ssl - How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

Question

Welcome To Ask or Share your Answers For Others

ssl - How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

asked Apr 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

ssl - How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

On my Netty server, I need to exclude TLS_1.0 and TLS_1.1 protocols. However, seems like Netty SslContextBuilder doesn't allow to exclude specific suits.

Current code is used to build a SSL context:

SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                .sslProvider(sslProvider)
                .build();

SslContextBuilder has ciphers() method, but it's not clear how to exclude specific ciphers for the TLS_1.0 and TLS_1.1.

Is there any way to achieve that?

question from:https://stackoverflow.com/questions/65680170/how-to-exclude-weak-protocols-ciphers-suits-from-the-netty-sslcontext

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Answer

深蓝 · Answer 1 · 2021-04-24T01:47:40+0000

You would just specify the protocols you want to support:

SslContextBuilder.forServer(serverCert, serverKey, serverPass)
                .sslProvider(sslProvider).protocols(...)

So only include TLSv1.2 and TLSv1.3 here.

Another possibility would be to specify your custom CipherSuiteFilter which filters out ciphers you don't want to support.

Categories

ssl - How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

ssl - How to exclude weak protocols (ciphers suits) from the Netty SSLContext?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags