时间戳

首页 > 解决方案 > 如果在 Jetty 日志下禁用密码,JreDisabled:java.security 意味着什么

java - 如果在 Jetty 日志下禁用密码,JreDisabled:java.security 意味着什么

问题描述

我正在尝试使用 TLS_PSK_WITH_AES_256_CBC_SHA 在 Android 应用程序上运行 Jetty 服务器,但看到它未在启用下列出。

    private static final String[] suites = {
            "TLS_PSK_WITH_AES_256_CBC_SHA"
    };

    SslContextFactory ctxFactory = new SslContextFactory();
    ctxFactory.setExcludeCipherSuites(new String[0]);
    ctxFactory.setIncludeCipherSuites(suites);

下面是启动服务器后的 Jetty Dump 日志:

   |       +- Protocol Selections
   |       |   +- Enabled (size=4)
   |       |   |   +- TLSv1
   |       |   |   +- TLSv1.1
   |       |   |   +- TLSv1.2
   |       |   |   +- TLSv1.3
   |       |   +- Disabled (size=0)
   |       +- Cipher Suite Selections
   |           +- Enabled (size=0)
   |           +- Disabled (size=25)
   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_AES_256_GCM_SHA384 - ConfigIncluded:NotSpecified
   |               +- TLS_CHACHA20_POLY1305_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ConfigIncluded:NotSpecified
   |               +- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV - ConfigIncluded:NotSpecified
   |               +- TLS_FALLBACK_SCSV - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_PSK_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigIncluded:NotSpecified
   |               +- TLS_PSK_WITH_AES_256_CBC_SHA - JreDisabled:java.security
   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_RSA_WITH_AES_128_GCM_SHA256 - ConfigIncluded:NotSpecified
   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigIncluded:NotSpecified
   |               +- TLS_RSA_WITH_AES_256_GCM_SHA384 - ConfigIncluded:NotSpecified

JreDisabled:java.security 是什么意思?Jetty 是否支持这个 TLS_PSK_WITH_AES_256_CBC_SHA 密码套件?

标签: javaandroidssljettyembedded-jetty

解决方案

这意味着您正在运行的 JRE(或 JDK)在属于该 JRE 的配置中禁用了特定的 TLS 密码套件(或 TLS 协议)。

示例:在 OpenJDK 11 上

$ grep -A2 tls.disabledAlgo $JAVA_HOME/conf/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

推荐阅读