Warm tip: This article is reproduced from serverfault.com, please click
java spring spring-boot ssl tomcat

How to set HTTPS SSL Cipher Suite Preference in Spring boot embedded tomcat

发布于 2017-05-12 14:48:42

I trying to set HTTPS SSL cipher suite preference according to server preference rather than auto select based on client & server supported common cipher suite with highest strength.

I like to let server choose for common between server & client having "TLS_ECDHE..." in order to support Forward Secrecy. Now I tested in "www.ssllabs.com", client browser will prefer cipher having "TLS_RSA..." rather than "TLS_ECDHE"...

I noticed java 8 support set cipher suite preference: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference

I assume spring boot embedded Tomcat will call Java 8 function to choose cipher

Here is what I done in spring boot application.properties file to set server support ciphers set:

server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA

Hopefully someone can guide me how to override default choose cipher behaviour.

Questioner
Mr Hoelee
Viewed
0
分享
Andy Wilkinson 2020-10-19 22:38:57

You need to tell the connector's underlying protocol handler to use the server's cipher suite order. You can do so with a WebServerFactoryCustomizer :

@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainerCustomizer() {
    return (factory) -> {
        factory.addConnectorCustomizers((c) -> 
            ((AbstractHttp11Protocol<?>) c.getProtocolHandler()).setUseServerCipherSuitesOrder(true));
    };
}
Bampfer 2019-03-14 14:27:33

To upgrade this solution to Spring Boot 2.1.x, I just had to make two small changes: replace EmbeddedServletContainerCustomizer with WebServerFactoryCustomizer<TomcatServletWebServerFactory>, and TomcatEmbeddedServletContainerFactory with TomcatServletWebServerFactory.

Bampfer 2019-03-14 19:23:00

Plus, somewhere between Spring Boot 2.0.7 and 2.1.3 the argument to setUseServerCipherSuitesOrder changed from String to boolean.

Julian Solarte 2019-10-02 22:16:50

setUseServerCipherSuitesOrder now recieves a boolean

热门帖子

1
预算一万五攒个深度学习的主机,有好哥哥来看看配置吗
2
哀叹,头发越来越少了
3
[内购终身版限时免费][macOS] Barbee - 拯救你的菜单栏空间(刘海屏快来!
4
请教 mac 如何进行同 app 的窗口切换?
5
notion 是否有平替?
6
我又又又来求购 pixel 初代了。。。
7
领克 08 EM-P 和理想 L6 大伙觉得怎么选
8
[开发者自荐] 公众号封面神器——封面大师「Cover Master」(图片美化第二弹)
9
关于出镜旅游
10
原来凤凰系统已经倒闭 2 年多了

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation
3
shadcn/ui, but for Svelte. ✨
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
5
Performance-portable, length-agnostic SIMD with runtime dispatch
6
ZK Credo
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
12
🎓 Path to a free self-taught education in Computer Science!
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
14
A collective list of free APIs
15
📚 Freely available programming books