如何获取使用哪种版本的协议SSL或TLS

时间:2018-05-10 07:30:30

标签: java ssl apache-httpclient-4.x tls1.2

我们使用以下代码构建HTTP客户端套接字工厂:

    SSLContext sslContext = new SSLContextBuilder().build();     
    sslContext.init(null, getTrustAllCertsManager(), new java.security.SecureRandom());
    final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    sslsf.createSocket(null);

HTTPClient的版本是4.5.1。由于我对此非常陌生,并且我们的一个客户端正在迁移到TLSv1.2并且不支持TLSv1.0,我如何确保上述代码将支持TLSv1.1,TLSv1.2。如果我通过代码默认协议是TLS,我们没有传递任何这样的参数,如TLSv1.1或TLSv1.2。从这些协议事物的驱动。如果我需要更改代码以支持TLSv1.1,TLSv1.2,并停止支持TLSv1.0,那么我需要在代码中进行所有更改。感谢。

2 个答案:

答案 0 :(得分:2)

HttpClient context logging将提供相当数量的SSL会话详细信息

[DEBUG] MainClientExec - Opening connection {s}->https://httpbin.org:443
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to httpbin.org/52.1.117.85:443
[DEBUG] SSLConnectionSocketFactory - Connecting socket to httpbin.org/52.1.117.85:443 with timeout 0
[DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
[DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] SSLConnectionSocketFactory - Starting handshake
[DEBUG] SSLConnectionSocketFactory - Secure session established
[DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1.2
[DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[DEBUG] SSLConnectionSocketFactory -  peer principal: CN=httpbin.org
[DEBUG] SSLConnectionSocketFactory -  peer alternative names: [httpbin.org, www.httpbin.org]
[DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
[DEBUG] DefaultHttpClientConnectionOperator - Connection established 192.168.43.64:58742<->52.1.117.85:443

请注意,从版本4.4起,HttpClient默认禁用SSLv3及更早版本的SSL协议版本。

答案 1 :(得分:1)

除了oleg建议的回答之外,我们可以在java_opts中添加“-Djavax.net.debug = all”,这将导致打印所有套接字日志以及协议版本。它将打印很多细节,你可以在其中找到相关的,就像在我的情况下,我发现协议详细信息与下面的日志。 

READ: TLSv1.1 Handshake
WRITE: TLSv1.1 Handshake
相关问题
最新问题