Tomcat: disable TLS 1.0 and use TLS 1.2 or later instead.

Add protocols="TLSv1.2" as an attribute of the SSLHostConfig element (Tomcat 8.5 and later). The attribute has to be on the element itself: written as bare text inside <SSLHostConfig> it is still well-formed XML, so Tomcat silently ignores it and keeps offering TLS 1.0. To offer TLS 1.3 as well (Java 11, or Java 8u261 and later), use protocols="TLSv1.2,TLSv1.3". After restarting Tomcat, confirm the change with openssl s_client -connect host:443 -tls1 (the handshake must fail) and openssl s_client -connect host:443 -tls1_2 (it must succeed).

<Connector executor="tomcatThreadPool" 
               port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="30000"
               keepAliveTimeout="60000"
               maxKeepAliveRequests="150"
               URIEncoding="UTF-8"
               disableUploadTimeout="true"
               enableLookups="false"
               maxHttpHeaderSize="102400"
               maxPostSize="4194304"
               acceptorThreadCount="16"
               acceptCount="500"
               compression="on"
               compressionMinSize="2048"
               useSendfile="false"
               noCompressionUserAgents="gozilla,traviata"
               compressibleMimeType="text/html,text/xml,text/javascript,text/css,text/plain"
               SSLEnabled="true">
        <!-- protocols is an attribute of SSLHostConfig, not text inside it -->
        <SSLHostConfig protocols="TLSv1.2">
            <Certificate certificateKeystoreFile="ssl/123.jks"
                         certificateKeystorePassword="123456"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

 

Older Tomcat versions (7.0 / 8.0, which have no SSLHostConfig element):

To restrict Tomcat to TLS 1.2, add sslEnabledProtocols="TLSv1.2" to the Connector. Note that sslProtocol="TLS" only selects the JSSE SSLContext algorithm; on its own it does not disable TLS 1.0.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf/domains.jks"
           keystorePass="xxxxxxxx"
           clientAuth="false" sslProtocol="TLS"  sslEnabledProtocols="TLSv1.2"/>

Disabling TLS 1.0 in Java itself:

In the JDK installation directory, edit jre/lib/security/java.security (on JDK 9 and later: conf/security/java.security) and add TLSv1 to the property below. The setting applies JVM-wide to every JSSE client and server, so it also covers Tomcat's JSSE connectors regardless of the connector configuration; to drop TLS 1.1 as well, add TLSv1.1 in the same way. JDK 8u291 and 11.0.11 and later already list TLSv1 and TLSv1.1 here by default. Note the trailing backslash: the value continues on the next line.

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC
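Added example, not part of the original post: an offline audit that checks both settings described above, the protocol list of every SSLEnabled Connector in server.xml (either SSLHostConfig protocols or the older sslEnabledProtocols attribute) and the jdk.tls.disabledAlgorithms property in java.security, including its backslash line continuation. It also catches the mistake of writing protocols="..." as text inside <SSLHostConfig> instead of as an attribute. The server.xml and java.security inputs are constructed for the example; the only assumption about Tomcat is its documented protocol-list syntax (comma or whitespace separated tokens, optional "+"/"-" prefixes, and "all").

```python
import re
import xml.etree.ElementTree as ET

# Protocol versions a TLS connector should never offer.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_protocol_list(value):
    """Split a Tomcat protocol list ("TLSv1.2,TLSv1.3", "all,-TLSv1", ...) into
    (enabled, removed) sets. Tomcat separates tokens with commas or whitespace
    and accepts "+"/"-" prefixes; "all" stays a token so callers can see that
    the effective list still depends on Tomcat's default."""
    enabled, removed = set(), set()
    for tok in re.split(r"[,\s]+", value.strip()):
        if tok.startswith("-"):
            removed.add(tok[1:])
        elif tok:
            enabled.add(tok.lstrip("+"))
    return enabled, removed


def audit_tomcat_connectors(server_xml):
    """Return [(port, finding), ...] for each SSLEnabled Connector whose protocol
    list is missing, relies on "all", or still offers a legacy version. Handles
    both forms on this page: <SSLHostConfig protocols="..."> (Tomcat 8.5+) and
    the older sslEnabledProtocols connector attribute."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        lists = []
        for host in conn.findall("SSLHostConfig"):
            # Common mistake: protocols="..." typed as element text instead of an
            # attribute. It is still well-formed XML, so Tomcat silently ignores it.
            if host.text and "protocols=" in host.text:
                findings.append((port, "protocols= is element text, not an attribute; Tomcat ignores it"))
            if host.get("protocols") is not None:
                lists.append(host.get("protocols"))
        if conn.get("sslEnabledProtocols") is not None:
            lists.append(conn.get("sslEnabledProtocols"))
        if not lists:
            findings.append((port, "no protocol list pinned; connector uses Tomcat's default"))
        for value in lists:
            enabled, removed = parse_protocol_list(value)
            legacy_on = (enabled & LEGACY_PROTOCOLS) - removed
            if legacy_on:
                findings.append((port, "legacy protocols enabled: " + ", ".join(sorted(legacy_on))))
            elif "all" in enabled and not {"TLSv1", "TLSv1.1"} <= removed:
                findings.append((port, "'all' without -TLSv1,-TLSv1.1; effective list depends on the Tomcat version"))
    return findings


def parse_disabled_algorithms(java_security_text):
    """Return the entries of jdk.tls.disabledAlgorithms as a set, joining the
    backslash-continued lines java.security uses (java.util.Properties rules:
    the continuation's leading whitespace is dropped, last definition wins)."""
    text = re.sub(r"\\\r?\n[ \t]*", "", java_security_text)
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            entries = {v.strip() for v in value.split(",") if v.strip()}
    return entries


def tls10_disabled_jvm_wide(java_security_text):
    """True when the JDK itself refuses TLS 1.0, i.e. "TLSv1" is listed."""
    return "TLSv1" in parse_disabled_algorithms(java_security_text)


# Constructed server.xml: 8443 repeats the page's mistake (protocols as text),
# 443 is the corrected form, 8444 uses the legacy attribute but still offers
# TLS 1.0/1.1, and 8080 is plain HTTP and is skipped.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig>
      protocols="TLSv1.2"
      <Certificate certificateKeystoreFile="ssl/123.jks" certificateKeystorePassword="123456" type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"/>
  </Connector>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/domains.jks" keystorePass="x" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed java.security excerpt with the page's edited property and its
# backslash continuation line.
SAMPLE_JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

if __name__ == "__main__":
    for port, finding in audit_tomcat_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
    print("TLS 1.0 disabled JVM-wide:", tls10_disabled_jvm_wide(SAMPLE_JAVA_SECURITY))
```

Run against the constructed input, the script reports two findings for port 8443 (the ignored text and the resulting unpinned list) and one for 8444 (TLS 1.0 and 1.1 still enabled), while port 443 passes; the java.security check returns True only when "TLSv1" is actually in the joined property value. A connector that passes the static check should still be confirmed at runtime with openssl s_client, since the JDK's own jdk.tls.disabledAlgorithms can further restrict what is negotiated.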

 

Posted 2022-11-30 14:11 by 浪淘沙&