Spring Boot: disable TLSv1.0

Time: 2015-06-25 16:07:15

Tags: spring security ssl spring-boot

Right now my Spring Boot application supports TLS1.0, TLS1.1 and TLS1.2. How can I disable TLS1.0 to avoid the BEAST attack?

Below is my application.yml

server:
  address: localhost
  port: 8443
  sessionTimeout: 30
  ssl:
    client-auth: need
    key-store: keystore.jks
    key-store-password: xxxx
    key-alias: dev-demo
    key-password: xxxx
    protocol: TLS
    trust-store: truststore.jks
    trust-store-password: xxxx
    # Spring splits this value on commas; the YAML plain scalar folds the line breaks
    # into spaces, so every continuation line needs a trailing comma.
    ciphers: TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
             TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
             TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
             TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA,
             TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_GCM_SHA384,
             TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
             TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
             TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
             TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
             TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,
             TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  tomcat:
    #default max-threads is 200
    max-threads: 200
    basedir: ./
    access-log-enabled: true
    access-log-pattern: "%h %l %u %t %r %s %b"
security:
  require-ssl: true

1 answer:

Answer 0: (score: 1)

Even though this question was posted in 2015, the answer can be found here:

Spring Boot applications allow adding customizers that can be used to customize the connector in order to disable protocols or set other attributes.

import org.apache.catalina.connector.Connector;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Spring Boot 1.x embedded-container API; the class name is arbitrary.
@Configuration
public class TlsConfig {

    // Hands the connector customizer to the embedded Tomcat container.
    @Bean
    public EmbeddedServletContainerCustomizer containerCustomizer(TomcatConnectorCustomizer connectorCustomizer) {
        return new EmbeddedServletContainerCustomizer() {
            @Override
            public void customize(ConfigurableEmbeddedServletContainer container) {
                TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
                tomcat.addConnectorCustomizers(connectorCustomizer);
            }
        };
    }

    // Restricts the HTTPS connector to TLSv1.2, so TLSv1.0 and TLSv1.1 are no longer offered.
    @Bean
    public TomcatConnectorCustomizer connectorCustomizer() {
        return new TomcatConnectorCustomizer() {
            @Override
            public void customize(Connector connector) {
                connector.setAttribute("sslEnabledProtocols", "TLSv1.2");
            }
        };
    }
}

For more details, see YoursAndMyIdeas