3

我在 Debian 6.0.7 上的 Jetty 6 + Open JDK 7 上运行了一个 Web 应用程序。当客户端启动 HTTPS 连接时,我有接受 TLS 握手但接受 SSLv3.0 握手的安全要求。

在我的 jetty.xml 中,我将协议设置为 TLS:

<New class="org.mortbay.jetty.security.SslSocketConnector">
    <Set name="protocol">TLS</Set>
    ...

使用此配置,Web 服务器似乎仍然接受 SSLv3.0 握手。这已使用“sslscan”工具和运行“curl -sslv3 -kv {host}”进行了验证。

是否可以将 Jetty 配置为仅接受 TLS 握手?如果需要,我愿意升级我的 Jetty 版本。

4

2 回答 2

5

我找到了两个解决方案:

升级到 Jetty 9,它支持 jetty.xml 条目:

<Arg name="sslContextFactory">
    ...
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
     </Set>

或者,使用 Jetty 6 为 SslSocketConnector 和 SSLServerSocketFactory 创建委托类:

jetty.xml:
  ...
  <New class="com.src.TlsSocketConnector">
    ...
  </New>

public class TlsSocketConnector extends SslSocketConnector  {
  @Override
  protected SSLServerSocketFactory createFactory() throws Exception {
    return new TlsServerSocketFactory( super.createFactory() );
  }
}

public class TlsServerSocketFactory extends SSLServerSocketFactory {

  private SSLServerSocketFactory delegate;

  public TlsServerSocketFactory( SSLServerSocketFactory delegate ) {
    this.delegate = delegate;
  }

  //Repeat this pattern for all createServerSocket() methods
  public ServerSocket createServerSocket() throws IOException {
    SSLServerSocket socket = (SSLServerSocket) delegate.createServerSocket();
    socket.setEnabledProtocols( new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"});
    return socket;
  }

  // Directly delegated methods from SSLServerSocketFactory
  public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
于 2013-11-12T19:01:52.437 回答
1

对于 Jetty 6,您还可以创建一个覆盖 SslSelectChannelConnector 来删除 SSLv3,如下所示:

package com.mycompany;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.SSLEngine;

import org.mortbay.jetty.security.SslSelectChannelConnector;

public class SslSelectChannelConnectorNoSsl3 extends SslSelectChannelConnector {

  @Override
  protected SSLEngine createSSLEngine() throws IOException {
    SSLEngine engine = super.createSSLEngine();
    Set<String> protocols = new HashSet<String>(Arrays.asList(engine.getEnabledProtocols()));
    protocols.removeAll(Arrays.asList("SSLv2Hello","SSLv3"));
    engine.setEnabledProtocols(protocols.toArray(new String[protocols.size()]));
    return engine;
  }

}

然后在 jetty.xml 中指定该连接器,如下所示:

<Call name="addConnector">
 <Arg>
   <New class="com.mycompany.SslSelectChannelConnectorNoSsl3">
   ...
   </New>
 </Arg>
</Call>
于 2014-11-14T22:17:41.573 回答