如何将 SSLEngine 限制为 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 CipherSuite?
How to restrict SSLEngine to TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 CipherSuite?
我有以下代码:
SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleProvider.PROVIDER_NAME);
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
SSLEngine sslEngine = sslContext.createSSLEngine();
String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" };
sslEngine.setEnabledCipherSuites(suites);
谢谢。
编辑:
我发现我应该使用需要 SecureRandom
对象的 BouncyCastleJsseProvider
,像这样:
sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
使用新提供程序后,我的代码库中得到以下堆栈跟踪,据我所知,它应该像以前一样工作:
Aug 17, 2017 8:47:32 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyAlertRaised
INFO: Server raised fatal(2) handshake_failure(40) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.sendServerHelloMessage(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(Unknown Source)
为了让它正常工作,我做了以下操作。
添加提供商:BouncyCastleProvider
和 BouncyCastleJsseProvider
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());
使用BouncyCastleJsseProvider
创建SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
使用 SecureRandom
的实例和 BouncyCastleProvider
初始化 sslContext
sslContext.init(
keyManagers,
trustManagers,
SecureRandom.getInstance("DEFAULT", BouncyCastleProvider.PROVIDER_NAME));
您可能需要使用 BouncyCastleJsseProvider
和 PKIX
算法创建 KeyManagerFactory
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX", BouncyCastleJsseProvider.PROVIDER_NAME);
现在,我们可以启用密码套件了
SSLEngine sslEngine = sslContext.createSSLEngine();
String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" };
sslEngine.setEnabledCipherSuites(suites);
我有以下代码:
SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleProvider.PROVIDER_NAME);
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
SSLEngine sslEngine = sslContext.createSSLEngine();
String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" };
sslEngine.setEnabledCipherSuites(suites);
谢谢。
编辑:
我发现我应该使用需要 SecureRandom
对象的 BouncyCastleJsseProvider
,像这样:
sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
使用新提供程序后,我的代码库中得到以下堆栈跟踪,据我所知,它应该像以前一样工作:
Aug 17, 2017 8:47:32 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyAlertRaised
INFO: Server raised fatal(2) handshake_failure(40) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.sendServerHelloMessage(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(Unknown Source)
为了让它正常工作,我做了以下操作。
添加提供商:
BouncyCastleProvider
和BouncyCastleJsseProvider
Security.addProvider(new BouncyCastleProvider()); Security.addProvider(new BouncyCastleJsseProvider());
使用
创建BouncyCastleJsseProvider
SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
使用
初始化SecureRandom
的实例和BouncyCastleProvider
sslContext
sslContext.init( keyManagers, trustManagers, SecureRandom.getInstance("DEFAULT", BouncyCastleProvider.PROVIDER_NAME));
您可能需要使用
BouncyCastleJsseProvider
和PKIX
算法创建KeyManagerFactory
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX", BouncyCastleJsseProvider.PROVIDER_NAME);
现在,我们可以启用密码套件了
SSLEngine sslEngine = sslContext.createSSLEngine(); String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" }; sslEngine.setEnabledCipherSuites(suites);