Java 6上的TLS 1.2
[英]TLS 1.2 on Java 6
问题描述
I have a legacy application running on java 6. However , we need to upgrade to TLS 1.2 due to certain security factors. 
我有一个在Java 6上运行的旧版应用程序。但是,由于某些安全因素,我们需要升级到TLS 1.2。 For this I have tried the following code : 为此,我尝试了以下代码:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
public class TlsCheck {
/**
* test whether this client can connect to TLS v1.2 or not
*/
public static boolean isSuccessfulTLS12connection(){
try{
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, null, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
URL url = new URL("https://tlstest.paypal.com");
HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();
httpsConnection.connect();
BufferedReader reader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
StringBuilder body = new StringBuilder();
while(reader.ready()){
body.append(reader.readLine());
}
httpsConnection.disconnect();
System.out.println("The body is::"+body.toString());
if(body.toString().equals("PayPal_Connection_OK")){
return true;
}
}catch(NoSuchAlgorithmException ne){
ne.printStackTrace();
}catch(UnknownHostException ue){
ue.printStackTrace();
}catch(IOException ioe){
ioe.printStackTrace();
}catch(KeyManagementException ke){
ke.printStackTrace();
}
return false;
}
public static void main(String args[]){
try{
SSLParameters sslParams = SSLContext.getDefault().getSupportedSSLParameters();
System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
sslParams.setProtocols(new String[] { "TLSv1.2"});
String[] protocols = sslParams.getProtocols();
System.out.println("The Supported Protocols are::"+Arrays.asList(protocols));
}catch(NoSuchAlgorithmException ne){
ne.printStackTrace();
}
if(isSuccessfulTLS12connection()){
System.out.println("The connection to TLS v1.2 endpoint is succesful");
}else{
System.out.println("The connection to TLS v1.2 failed!");
}
}
} }
But i get the following error: 但我得到以下错误:
The Supported Protocols are::[TLSv1.2]
javax.net.ssl.SSLException: Received fatal alert: protocol_version
The connection to TLS v1.2 failed!
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at TlsCheck.isSuccessfulTLS12connection(TlsCheck.java:30)
at TlsCheck.main(TlsCheck.java:65)
Can anyone suggest a better way rather than setting property? 有人可以提出比设置财产更好的方法吗? I have also tried setting JVM arguments, but no luck! 我也尝试设置JVM参数,但是没有运气!
3 个解决方案
解决方案1
5 2017-08-29 10:04:37
The real fix? 真正的解决办法? Upgrade to Java 1.7 or later. 升级到Java 1.7或更高版本。 Continuing to run Java 1.6 Update 45 and connecting it to the internet is professionally reckless. 继续运行Java 1.6 Update 45并将其连接到Internet绝对是鲁re的。
How reckless? 多么鲁ck? Very. 非常。
Because Oracle released a critical patch update for Java 1.6 Update 45 that fixed over 40 security vulnerabilities over four years ago . 因为Oracle发布了Java 1.6 Update 45的重要补丁程序更新,该更新程序 在四年前 修复了40多个安全漏洞 。
Among those fixed four years ago : 在四年前修复的那些文件中:
- CVE-2013-2462 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. CVE-2013-2462成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
- CVE-2013-2463 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. CVE-2013-2463易于利用的漏洞允许通过多种协议成功进行未经身份验证的网络攻击。 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
- CVE-2013-2464 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. CVE-2013-2464易于利用的漏洞允许通过多种协议成功进行未经身份验证的网络攻击。 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
- CVE-2013-2465 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. CVE-2013-2465易于利用的漏洞允许通过多种协议成功进行未经身份验证的网络攻击。 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
- CVE-2013-2466 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. CVE-2013-2466易于利用的漏洞允许通过多种协议成功进行未经身份验证的网络攻击。 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
- CVE-2013-2468 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. CVE-2013-2468易于利用的漏洞允许通过多种协议成功进行未经身份验证的网络攻击。 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. 成功攻击此漏洞可能导致未经授权的操作系统接管,包括任意代码执行。
And SIX more that have a vulnerability rating of 10.0 - that means it's an easily exploitable remote vulnerability. 还有六种漏洞评级为10.0-这意味着它是一个易于利用的远程漏洞。
That's just a list of the critical security vulnerabilities Oracle actually fixed in Java 1.6 Update 45 four years ago. 这只是四年前Oracle实际上在Java 1.6 Update 45中修复的关键安全漏洞的列表。 There are more that weren't fixed in that one patch that still exist. 在那个补丁中仍然存在的更多未解决的问题。
And you don't have any of them fixed. 而且您没有任何固定的解决方案。
To reiterate: those vulnerabilities - and a whole lot more - still exist in Java 1.6 Update 45. 重申一下 :Java 1.6 Update 45中仍然存在这些漏洞- 还有很多其他漏洞。
Again: continuing to use Java 1.6 Update 45 and connecting it to the internet is reckless . 再次:继续使用Java 1.6 Update 45并将其连接到Internet是鲁ck的 。 Java 1.6 Update 45 has at least 25(!!!) known remotely exploitable security vulnerabilities with a CVE score of 9.3 or higher. Java 1.6 Update 45 至少具有25(!!!)个已知的可远程利用的安全漏洞,CVE评分为9.3或更高。
解决方案2
2 2017-08-29 07:47:08
The latest public Java 6 SE build is 6u45, which is not supporting TLS 1.2. 最新的公共Java 6 SE构建为6u45,不支持TLS 1.2。 To use TLS 1.2 with Java 6, I see two possibilities: 要将TLS 1.2与Java 6结合使用,我看到两种可能性:
- Oracle offers a paid Java SE Advance program. Oracle提供了付费的Java SE Advance计划。 In this, the build 6u141 is available with TLS 1.2 support: http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_141 在此版本6u141中可使用TLS 1.2支持: http : //www.oracle.com/technetwork/java/javase/overview-156328.html#R160_141
- Try the Bouncy Castle library. 尝试充气城堡图书馆。 You can find an example implementation in this answer: https://stackoverflow.com/a/33122393/7059880 您可以在以下答案中找到示例实现: https : //stackoverflow.com/a/33122393/7059880
解决方案3
0 2017-08-29 08:01:58
正如Marcel已经提到的那样,Java 6不支持TLS。也许您可以使用curl等外部软件作为变通办法来通过System.exec()发出请求?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.