setEnabledCipherSuites


This page discusses the question "Why does SSLSocketFactory lack setEnabledCipherSuites?" and the answer it received.

Problem description


SSLSocketFactory provides getDefaultCipherSuites (ciphers that are enabled by default on sockets) and getSupportedCipherSuites (ciphers that can be enabled, if desired).


However, SSLSocketFactory does not offer setEnabledCipherSuites to configure the cipher list once to provide the preference on subsequent sockets.


In fact, I think making setEnabledCipherSuites part of SSLSocket really complicates workflows. For example, HttpsURLConnection does not provide a getSocket, and it really breaks this flow:

...
// Build a context over the caller's trust managers (trustManager is set up earlier, elided above)
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManager.getTrustManagers(), null);

// The connection accepts a factory but never exposes the SSLSocket it creates,
// so there is no point at which setEnabledCipherSuites could be called on it
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(context.getSocketFactory());


I think the same can be said about SSLContext since it has methods like getDefaultSSLParameters and getSupportedSSLParameters.


I'm trying to come up with a sound security engineering reason for the (in)ability, but I can't. Perhaps there's a software engineering reason for the decision. (I suspect there's a good reason, and I lack the insight to see it at the moment).


Why does Java lack the ability to configure the SSLSocketFactory? It's clearly a design decision, and I'm trying to understand why it was made at the expense of security in a relevant portion of the library.
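As an added illustration (not code from the question or the answer), one way to carry a cipher-suite preference through HttpsURLConnection, which never hands out its socket: wrap the provider's SSLSocketFactory so that every socket it creates has setEnabledCipherSuites applied before the handshake. Requested names are filtered against getSupportedCipherSuites so that an unsupported name cannot trigger an IllegalArgumentException at connection time; the class name, the two suite names and the example.com URL are illustrative choices.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Wraps a provider SSLSocketFactory and applies a fixed cipher-suite list to every socket it creates.
public final class CipherSuiteSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String[] enabledSuites;

    public CipherSuiteSocketFactory(SSLSocketFactory delegate, String... wantedSuites) {
        this.delegate = delegate;
        // Keep only suites the provider supports, in the caller's preference order; fail closed if none remain.
        List<String> supported = Arrays.asList(delegate.getSupportedCipherSuites());
        this.enabledSuites = Arrays.stream(wantedSuites).filter(supported::contains).toArray(String[]::new);
        if (enabledSuites.length == 0) throw new IllegalArgumentException("no requested cipher suite is supported");
    }

    // Every createSocket overload funnels through here, so HttpsURLConnection cannot bypass the policy.
    private Socket configure(Socket s) {
        if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledCipherSuites(enabledSuites);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return enabledSuites.clone(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return configure(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return configure(delegate.createSocket(s, h, p, close)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return configure(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return configure(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return configure(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return configure(delegate.createSocket(h, p, lh, lp)); }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // null trust managers = the platform default trust store
        SSLSocketFactory restricted = new CipherSuiteSocketFactory(context.getSocketFactory(),
                "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(restricted); // one factory carries the preference to every later socket
        System.out.println(conn.getResponseCode());
    }
}
```

The same wrapper can also call setEnabledProtocols in configure() if the protocol list needs pinning alongside the suites.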

Recommended answer


It could be that it was deemed to be a bad idea to allow an application to alter the enabled cipher suites. You could argue that this is a platform security issue rather than an application responsibility, and that it would be a bad thing for some application to be able to enable (or disable) suites that the system administrator has disabled / enabled.


But I don't know, and I suspect that none of the small set of people who would really know read StackOverflow regularly.

In a sense, yes. But it could just be one of those design decisions that happened by accident or by default. Or it could be that "they" didn't think this functionality would be used. Or there may be a sound security reason for doing this.


Either way, if you feel strongly about this, you could suggest this as a Java enhancement (e.g. here), or work up a patch that implements your enhancement and submit it to the OpenJDK team.


And if you don't feel motivated to propose / implement an enhancement, the best way to get an answer to "why did they do it" is to ask "them" yourself. (And please share the answer ...)


06-09 12:34