'Enabling TLS-1.2 on embedded Jetty
Currently I am using this code which is enabling TLS 1.2:
ServerConnector httpsConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https_config));
httpsConnector.setPort(8443);
httpsConnector.setIdleTimeout(50000)
Now I am using TLS 1.1 and want to change it to TLS 1.2.
Solution 1:[1]
Java 8 is TLS/1.2 by default.
You can diagnose TLS in the JVM using the techniques at:
If you want to force TLS/1.2, see the prior answer at:
How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
Know that the ciphers and protocols you expose in Jetty's SslContextFactory will also have an influence on your TLS support level. (For example: you can exclude the ciphers that TLS/1.0 knows about leaving no ciphers to negotiate against)
Solution 2:[2]
Yeah, I resolved this question just now.
We can customize it by org.eclipse.jetty.util.ssl.SslContextFactory
just like this:
- exclude TLSv1?TLSv1.1 protocol etc.
sslContextFactory.addExcludeProtocols("TLSv1", "TLSv1.1");
By the way, my jetty version is 9.4.45, default protocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3") have already excluded by Jetty.
// org.eclipse.jetty.util.ssl.SslContextFactory#DEFAULT_EXCLUDED_PROTOCOLS
private static final String[] DEFAULT_EXCLUDED_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};
- include only TLSv1.2 protocol (some protocols etc.)
sslContextFactory.setIncludeProtocols("TLSv1.2");
The final protocols selected you can see in the method org.eclipse.jetty.util.ssl.SslContextFactory#selectProtocols
, you can debug yourself.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Community |
Solution 2 | Mr. Liu |