So verwenden Sie TLS 1.2 in Java 6
Es scheint, dass Java 6 TLS bis Version 1.0 unterstützt. Gibt es eine Möglichkeit, TLS 1.2 in Java 6 zu verwenden?
Vielleicht wird ein Patch oder ein bestimmtes Update von Java 6 dafür unterstützt?
Öffentliche Oracle Java 6-Versionen unterstützen TLSv1.2 nicht. Möglicherweise werden kostenpflichtige Versionen von Java 6 (Post-EOL). (UPDATE - TLSv1.1 ist für Java 1.6 ab Update 111 verfügbar; source )
Wenden Sie sich an den Oracle-Vertrieb.
Andere Alternativen sind:
Verwenden Sie eine alternative JCE-Implementierung wie Bouncy Castle.
Verwenden Sie IBM Java 6 ..., falls für Ihre Plattform verfügbar. Laut "IBM SDK, Korrekturen der Java Technology Edition zur Verringerung der POODLE-Sicherheitsanfälligkeit (CVE-2014-3566)" :
"TLSv1.1 und TLSv1.2 sind nur für Java 6 Service Refresh 10, Java 6.0.1 Service Refresh 1 (J9 VM2.6) und spätere Versionen verfügbar."
Ich würde jedoch empfehlen, auf Java 8 zu aktualisieren. Java 6 wurde im Februar 2013 als EOL eingestuft, und die weitere Verwendung ist potenziell riskant. (Sagen oder erinnern Sie den Chef/den Kunden. Sie müssen es wissen.)
Hier eine TLSConnection Factory:
package test.connection;
import Java.io.ByteArrayInputStream;
import Java.io.ByteArrayOutputStream;
import Java.io.DataOutputStream;
import Java.io.IOException;
import Java.io.InputStream;
import Java.io.OutputStream;
import Java.net.InetAddress;
import Java.net.InetSocketAddress;
import Java.net.Socket;
import Java.net.UnknownHostException;
import Java.security.Principal;
import Java.security.SecureRandom;
import Java.security.Security;
import Java.security.cert.CertificateException;
import Java.security.cert.CertificateFactory;
import Java.util.Hashtable;
import Java.util.LinkedList;
import Java.util.List;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.crypto.tls.CertificateRequest;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.ExtensionType;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsCredentials;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
/**
* This Class enables TLS V1.2 connection based on BouncyCastle Providers.
* Just to use:
* URL myurl = new URL( "http:// ...URL tha only Works in TLS 1.2);
HttpsURLConnection con = (HttpsURLConnection )myurl.openConnection();
con.setSSLSocketFactory(new TSLSocketConnectionFactory());
* @author AZIMUTS
*
*/
public class TSLSocketConnectionFactory extends SSLSocketFactory {
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Adding Custom BouncyCastleProvider
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
Security.addProvider(new BouncyCastleProvider());
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//HANDSHAKE LISTENER
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
public class TLSHandshakeListener implements HandshakeCompletedListener {
@Override
public void handshakeCompleted(HandshakeCompletedEvent event) {
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//SECURE RANDOM
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
private SecureRandom _secureRandom = new SecureRandom();
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Adding Custom BouncyCastleProvider
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
@Override
public Socket createSocket(Socket socket, final String Host, int port, boolean arg3)
throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(Host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), _secureRandom);
return _createSSLSocket(Host, tlsClientProtocol);
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// SOCKET FACTORY METHODS
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@Override
public String[] getDefaultCipherSuites() {
return null;
}
@Override
public String[] getSupportedCipherSuites(){
return null;
}
@Override
public Socket createSocket(String Host, int port) throws IOException,UnknownHostException{
return null;
}
@Override
public Socket createSocket(InetAddress Host, int port) throws IOException {
return null;
}
@Override
public Socket createSocket(String Host, int port, InetAddress localHost,
int localPort) throws IOException, UnknownHostException {
return null;
}
@Override
public Socket createSocket(InetAddress address, int port,
InetAddress localAddress, int localPort) throws IOException{
return null;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//SOCKET CREATION
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
private SSLSocket _createSSLSocket(final String Host , final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private Java.security.cert.Certificate[] peertCerts;
@Override
public InputStream getInputStream() throws IOException {
return tlsClientProtocol.getInputStream();
}
@Override
public OutputStream getOutputStream() throws IOException {
return tlsClientProtocol.getOutputStream();
}
@Override
public synchronized void close() throws IOException {
tlsClientProtocol.close();
}
@Override
public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public boolean getEnableSessionCreation() {
return false;
}
@Override
public String[] getEnabledCipherSuites() {
return null;
}
@Override
public String[] getEnabledProtocols() {
// TODO Auto-generated method stub
return null;
}
@Override
public boolean getNeedClientAuth(){
return false;
}
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override
public String getCipherSuite() {
throw new UnsupportedOperationException();
}
@Override
public long getCreationTime() {
throw new UnsupportedOperationException();
}
@Override
public byte[] getId() {
throw new UnsupportedOperationException();
}
@Override
public long getLastAccessedTime() {
throw new UnsupportedOperationException();
}
@Override
public Java.security.cert.Certificate[] getLocalCertificates() {
throw new UnsupportedOperationException();
}
@Override
public Principal getLocalPrincipal() {
throw new UnsupportedOperationException();
}
@Override
public int getPacketBufferSize() {
throw new UnsupportedOperationException();
}
@Override
public X509Certificate[] getPeerCertificateChain()
throws SSLPeerUnverifiedException {
// TODO Auto-generated method stub
return null;
}
@Override
public Java.security.cert.Certificate[] getPeerCertificates()throws SSLPeerUnverifiedException {
return peertCerts;
}
@Override
public String getPeerHost() {
throw new UnsupportedOperationException();
}
@Override
public int getPeerPort() {
return 0;
}
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return null;
//throw new UnsupportedOperationException();
}
@Override
public String getProtocol() {
throw new UnsupportedOperationException();
}
@Override
public SSLSessionContext getSessionContext() {
throw new UnsupportedOperationException();
}
@Override
public Object getValue(String arg0) {
throw new UnsupportedOperationException();
}
@Override
public String[] getValueNames() {
throw new UnsupportedOperationException();
}
@Override
public void invalidate() {
throw new UnsupportedOperationException();
}
@Override
public boolean isValid() {
throw new UnsupportedOperationException();
}
@Override
public void putValue(String arg0, Object arg1) {
throw new UnsupportedOperationException();
}
@Override
public void removeValue(String arg0) {
throw new UnsupportedOperationException();
}
};
}
@Override
public String[] getSupportedProtocols() {
return null;
}
@Override
public boolean getUseClientMode() {
return false;
}
@Override
public boolean getWantClientAuth() {
return false;
}
@Override
public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public void setEnableSessionCreation(boolean arg0) {
}
@Override
public void setEnabledCipherSuites(String[] arg0) {
}
@Override
public void setEnabledProtocols(String[] arg0) {
}
@Override
public void setNeedClientAuth(boolean arg0) {
}
@Override
public void setUseClientMode(boolean arg0) {
}
@Override
public void setWantClientAuth(boolean arg0) {
}
@Override
public String[] getSupportedCipherSuites() {
return null;
}
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add Host_name
byte[] Host_name = Host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(Host_name.length + 3); // entry size
dos.writeByte(0); // name type = hostname
dos.writeShort(Host_name.length);
dos.write(Host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication()
throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<Java.security.cert.Certificate> certs = new LinkedList<Java.security.cert.Certificate>();
for ( org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
certs.add(cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())));
}
peertCerts = certs.toArray(new Java.security.cert.Certificate[0]);
} catch (CertificateException e) {
System.out.println( "Failed to cache server certs"+ e);
throw new IOException(e);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest arg0)
throws IOException {
return null;
}
};
}
});
}
};//Socket
}
}
Um dies zu beweisen, testen Sie es mit einer Website, die NUR TLS 1.2 enthält. Wenn das Web TLS 1.0 verfügbar macht, wird TLS 1.1, abhängig von der Java-Implementierung, eine Verbindung mit tls 1.0, tls 1.1 herstellen. Testen Sie es mit einer Site, die nur TLS 1.2 verfügbar macht. Ein Beispiel kann die sichere Website von NIST sein https://www.nist.gov
Java 6 unterstützt jetzt TLS 1.2 (siehe unten)
http://www.Oracle.com/technetwork/Java/javase/overview-156328.html#R160_121
Sie müssen Ihre eigene SSLSocketFactory basierend auf Bouncy Castle erstellen. Wenn Sie diese benutzerdefinierte SocketFactory verwenden möchten, wechseln Sie zur üblichen HttpsConnextion.
1. Zuerst: Erstellen Sie eine TLSConnectionFactory.
Hier ein Tipp:
1.1 Erweitern Sie SSLConnectionFactory
1.2 Überschreiben Sie diese Methode:
@Override
public Socket createSocket(Socket socket, final String Host, int port, boolean arg3)
Diese Methode ruft die nächste interne Methode auf.
1.3 Implementieren Sie eine interne Methode _createSSLSocket (Host, tlsClientProtocol);
Hier müssen Sie einen Socket mit TlsClientProtocol erstellen. Der Trick ist überschreiben ... startHandshake () -Methode, die TlsClientProtocol aufruft
private SSLSocket _createSSLSocket(final String Host , final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
.... Override and implement SSLSocket methods, particulary:
startHandshake() {
}
}
Wichtig: Das vollständige Beispiel für die Verwendung des TLS-Clientprotokolls wird hier ausführlich erläutert: Verwendung von BouncyCastle für eine einfache HTTPS-Abfrage
2. Zweitens: Verwenden Sie diese angepasste SSLConnextionFactory für allgemeine HTTPSConnection.
Das ist wichtig ! In anderen Beispielen können Sie in das Web sehen und hartcodierte HTTP-Befehle sehen. Mit einer angepassten SSLConnectionFactory brauchen Sie also nichts weiter ...
URL myurl = new URL( "http:// ...URL tha only Works in TLS 1.2);
HttpsURLConnection con = (HttpsURLConnection )myurl.openConnection();
con.setSSLSocketFactory(new TSLSocketConnectionFactory());
Falls Sie auf eine bestimmte Gruppe von Remote-Services zugreifen müssen, können Sie einen Intermediate-Reverse-Proxy verwenden, um tls1.2 für Sie auszuführen. Dies erspart Ihnen den Versuch, Java1.6 zu patchen oder zu aktualisieren.
z.B. .app -> Proxy: http (5500) [tls-1.2] -> remote: https (443)
Die Konfiguration in ihrer einfachsten Form (ein Port pro Service) für Apache httpd ist:
Listen 127.0.0.1:5000
<VirtualHost *:5500>
SSLProxyEngine On
ProxyPass / https://remote-domain/
ProxyPassReverse / https://remote-domain/
</VirtualHost>
Anstatt auf https: // remote-domain/ zuzugreifen, greifen Sie auf http: // localhost: 5500/ zu.