I am trying to enable TLS 1.3 in my Spring Boot application.
I have an HttpsConfiguration class:
    import org.apache.catalina.connector.Connector;
    import org.apache.coyote.http11.AbstractHttp11Protocol;
    import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class HttpsConfiguration {

        @Bean
        public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
            return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
                @Override
                public void customize(TomcatServletWebServerFactory factory) {
                    factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
                        @Override
                        public void customize(Connector connector) {
                            AbstractHttp11Protocol<?> httpHandler =
                                    ((AbstractHttp11Protocol<?>) connector.getProtocolHandler());
                            httpHandler.setUseServerCipherSuitesOrder(true);
                            // Left as posted. In Tomcat, sslProtocol is the SSLContext algorithm name
                            // (default "TLS"); the list of enabled versions is the separate
                            // sslEnabledProtocols attribute (setSslEnabledProtocols).
                            httpHandler.setSSLProtocol("TLSv1.3,TLSv1.2");
                            httpHandler.setSSLHonorCipherOrder(true);
                            // Only TLS 1.2 suites are listed here; no TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*).
                            httpHandler.setCiphers("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
                                    + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
                                    + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
                                    + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
                                    + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "
                                    + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
                        }
                    });
                }
            };
        }
    }
My application.properties SSL configuration is:
    # SSL Settings
    server.ssl.key-store=/etc/letsencrypt/live/arbejdsdag.dk/keystore.p12
    server.ssl.key-store-password=<redacted>
    # relaxed binding also accepts keyStoreType / keyAlias
    server.ssl.key-store-type=PKCS12
    server.ssl.key-alias=tomcat
I also tried adding the relevant server.ssl.* lines to my application.properties:
    # TLS 1.2 suites only; no TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) is listed
    server.ssl.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    server.ssl.protocol=TLS
    server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
But that does not work either.
I am running openjdk version "11.0.11" 2021-04-20 on Ubuntu 18.04 with Spring Boot Starter Parent 2.5.3.
SSL Labs does not seem to pick up this configuration (SSL Labs scan).
I am not sure what else I need to do to get this working. Any ideas?
Posted on 2021-08-17 18:43:01
I solved this by setting the ciphers that TLS 1.3 supports.
    import org.apache.catalina.connector.Connector;
    import org.apache.coyote.http11.AbstractHttp11Protocol;
    import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class HttpsConfiguration {

        @Bean
        public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
            return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
                @Override
                public void customize(TomcatServletWebServerFactory factory) {
                    factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
                        @Override
                        public void customize(Connector connector) {
                            AbstractHttp11Protocol<?> httpHandler =
                                    ((AbstractHttp11Protocol<?>) connector.getProtocolHandler());
                            httpHandler.setUseServerCipherSuitesOrder(true);
                            httpHandler.setSSLHonorCipherOrder(true);
                            // TLS 1.3 suites (no "_WITH_" key-exchange part in the name) first,
                            // then TLS 1.2 ECDHE suites as fallback for older clients.
                            httpHandler.setCiphers(
                                    "TLS_AES_256_GCM_SHA384, "
                                    + "TLS_CHACHA20_POLY1305_SHA256, "
                                    + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
                                    + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "
                                    + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
                        }
                    });
                }
            };
        }
    }
https://stackoverflow.com/questions/68783720
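The point the answer turns on is that TLS 1.3 has its own cipher suite names (RFC 8446 suites such as TLS_AES_256_GCM_SHA384 name only the AEAD and hash), so a cipher list made entirely of TLS 1.2 ECDHE suites leaves the server with nothing to offer for TLS 1.3 even when the protocol itself is enabled. The following standalone program is an added example, not code from the question or the answer: it parses a Tomcat-style comma-separated cipher list, asks the running JDK which suites it actually supports (Tomcat drops unknown names), and reports whether TLS 1.3 can be negotiated. The class name CipherListCheck, the Report type and the "_WITH_"-based naming rule used to separate TLS 1.3 suites from older ones are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Added example (not from the original post): checks a Tomcat-style
 * comma-separated cipher list against the running JDK and reports whether
 * TLS 1.3 can be negotiated with it.  Run with:  java CipherListCheck.java
 */
public class CipherListCheck {

    /** What the JDK makes of one configured cipher list. */
    public static final class Report {
        public final List<String> tls13 = new ArrayList<>();       // TLS 1.3 suites this JDK supports
        public final List<String> tls12 = new ArrayList<>();       // TLS 1.2-and-earlier suites this JDK supports
        public final List<String> unsupported = new ArrayList<>(); // names this JDK does not know (Tomcat drops them)

        /** TLS 1.3 needs at least one TLS 1.3 suite to survive; enabling the protocol alone is not enough. */
        public boolean tls13Negotiable() {
            return !tls13.isEmpty();
        }
    }

    /**
     * RFC 8446 suite names carry only the AEAD and hash (TLS_AES_256_GCM_SHA384,
     * TLS_CHACHA20_POLY1305_SHA256), whereas every TLS 1.2-and-earlier JSSE suite
     * name has a "_WITH_" key-exchange part.  Assumption made by this example:
     * that naming rule is sufficient to tell the two families apart.
     */
    public static boolean isTls13Suite(String name) {
        return name.startsWith("TLS_") && !name.contains("_WITH_") && !name.endsWith("_SCSV");
    }

    /** Cipher suites the running JDK can actually use; Tomcat silently filters out the rest. */
    public static Set<String> jdkSupportedSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new LinkedHashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    /** Protocol versions the JDK enables by default (TLSv1.3 is among them from JDK 11 on). */
    public static Set<String> jdkDefaultProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new LinkedHashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
    }

    /** Split the list the way Tomcat does (comma-separated, whitespace and empty entries ignored). */
    public static Report check(String cipherList, Set<String> supportedByJdk) {
        Report r = new Report();
        for (String raw : cipherList.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue; // tolerate trailing commas, as Tomcat's SSLHostConfig.setCiphers does
            }
            if (!supportedByJdk.contains(name)) {
                r.unsupported.add(name);
            } else if (isTls13Suite(name)) {
                r.tls13.add(name);
            } else {
                r.tls12.add(name);
            }
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the question's list (TLS 1.2 suites only) and the answer's list.
        String questionList = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
                + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
                + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
        String answerList = "TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, "
                + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "
                + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";

        System.out.println("JDK default protocols: " + jdkDefaultProtocols());
        Set<String> supported = jdkSupportedSuites();
        for (String list : new String[] { questionList, answerList }) {
            Report r = check(list, supported);
            System.out.println("TLS 1.3 negotiable: " + r.tls13Negotiable());
            System.out.println("  TLS 1.3 suites : " + r.tls13);
            System.out.println("  TLS 1.2 suites : " + r.tls12);
            System.out.println("  not in this JDK: " + r.unsupported);
        }
    }
}
```

Running it on the JDK that will host the application tells you two things before you touch the connector: whether the list contains any suite that can carry a TLS 1.3 handshake, and which names that particular JDK build does not recognise and will therefore be dropped. Once the server is up, `openssl s_client -connect host:443 -tls1_3` (OpenSSL 1.1.1 or newer) confirms the result end to end.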