA_WITH_AES_256_GCM_SHA384、TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 和TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 的情况下禁用TLS_RSA_WITH_AES_128_CBC_SHA?
【问题讨论】:
标签: java ssl encryption