TLSv1.2 on Jboss 5.1.0 GA using Java 6 and BouncyCastle

大憨熊 submitted on 2020-02-02 15:00:30

Question


I'm facing a problem with a JBoss server and the HTTPS connector, running on Java 6. I want to make my server use only TLSv1.2 and use the cipher suites "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" for decoding the certificate.

I know that Java 6 does not support TLSv1.2, but I added the Bouncy Castle JCE and JSSE providers to the JDK (https://www.bouncycastle.org/latest_releases.html):

  • Added the JAR files (bcprov-jdk15on-159.jar and bctls-jdk15on-159.jar) to the path_to_jdk/jre/lib/ext folder

  • Edited the file path_to_jdk/jre/lib/security/java.security to add the lines:

    security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.11=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

The Java instruction SSLContext.getInstance("TLSv1.2"); no longer throws a NoSuchAlgorithmException when I test it in a small test class.

On JBoss:

  • Edited the file path_to_jboss/server/default/deploy/jbossweb.sar/server.xml to have:

    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}" keystoreFile="${jboss.server.home.dir}/conf/jboss.pfx" keystorePass="password" sslProtocols="TLSv1.2" maxThreads="170"/>

After that, JBoss is still offering only the SSLv3 and TLSv1 protocols for HTTPS connections.

Any solution?

Thanks


Answer 1:


I believe the 'sslProtocols' attribute translates to a call to SSLParameters.setProtocols (later given effect by SSLSocket.setParameters), and doesn't affect the SSLContext.getInstance call. So you are still getting a SunJSSE SSLContext because you added BCJSSE at lower priority.

I suggest moving the BouncyCastleJsseProvider entry in java.security to a higher priority (than com.sun.net.ssl.internal.ssl.Provider).

Also in java.security you will need to set the default KMF type from SunX509 to PKIX (change the existing entry):

ssl.KeyManagerFactory.algorithm=PKIX

This is because BCJSSE currently only works with its own KMF implementation.
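To see the effect the answer describes, the following diagnostic class is an added example (not code from the question, the answer or Bouncy Castle): it reports which provider really backs SSLContext.getInstance("TLSv1.2") and the default KeyManagerFactory, first with the provider order from java.security and then with the BC providers moved to the top. It assumes the two Bouncy Castle JARs named in the question are on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Added diagnostic (not from the question or the answer): shows which provider
// really backs SSLContext.getInstance("TLSv1.2") and the default KMF, first with
// the provider order from java.security, then with the BC providers on top.
// Assumes bcprov-jdk15on-159.jar and bctls-jdk15on-159.jar are on the classpath.
public class CheckTlsProvider {

    // Prints the backing providers and the protocol list the context would offer.
    static void report(String label) {
        System.out.println("== " + label + " ==");
        try {
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            System.out.println("SSLContext provider : " + ctx.getProvider().getName());
            // Reads ssl.KeyManagerFactory.algorithm (SunX509 by default, PKIX per the answer).
            String kmfAlg = KeyManagerFactory.getDefaultAlgorithm();
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlg);
            System.out.println("Default KMF         : " + kmfAlg + " from " + kmf.getProvider().getName());
            // init() with nulls pulls in the default key/trust managers; a KMF that
            // does not suit the selected JSSE provider shows up as a failure here.
            ctx.init(null, null, null);
            System.out.println("Supported protocols : "
                    + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        } catch (Exception e) {
            System.out.println("FAILED: " + e);
        }
    }

    public static void main(String[] args) {
        // 1. Whatever the current java.security ordering yields (SunJSSE when BCJSSE sits lower).
        report("provider order from java.security");

        // 2. Re-register the BC providers ahead of SunJSSE (insertProviderAt is a
        //    no-op for an already installed provider, hence the remove first).
        Provider bc = new BouncyCastleProvider();
        Provider bcjsse = new BouncyCastleJsseProvider();
        Security.removeProvider(bc.getName());
        Security.removeProvider(bcjsse.getName());
        Security.insertProviderAt(bc, 1);
        Security.insertProviderAt(bcjsse, 2);
        report("BC providers moved to the head of the list");
    }
}
```

Run it with the same JDK JBoss uses; the second report is what the server will see once the java.security ordering and the ssl.KeyManagerFactory.algorithm entry are changed as the answer suggests.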



Source: https://stackoverflow.com/questions/50489592/tlsv1-2-on-jboss-5-1-0-ga-using-java-6-and-bouncycastle
