如何使用 SSLv2 启动 ssl 连接
我想使用 SSLv2 启动与远程服务器的 SSL 连接.我正在使用 Java.我尝试使用以下方法在我的套接字中获取支持的协议:
I want to initiate an SSL connection with a remote server using SSLv2. I am using Java. I tried to get the supported protocols in my socket using:
String[] suppProtocols=socket.getSupportedProtocols();
System.out.println("The protocols supported for this socket are:
"+Arrays.toString(suppProtocols));
我在输出中得到了这个:
and I got this in the output:
[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
现在,我了解到 Java 不支持 SSLv2,而 SSLv2Hello 仅使用 SSLv2 发送 hello 消息.我无法理解这是什么意思?和客户端支持 SSLv2 不一样吗?如何使用 SSLv2 建立 SSL 连接.
Now, I read that Java does not support SSLv2 and SSLv2Hello only sends hello message using SSLv2. I can't grasp what does this means? Isn't the same as if the client support SSLv2? How can I make SSL connection using SSLv2.
推荐答案
SSLv3 和 TLSv1.x 提供了一种将其 Client Hello 消息包装在 SSLv2 Client Hello 中的方法,如 TLS 规范:向后兼容 SSL.SSLv3 和 TLS 1 及更高版本具有更一致的版本协商机制.正如 TLS 规范所说:
SSLv3 and TLSv1.x offer a way to wrap their Client Hello message in an SSLv2 Client Hello, as described in the TLS specification: Backward compatibility with SSL. SSLv3 and TLS 1 and above have a more consistent mechanism to negotiate the version. As the TLS spec says:
发送版本 2.0 客户端问候消息的能力将是迅速淘汰.实施者应该使每个努力尽快向前推进.3.0 版为迁移到新版本提供了更好的机制.
The ability to send Version 2.0 client hello messages will be phased out with all due haste. Implementors SHOULD make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for moving to newer versions.
Sun/Oracle JRE 或 OpenJDK 不支持 SSLv2.将 SSLv3+ 消息包装成 SSLv2 消息只是为了向后兼容.现在 在 Java 7 中默认禁用客户端.从服务器的角度来看,它至少可以接受其他 SSLv3+ 客户端以这种方式将其 Client Hello 消息包装在 SSLv2 消息中,无论它们是否支持 SSLv2.
The Sun/Oracle JRE or OpenJDK doesn't support SSLv2. Wrapping an SSLv3+ message into an SSLv2 message was just for backward compatibility. It is now disabled by default for clients in Java 7. From a server point of view, it can at least accept other SSLv3+ clients that wrap their Client Hello message in an SSLv2 message this way, whether they support SSLv2 or not.
您可以在这个问题中找到有关 Java 支持(包括其他实现)的更多详细信息.
You'll find more details about Java support (including other implementations) in this question.
一般来说,SSLv2 被认为是不安全的:您根本不应该使用它.总体趋势是从 SSLv3 转向 TLS 1.0 或更高版本,而不是倒退.
Generally speaking, SSLv2 is considered insecure: you simply shouldn't use it. The general trend is to move away from SSLv3 towards TLS 1.0 or higher, not to go backwards.
相关文章