How to set HTTPS SSL Cipher Suite Preference in Spring boot embedded tomcat

前端 未结 2 1965
闹比i
闹比i 2021-02-09 20:52

I trying to set HTTPS SSL cipher suite preference according to server preference rather than auto select based on client & server supported common cipher suite with highest

相关标签:
2条回答
  • 2021-02-09 21:26

    You need to tell the connector's underlying protocol handler to use the server's cipher suite order. You can do so with a WebServerFactoryCustomizer :

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
        return (factory) -> {
            factory.addConnectorCustomizers((c) -> 
                ((AbstractHttp11Protocol<?>) c.getProtocolHandler()).setUseServerCipherSuitesOrder(true));
        };
    }
    
    0 讨论(0)
  • 2021-02-09 21:48

    Here is my solution in Spring Boot 2.3.4.RELEASE and JDK 1.8.
    It works fine for me.

    import org.apache.catalina.connector.Connector;
    import org.apache.coyote.http11.AbstractHttp11Protocol;
    import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    
    @Configuration
    public class HttpsConfiguration {
    
        @Bean
        public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
            return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
                @Override
                public void customize(TomcatServletWebServerFactory factory) {
                    factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
                        @Override
                        public void customize(Connector connector) {
                            AbstractHttp11Protocol<?> httpHandler = ((AbstractHttp11Protocol<?>) connector.getProtocolHandler());
                            httpHandler.setUseServerCipherSuitesOrder(true);
                            httpHandler.setSSLProtocol("TLSv1.2");
                            httpHandler.setSSLHonorCipherOrder(true);
                            httpHandler.setCiphers("TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384");
                        }
                    });
                }
            };
        }
    
    }
    
    0 讨论(0)
提交回复
热议问题