My Spring Boot application currently supports TLS 1.0, TLS 1.1 and TLS 1.2. How do I disable TLS 1.0 to avoid the BEAST attack?
Below is my application.yml:
    server:
      address: localhost
      port: 8443
      sessionTimeout: 30
      ssl:
        client-auth: need
        key-store: keystore.jks
        key-store-password: xxxx
        key-alias: dev-demo
        key-password: xxxx
        protocol: TLS
        trust-store: truststore.jks
        trust-store-password: xxxx
        ciphers: TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
          TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
          TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA
          TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA
          TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_GCM_SHA384
          TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
          TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
          TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
          TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256
          TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      tomcat:
        #default max-threads is 200
        max-threads: 200
        basedir: ./
        access-log-enabled: true
        access-log-pattern: "%h %l %u %t %r %s %b"
    security:
      require-ssl: true
Although this question was posted in 2015, I am posting an answer here for anyone who lands on it:
Spring Boot applications let you register customizers that can be used to customize the embedded connector, for example to disable protocols or set other attributes.
    import org.apache.catalina.connector.Connector;
    import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    // Spring Boot 1.x embedded-Tomcat configuration
    @Configuration
    public class TlsConfig {

        // Registers the connector customizer with the embedded Tomcat factory
        @Bean
        public EmbeddedServletContainerCustomizer containerCustomizer(TomcatConnectorCustomizer connectorCustomizer) {
            return new EmbeddedServletContainerCustomizer() {
                @Override
                public void customize(ConfigurableEmbeddedServletContainer container) {
                    TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
                    tomcat.addConnectorCustomizers(connectorCustomizer);
                }
            };
        }

        // Restricts the HTTPS connector to TLS 1.2 only (TLS 1.0 and 1.1 are no longer offered)
        @Bean
        public TomcatConnectorCustomizer connectorCustomizer() {
            return new TomcatConnectorCustomizer() {
                @Override
                public void customize(Connector connector) {
                    connector.setAttribute("sslEnabledProtocols", "TLSv1.2");
                }
            };
        }
    }
For more details, see YoursAndMyIdeas.
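Disabling TLS 1.0 closes the BEAST window only if the configuration really stops offering the old versions, and the cipher list in the question is worth checking at the same time, since it still contains anonymous, export-grade, RC4 and 3DES suites. The following is an added example (not code from the question, the answer or Spring Boot) that lints the two values involved: the protocol list the connector would offer and the `ciphers` string from application.yml. The sample values are constructed here for illustration: the "before" protocol list reflects the question's statement that TLS 1.0 to 1.2 were enabled, and the "after" value is the `TLSv1.2` the answer sets on the connector.

```python
import re

# Constructed sample values for this example.
SAMPLE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"   # what the question says was enabled before the fix
FIXED_PROTOCOLS = "TLSv1.2"                   # the value the answer's customizer sets
SAMPLE_CIPHERS = """TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"""   # subset of the question's cipher list

# Protocol versions that should not be offered by a public-facing server.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings that mark a cipher suite as unacceptable, with the reason.
# Order matters: the first matching marker supplies the reason.
WEAK_MARKERS = [
    ("_anon_", "anonymous key exchange: the server is not authenticated"),
    ("EXPORT", "export-grade key size"),
    ("RC4", "RC4 stream cipher is broken"),
    ("3DES", "3DES has a 64-bit block size (Sweet32)"),
    ("_MD5", "MD5-based MAC"),
]


def split_list(value):
    """Split a comma- and/or whitespace-separated config value into tokens.

    Handles both the single-line form Tomcat expects for sslEnabledProtocols
    and the multi-line YAML form used for server.ssl.ciphers in the question."""
    return [token for token in re.split(r"[\s,]+", value.strip()) if token]


def check_protocols(value):
    """Return the deprecated protocol versions still present in `value`."""
    return [p for p in split_list(value) if p in DEPRECATED_PROTOCOLS]


def check_ciphers(value):
    """Return {suite: reason} for every suite that matches a weak marker."""
    findings = {}
    for suite in split_list(value):
        for marker, reason in WEAK_MARKERS:
            if marker in suite:
                findings[suite] = reason
                break
    return findings


def beast_exposed(protocol_value, cipher_value):
    """BEAST requires a CBC-mode suite negotiated under SSL 3.0 or TLS 1.0.

    Returns True while both conditions remain possible with this config,
    i.e. an old protocol is still offered and at least one CBC suite is enabled."""
    old_versions = {"SSLv3", "TLSv1"} & set(split_list(protocol_value))
    has_cbc = any("_CBC_" in suite for suite in split_list(cipher_value))
    return bool(old_versions) and has_cbc


def report(protocol_value, cipher_value):
    """Human-readable summary of the checks above."""
    lines = [f"deprecated protocols offered: {check_protocols(protocol_value) or 'none'}"]
    for suite, reason in check_ciphers(cipher_value).items():
        lines.append(f"weak cipher {suite}: {reason}")
    lines.append(f"BEAST exposure possible: {beast_exposed(protocol_value, cipher_value)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- before the fix ---")
    print(report(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS))
    print("--- after the fix ---")
    print(report(FIXED_PROTOCOLS, SAMPLE_CIPHERS))
```

Run against the constructed values, the "before" report lists TLSv1 and TLSv1.1 as still offered and flags the anonymous, export, RC4 and 3DES suites; the "after" report shows no deprecated protocol and no BEAST exposure, but the weak suites remain flagged, which is the reminder that the protocol change alone does not fix the cipher list. The checks are string-based and intentionally conservative; pair them with a handshake test against the running server before relying on them.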