gpt4 book ai didi

java - 如何使用 SSLPoke 强制 TLS1.2

转载 作者:太空宇宙 更新时间:2023-11-03 13:58:17 25 4
gpt4 key购买 nike

我们怀疑主机由于不支持 TLS1 而终止连接,但我们如何强制 SSLPoke 实用程序使用 TLS1.2?

或者,是否有其他实用程序(如 SSLPoke)来调试 SSL 问题?

请注意,我们同时使用了 -Djdk.tls.client.protocols=TLSv1.2-Dhttps.protocols=TLSv1.2

/usr/java/jre1.7.0_79/bin/java -Djavax.net.debug=ssl:handshake:verbose -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djavax.net.ssl.trustStore=/usr/java/jre1.7.0_79/lib/security/cacerts SSLPoke hostname.com 443

这是输出:

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1552588154 bytes = { 73, 65, 219, 139, 69, 186, 117, 96, 143, 111, 176, 121, 23, 183, 218, 92, 16, 61, 9, 162, 243, 215, 95, 23, 255, 24, 12, 2 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: hostname.com]
***
main, WRITE: TLSv1 Handshake, length = 194
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, protocol_version
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
javax.net.ssl.SSLException: Received fatal alert: protocol_version
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at SSLPoke.main(SSLPoke.java:43)

最佳答案

假设您安装了 JDK 或等效软件,只需对代码进行非常简单的更改即可完成此操作。因为 TLS 在范围版本上进行协商(直到 TLS1.3 和 Java11,此处均不适用),所以有两种可能性:

  • 您想支持允许 1.2(因为服务器需要它)但不关心较低版本

  • 您只想要求 1.2(如果服务器支持更低版本则失败)

对于情况 1,有两种选择:

SSLContext sslctx = SSLContext.getInstance("TLSv1.2"); // could use user input
sslctx.init (null, null, null); // no keymgr, default truststore and RNG
SSLSocket sslsocket = (SSLSocket) sslctx.getSocketFactory() .createSocket(host,port);
// continue as for SSLPoke to do some I/O, or just .startHandshake is enough
// (in spite of its name, startHandshake does all of (completes) the handshake)

SSLSocket sslsocket = (SSLSocket) SSLSocketFactory.getDefault() .createSocket(host,port);
sslsocket.setEnabledProtocols (new String[]{"TLSv1","TLSv1.1","TLSv1.2"});
// again could use user input; String.split(String) can be handy to create the array
// ditto

而对于情况 2 你需要

SSLSocket sslsocket = (SSLSocket) SSLSocketFactory.getDefault() .createSocket(host,port);
sslsocket.setEnabledProtocols (new String[]{"TLSv1.2"});
// ditto both

虽然正如 Robert 评论的那样,获得受支持的 (LTS) 版本 8 或 11 通常是个好主意。


此外,对于服务器端问题,例如仅在公共(public) HTTPS(网络)服务器上的协议(protocol)和证书兼容性,https://www.ssllabs.com/ssltest是海事组织优秀。但在这些限制之外它不起作用。

关于java - 如何使用 SSLPoke 强制 TLS1.2,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58103594/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com