简体繁体 English

Java如何选择ClientHello的协议

[英]How Does Java choose the protocol for ClientHello

原文 2017-03-16 03:48:57 0 1 java/ ssl/ jsse

I know different JVMs have different lists of enabled protocols . 我知道不同的JVM具有不同的已启用协议列表。 How does a JVM choose teh protocol version from the list ? JVM如何从列表中选择协议版本？

Does it choose the highest enabled version ? 是否选择启用最高的版本？
I read that all protocols are enabled by default for servers ( unlike the client which has to choose the enabled protocols by using -Dhttps.protocols switch ) . 我读到服务器默认启用所有协议（与客户端不同，客户端必须使用-Dhttps.protocols开关选择启用的协议）。 So if a JVM is running with -server switch but makes a client call to another https site, which protocol will be used ? 因此，如果JVM使用-server开关运行，但客户端调用另一个https站点，将使用哪种协议？ Will it be the highest supported version protocol for that releae of Java ? 它是该版本的Java支持的最高版本协议吗？
How exactly does the switch -Djdk.tls.client.protocols differ from the -Dhttp.protocols switch ? 开关-Djdk.tls.client.protocols与-Dhttp.protocols开关有什么不同？ ( Both appears to be controlling the list of enabled client side protocols ? ( And neither seems to be affecting the list of protocols supported by teh server ) （两者似乎都在控制已启用的客户端协议列表？（而且似乎都没有影响服务器支持的协议列表）
Is there any way to selectively turn off certain protocols for the server ? 有什么方法可以选择性地关闭服务器的某些协议吗？

--sony -索尼

1 个解决方案

I know different JVMs have different lists of enabled protocols . 我知道不同的JVM具有不同的已启用协议列表。 How does a JVM choose teh protocol version from the list ? JVM如何从列表中选择协议版本？ 1. Does it choose the highest enabled version? 1.是否选择启用最高的版本？

Yes. 是。

I read that all protocols are enabled by default for servers ( unlike the client which has to choose the enabled protocols by using -Dhttps.protocols switch). 我读到服务器默认启用所有协议（与客户端不同，客户端必须使用-Dhttps.protocols开关选择启用的协议）。

I don't know where you read that, but all secure protocols are enabled by default for both clients and servers. 我不知道您从哪里读到的，但是默认情况下，客户端和服务器均启用了所有安全协议。 The client may but need not use https.protocols . 客户端可能但不必使用https.protocols 。

So if a JVM is running with -server switch but makes a client call to another https site, which protocol will be used ? 因此，如果JVM使用-server开关运行，但客户端调用另一个https站点，将使用哪种协议？ Will it be the highest supported version protocol for that releae of Java ? 它是该版本的Java支持的最高版本协议吗？

Yes. 是。 The -server switch is irrelevant to this. -server开关与此无关。 It selects an implementation of HotSpot. 它选择HotSpot的实现。 Nothing to do with TLS whatsoever. 与TLS无关。

How exactly does the switch -Djdk.tls.client.protocols differ from the -Dhttp.protocols switch? 开关-Djdk.tls.client.protocols与-Dhttp.protocols开关有何不同？

The former is for all TLS; 前者适用于所有TLS； the latter for HTTPS only. 后者仅用于HTTPS。

Is there any way to selectively turn off certain protocols for the server? 有什么方法可以选择性地关闭服务器的某些协议吗？

For which server? 对于哪个服务器？ It's configurable in Tomcat, and if you're writing the server yourself you can configure the SSLServerSocket directly yourself. 它可以在Tomcat中配置，如果您自己编写服务器，则可以直接配置SSLServerSocket 。