码头-是否可以配置SSL密码的顺序?
[英]Jetty - Any way to configure order of SSL ciphers?
问题描述
I'm trying to configure Jetty to prefer ciphers using perfect forward secrecy to those that don't support it, but while allowing those older ciphers for clients that only support them. 
我正在尝试将Jetty配置为更喜欢使用不支持密码的人使用完全正向保密性的密码,但同时允许那些仅支持它们的客户端使用那些较旧的密码。 However, I can't figure out how to configure the order for Jetty. 但是,我不知道如何配置Jetty的订单。 Is this possible? 这可能吗?
I've set my server's SSLContextFactory's setUseCipherSuitesOrder method to true, but don't see any equivalent of the option to set a list of ciphers in server.xml, as appears to be possible with Tomcat. 我已经将服务器的SSLContextFactory的setUseCipherSuitesOrder方法设置为true,但是没有看到等效的选项来设置server.xml中的密码列表,这在Tomcat中似乎是可能的。 I'm using embedded Jetty 9.4.x, and currently am running Java 8. 我正在使用嵌入式Jetty 9.4.x,当前正在运行Java 8。
1 个解决方案
解决方案1
0 2018-04-11 11:13:20
TLS and HTTP/2 make have strict/mandatory Cipher Suite order requirements. TLS和HTTP / 2具有严格/强制的密码套件订购要求。
Since the protocols require specific behavior, you cannot control it anymore, so Jetty doesn't offer it as an option. 由于协议要求特定的行为,因此您无法再对其进行控制,因此Jetty不提供它作为选项。
While the JRE does have a SSLParameters.setUseCipherSuitesOrder(true) , it is not possible to use this in all modern HTTP connection scenarios. 虽然JRE确实具有SSLParameters.setUseCipherSuitesOrder(true) ,但不可能在所有现代HTTP连接方案中都使用它。
You can choose to use this Java option with Jetty at SslContextFactory.setUseCipherSuitesOrder(boolean) . 您可以在SslContextFactory.setUseCipherSuitesOrder(boolean)选择将此Java选项与Jetty一起使用。 Be aware that newer TLS versions (1.2 and above) and HTTP/2 will override this setting to fit their own needs and requirements. 请注意,较新的TLS版本(1.2和更高版本)和HTTP / 2将覆盖此设置以适合其自身的需求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.