首页

如何在Jetty中禁用SSLv3协议以防止贵宾犬攻击

security ssl java jetty
2022-09-02 13:40:44

是否有任何特定的排除列表可用,仅禁用 SSLv3 密码不是 TLSv1/2。

我有8号码头,现在升级到9号不是一个选择。我目前的码头.xml如下所示

<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <Arg>
                <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                    .........
                </New>
            </Arg>
            <Set name="ExcludeCipherSuites">
                <Array type="java.lang.String">             
                <Item>SSL_RSA_WITH_NULL_MD5</Item>
                <Item>SSL_RSA_WITH_NULL_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
                <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
                <Item>SSL_FORTEZZA_KEA_WITH_RC4_128_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>   
                </Array>
            </Set>
        </New>
    </Arg>
</Call>

仍然当我运行“sslscan --no-failed --ssl3 localhost:443”我得到

    Supported Server Cipher(s):
  Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
  Accepted  SSLv3  128 bits  AES128-SHA

Prefered Server Cipher(s):
  SSLv3  128 bits  DHE-RSA-AES128-SHA

答案 1

我不得不在集成Jetty源代码的应用程序中禁用SSLv3。根据我在代码中更改的内容,我猜您会添加以下内容:

<Set name="ExcludeProtocols">
    <Array type="java.lang.String">             
       <Item>SSLv3</Item>
    </Array>
</Set>

试一试,让我知道它是否适合您。


答案 2

要展开@Lars答案..

对于 Jetty 7、Jetty 8 和 Jetty 9,您必须排除用于为基于 SSL 的连接器配置的任何协议(而不是密码)。SSLv3SslContextFactory

对于码头分布

编辑并添加以下 XML 代码段。${jetty.home}/etc/jetty-ssl.xml

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
     <Item>SSLv3</Item>
  </Array>
</Set>

在管理org.eclipse.jetty.http.ssl.SslContextFactory

对于码头嵌入式

您为基于SSL的连接器创建/管理的任何SslContextFactory,您只需要设置排除的协议即可。

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.addExcludeProtocols("SSLv3");
    sslContextFactory.setKeyStorePath(...);
    ...

推荐
更多 »
标签
更多 »
php pass-by-reference optional-parameters default-value javascript arrays dom function string object serialization tostring visibility syntax jslint use-strict operators equality equality-operator identity-operator datetime timestamp date-arithmetic redirect angularjs loops foreach iteration scope variables
推荐
更多 »