`
marlgl
  • 浏览: 73820 次
  • 性别: Icon_minigender_1
  • 来自: 上海
社区版块
存档分类
最新评论

Https - TLSv1.2

 
阅读更多
大于8k左右的数据请求(PUT/POST)无法与server通信

Chrome: Error (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

public class ShortBufferException extends GeneralSecurityException
This exception is thrown when an output buffer provided by the user is too short to hold the operation result.

Tomcat 8.0
disable TLS1.2

 
<Connector SSLEnabled="true" 
               clientAuth="false" 
               connectionLinger="0"
...
               protocol="org.apache.coyote.http11.Http11NioProtocol" 
               scheme="https"
               secure="true" 
               sslProtocol="TLS" 
               sslEnabledProtocols="TLSv1,TLSv1.1,TLS1.2,SSLv2Hello" />


 
<Connector SSLEnabled="true" 
               clientAuth="false" 
               connectionLinger="0"
...
               protocol="org.apache.coyote.http11.Http11NioProtocol" 
               scheme="https"
               secure="true" 
               sslProtocol="TLS" 
               sslEnabledProtocols="TLSv1,TLSv1.1,SSLv2Hello" />



HTTPS connector parameter sslProtocol defines which SSL/TLS protocols
are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLS v1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.


参考:
https://bugs.openjdk.java.net/browse/JDK-8036970

https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
http://docs.oracle.com/javase/8/docs/api/javax/crypto/ShortBufferException.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7031830
http://mail-archives.apache.org/mod_mbox/tomcat-users/201303.mbox/%3C13A085B2E018374C813676301AED0EE412D87457C3@BLR0EXC00.us.sonicwall.com%3E
https://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx
  • 大小: 16.1 KB
  • 大小: 17.5 KB
分享到:
评论

相关推荐

Global site tag (gtag.js) - Google Analytics