How to set the HTTPS SSL cipher suite preference in Spring Boot embedded Tomcat

Posted: 2017-05-12 14:48:42

Tags: java spring tomcat ssl spring-boot

I am trying to set the HTTPS SSL cipher suite preference according to the server's preference, rather than letting the highest-strength cipher suite that both the client and the server support be chosen.

I want the server to pick, from the suites common to server and client, one of the "TLS_ECDHE..." suites in order to support forward secrecy. Right now, when I test on "www.ssllabs.com", the client browser prefers "TLS_RSA..." over "TLS_ECDHE..."

I noticed that Java 8 supports setting the cipher suite preference: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference

I assume Spring Boot's embedded Tomcat would call that Java 8 function to select the cipher.

Here are the server-supported cipher settings I configured in the Spring Boot application.properties file:

server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA

I hope someone can guide me on how to override the default cipher selection behaviour.

2 answers:

Answer 0 (score: 5)
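A local equivalent of the ssllabs check described above, added here as an example and not part of the original post: a small JSSE client that deliberately offers an RSA key-exchange suite before an ECDHE suite and reports which suite the server actually selected. If the server honours its own order (ECDHE first, as in the property list above), the ECDHE suite wins; if the client's order is honoured, the RSA suite wins. The class name, the host/port defaults and the two-suite list are assumptions; the JVM must already trust the server certificate (for a self-signed one, point `-Djavax.net.ssl.trustStore=...` at it), and the check is only meaningful if both suites are in the server's enabled list.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical helper (example code, not from the question or answers):
 * connects with a client-preferred suite order and returns the suite the
 * server negotiated, so server-side cipher ordering can be verified.
 */
public class CipherOrderCheck {

    // Constructed client preference: the RSA key-exchange suite is offered FIRST.
    // A server enforcing its own (ECDHE-first) order should still pick ECDHE.
    static final String[] RSA_FIRST = {
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Performs one TLS 1.2 handshake and returns the negotiated cipher suite name. */
    public static String negotiatedSuite(String host, int port, String[] clientOrder)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] {"TLSv1.2"});
            params.setCipherSuites(clientOrder);
            // Verify the host name against the certificate, as a browser would.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            return socket.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder defaults; pass the real host and HTTPS port as arguments.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        String chosen = negotiatedSuite(host, port, RSA_FIRST);
        System.out.println("Server selected: " + chosen);
        if (chosen.startsWith("TLS_ECDHE_")) {
            System.out.println("Server cipher order is honoured (forward-secret suite chosen).");
        } else {
            System.out.println("Client order won: the server is not enforcing its own preference.");
        }
    }
}
```

Run it once before and once after applying the configuration change; only the "after" run should report the ECDHE suite. Because the suite is fixed in the ServerHello, the result reflects the server's choice regardless of what the client listed first.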

You need to tell the connector's underlying protocol handler to use the server's cipher suite order. You can do this with an EmbeddedServletContainerCustomizer:

    import org.apache.coyote.http11.AbstractHttp11Protocol;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    // Any @Configuration class in the application will do (Spring Boot 1.x API).
    @Configuration
    public class CipherOrderConfiguration {

        @Bean
        public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
            return (factory) -> {
                ((TomcatEmbeddedServletContainerFactory) factory)
                        .addConnectorCustomizers((connector) -> {
                            // Tomcat 8.0 takes a String here; Tomcat 8.5+ takes a boolean.
                            ((AbstractHttp11Protocol<?>) connector.getProtocolHandler())
                                    .setUseServerCipherSuitesOrder(Boolean.toString(true));
                        });
            };
        }
    }

Answer 1 (score: 0)

Here is my solution with Spring Boot 2.3.4.RELEASE and JDK 1.8.
It works fine for me.

    import org.apache.catalina.connector.Connector;
    import org.apache.coyote.http11.AbstractHttp11Protocol;
    import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class HttpsConfiguration {

        @Bean
        public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
            return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
                @Override
                public void customize(TomcatServletWebServerFactory factory) {
                    factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
                        @Override
                        public void customize(Connector connector) {
                            AbstractHttp11Protocol<?> httpHandler = ((AbstractHttp11Protocol<?>) connector.getProtocolHandler());
                            // Both calls below set the same "honor cipher order" flag on the
                            // connector's default SSLHostConfig (deprecated setters in Tomcat 9).
                            httpHandler.setUseServerCipherSuitesOrder(true);
                            httpHandler.setSSLProtocol("TLSv1.2");
                            httpHandler.setSSLHonorCipherOrder(true);
                            // This replaces whatever server.ssl.ciphers configured; the SCSV entry is a
                            // renegotiation signalling value, not a real cipher suite.
                            httpHandler.setCiphers("TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384");
                        }
                    });
                }
            };
        }

    }
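The same switch, expressed against the non-deprecated Tomcat 9 `SSLHostConfig` API and leaving the cipher list and key store to `server.ssl.*` in application.properties. This is an added example, not code from either answer; the class and bean names are assumptions, and it assumes Spring Boot 2.x (where `TomcatConnectorCustomizer` beans are picked up automatically and run after Boot has applied the `server.ssl.*` properties to the connector).

```java
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Example configuration (not from the original answers): makes Tomcat honour
 * the server-side cipher suite order from server.ssl.ciphers without
 * hard-coding the suite list or the protocol version in Java.
 */
@Configuration
public class ServerCipherOrderConfiguration {

    // Hypothetical bean name; Spring Boot 2.x applies every TomcatConnectorCustomizer
    // bean to each connector after server.ssl.* has been translated into an SSLHostConfig.
    @Bean
    public TomcatConnectorCustomizer honorServerCipherOrder() {
        return connector -> {
            for (SSLHostConfig hostConfig : connector.findSslHostConfigs()) {
                // Equivalent to the deprecated setUseServerCipherSuitesOrder /
                // setSSLHonorCipherOrder calls on AbstractHttp11Protocol.
                hostConfig.setHonorCipherOrder(true);
            }
        };
    }
}
```

Keeping the suite list in `server.ssl.ciphers` means the ordered list already shown in the question (ECDHE suites first) is the one the server enforces, and a later change to the list does not require touching the Java configuration. On the JSSE path Tomcat maps this flag onto the Java 8 `SSLParameters.setUseCipherSuitesOrder` feature the question links to, so nothing else needs to be set on the JVM.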