How do you enable TLS 1.2 on Spring-boot?

问题:

I am trying to enable TLS 1.2 on Tomcat on Spring-boot 1.2.1. Android 5.0 is failing to connect to the default SSL settings, due to an SSL handshake failure. Android 4.4, iOS, Firefox, and Chrome all connect to the default version. I think this is because of a mismatch in the TLS protocols supported in Android 5.0 and the spring boot tomcat defaults (TLS v1?).

I imagine I want to change this application.properties setting:

server.ssl.protocol=TLS 

but I have not located the other acceptable strings (or if there are any, even). There is no enumeration that I can find by searching on "protocol" in spring boot github. I have tried "TLSv1.2", but this appears to have no effect.

The current SSL configuration in application.properties is:

server.ssl.key-store = chainedcertificates.p12 server.ssl.key-store-password = secret server.ssl.key-store-type = PKCS12 

How do you enable TLS 1.2 in spring boot?

If it matters, I am using Java 1.7. The documentation for this seems to indicate it should support TLS 1.2.

Tomcat 8 seems to have support present. I am not sure how to check exactly which version is running in spring boot.

回答1:

TLS 1.2 is enabled by default in spring-boot 1.2.1. This can be verified by running the following from the command line

openssl s_client -connect serverAddress:port 

which outputs

SSL-Session: Protocol  : TLSv1.2 Cipher    : ECDHE-RSA-AES256-SHA384 

So my problem must be something separate.

回答2:

You may experience an SSL handshake error due to the default ciphers that spring boot includes. It is recommended that you define a set of ciphers. We had a similar issue, and the way we fixed it was by using SSLScan on the caller and then scanning our system to see if there were any matches. This lead us to find out that there were no matches and helped us define a list of ciphers we should support.

Using SSLScan these are the default ciphers spring boot will use:

Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256 Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256 Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256 Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits 

To enable TLS 1.2 and to define the cipher list please do the following:

#enable/diable https server.ssl.enabled=true  #ssl ciphers server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT  # SSL protocol to use. server.ssl.protocol=TLS  # Enabled SSL protocols. server.ssl.enabled-protocols=TLSv1.2 

For a list of of ciphers you can use https://testssl.sh/openssl-rfc.mapping.html and https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794(v=vs.85).aspx

文章来源: How do you enable TLS 1.2 on Spring-boot?