How do I protect Tomcat 7.0.20 with Java 6u30 against FREAK?

Posted: 2017-05-31 13:52:12

Tags: java tomcat7

I am using Tomcat 7.0.20 with Java 6u30 and have tried many different configurations to disable the insecure ciphers, but tomcat7 will not start. Actually, it starts with errors.

Case 1:

If I configure the connector like this:

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" enableLookups="false"
               keystoreFile="XXXXXXXX" keystorePass="YYYYYYY" maxThreads="25"
               port="443" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
               sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

I get this error in the catalina log:

    31/05/2017 07:11:00 org.apache.catalina.startup.SetAllPropertiesRule begin
    AVISO: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.

Case 2:

If I configure the connector like this:

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" enableLookups="false"
               keystoreFile="XXXXXXXX" keystorePass="YYYYYYY" maxThreads="25"
               port="443" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_RSA_WITH_RC4_128_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />

I get this error in the catalina log:

    31/05/2017 06:59:44 org.apache.tomcat.util.net.NioEndpoint setSocketOptions
    GRAVE: 
    java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(Unknown Source)
        at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
        at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:692)
        at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:644)
        at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:789)
        at java.lang.Thread.run(Unknown Source)
    31/05/2017 06:59:44 org.apache.tomcat.util.net.NioEndpoint setSocketOptions

1 answer:

Answer 0 (score: 0)

I solved it with this configuration:

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" enableLookups="false"
               keystoreFile="XXXXXXXX" keystorePass="YYYYYYY" maxThreads="25"
               port="443" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

It seems Java 6 does not support TLSv1.1 or TLSv1.2, which leaves only a few cipher options.
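The `Unsupported ciphersuite` exception in the question is thrown by `SSLEngineImpl.setEnabledCipherSuites`, which Tomcat's NIO connector calls with the `ciphers` list from `server.xml`. The following added example (written for this page, not code from the question or the answer) asks the running JVM which protocols and suites it actually supports, so a `ciphers` list can be checked before Tomcat is restarted; the `WANTED_*` arrays are a constructed sample mixing entries from the question and the answer, and the weak-suite patterns are an assumption about which names should never be enabled (export-grade RSA suites are the ones a FREAK downgrade targets).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Java 6 compatible: no diamond operator, no lambdas.
public class TomcatCipherCheck {

    // Constructed sample: a TLSv1.2-only suite and an RC4 suite from the
    // question plus the two suites from the answer.
    static final String[] WANTED_CIPHERS = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };
    static final String[] WANTED_PROTOCOLS = { "TLSv1", "TLSv1.1", "TLSv1.2" };

    // Entries of 'wanted' that this JVM does not support. Tomcat's NIO
    // connector fails on the first such cipher name, as in the question.
    static List<String> missing(String[] wanted, String[] supported) {
        Set<String> have = new HashSet<String>(Arrays.asList(supported));
        List<String> out = new ArrayList<String>();
        for (String w : wanted) {
            if (!have.contains(w)) out.add(w);
        }
        return out;
    }

    // Assumed blocklist: export-grade (FREAK), anonymous, NULL and RC4 suites.
    static boolean isWeak(String suite) {
        return suite.contains("_EXPORT") || suite.contains("_anon_")
            || suite.contains("_NULL_") || suite.contains("_RC4_");
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("JVM protocols: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Protocols the JVM lacks: " + missing(WANTED_PROTOCOLS, engine.getSupportedProtocols()));
        System.out.println("Ciphers Tomcat would reject: " + missing(WANTED_CIPHERS, engine.getSupportedCipherSuites()));
        for (String s : WANTED_CIPHERS) {
            if (isWeak(s)) System.out.println("Weak suite in your list, drop it: " + s);
        }
        for (String s : engine.getEnabledCipherSuites()) {
            if (isWeak(s)) System.out.println("Weak suite enabled by JVM default: " + s);
        }
    }
}
```

Run it with the same JRE that starts Tomcat (`java TomcatCipherCheck`), since the supported set depends on that JVM's JSSE provider, and keep only suites that appear in neither list of findings.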