I am using Java's SSLSocket to secure the communication between a client program and a server program. The server program also serves HTTPS requests from web browsers.
According to "Beginning Cryptography with Java", page 371, you should always call setEnabledCipherSuites on your SSLSocket/SSLServerSocket to make sure the cipher suite that is eventually negotiated is strong enough for your needs.
That said, calling the getDefaultCipherSuites method of my SSLSocketFactory yields 180 options. They range from TLS_RSA_WITH_AES_256_CBC_SHA (which I consider fairly secure) to SSL_RSA_WITH_RC4_128_MD5 (not sure whether that is secure, given the current state of MD5) to SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (not entirely sure what that even is).
What is a reasonable list of cipher suites to restrict the socket to?
Note that both the client and the server have access to the Bouncy Castle provider, and they may or may not have the unlimited-strength cryptography policy files installed.
I am trying to create a connection to an MQ queue manager that has SSL authentication enabled. I am using Java 1.8.
I have this code:
// Imports required by the snippet; propertyReader, connectionFactory and the QUEUE_* keys are defined elsewhere in the class
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import com.ibm.msg.client.wmq.WMQConstants;

TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
// Load the JKS store from the configured path; the same store is used as key store and trust store below
KeyStore trustStore = KeyStore.getInstance("JKS");
try (FileInputStream fileInputStream = new FileInputStream(propertyReader.getProperty(QUEUE_KEYSTORE))) {
    trustStore.load(fileInputStream, propertyReader.getProperty(QUEUE_KEYSTOREPASS).toCharArray());
}
// Key manager: the second argument is the key-entry password, here a fixed "changeit"
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(trustStore, "changeit".toCharArray());
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
// TLS 1.2 context built from the key and trust managers above
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
// MQ client connection settings, all read from properties
connectionFactory.setTransportType(WMQConstants.WMQ_CM_CLIENT);
connectionFactory.setHostName(propertyReader.getProperty(QUEUE_HOST));
connectionFactory.setQueueManager(propertyReader.getProperty(QUEUE_MANAGER));
connectionFactory.setChannel(propertyReader.getProperty(QUEUE_CHANNEL));
connectionFactory.setSSLCipherSuite(propertyReader.getProperty(QUEUE_CIPHERSUITE));
connectionFactory.setPort(Integer.parseInt(propertyReader.getProperty(QUEUE_PORT)));
// Hand the context's socket factory to the MQ connection factory
connectionFactory.setSSLSocketFactory(sslContext.getSocketFactory());
When I try to create the connection I get this exception:
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
I can see the following in the log:
Allow …
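An added example that is not code from either question: a wrapping SSLSocketFactory that applies the setEnabledCipherSuites call the first question cites, limiting every socket to TLS 1.2 and to an allow-list of forward-secret AEAD suites (the list is an assumed policy, the class name is hypothetical), filtered down to what the local provider actually supports so it still works without the unlimited-strength policy files. Its isNegotiable check lets you confirm up front whether a suite an application is configured for (such as QUEUE_CIPHERSUITE in the second question) can be negotiated at all, which is the condition behind JSSE's "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" handshake failure.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.*;

/** Wraps a JSSE socket factory so every socket it creates is limited to TLS 1.2 and an allow-list of suites. */
public final class StrictTlsSocketFactory extends SSLSocketFactory {
    // Assumed policy, in preference order: forward secrecy (ECDHE) plus AEAD (AES-GCM) only.
    static final List<String> ALLOWED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    static final String[] PROTOCOLS = {"TLSv1.2"};
    private final SSLSocketFactory delegate;
    private final String[] suites;

    public StrictTlsSocketFactory(SSLContext ctx) {
        delegate = ctx.getSocketFactory();
        // Keep only the allow-listed suites this JVM/provider really supports: AES-256 is absent on
        // Java 8 builds without the unlimited-strength policy files, so the list is never hard-coded.
        List<String> supported = Arrays.asList(delegate.getSupportedCipherSuites());
        List<String> usable = new ArrayList<>();
        for (String s : ALLOWED) if (supported.contains(s)) usable.add(s);
        if (usable.isEmpty()) throw new IllegalStateException("no allow-listed cipher suite is supported here");
        suites = usable.toArray(new String[0]);
    }

    /** Pre-flight check: can the suite an application is configured for (e.g. the MQ channel's) be negotiated? */
    public boolean isNegotiable(String suite) { return Arrays.asList(suites).contains(suite); }

    private Socket restrict(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        ssl.setEnabledProtocols(PROTOCOLS);
        ssl.setEnabledCipherSuites(suites); // the call the first question's book reference recommends
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return suites.clone(); }
    @Override public String[] getSupportedCipherSuites() { return suites.clone(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, h, p, autoClose)); }
    @Override public Socket createSocket(String h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, lh, lp)); }
}
```

Passing an instance to connectionFactory.setSSLSocketFactory and calling isNegotiable(propertyReader.getProperty(QUEUE_CIPHERSUITE)) before connecting tells you whether the configured suite can be used before the handshake fails. Suite names differ between the Oracle and IBM JSSE providers (TLS_ versus SSL_ prefixes), so compare against getSupportedCipherSuites() output of the JVM you run on rather than assuming a name.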