我有一个在 Java 7 上运行的 HTTPS Web 服务.我需要进行更改,以便该服务只接受 TLS1.2 连接并拒绝 SSL3、TLS1.0 和 TLS1.1.

I have a HTTPS web service running on Java 7. I need to make changes so that this service only accepts TLS1.2 connection and reject SSL3, TLS1.0 and TLS1.1.

我添加了以下 Java 参数,以便 TLS1.2 具有最高优先级.

I have added the following Java parameter so that TLS1.2 is the highest priority.


但它也接受来自 Java 客户端的 TLS1.0 连接.如果客户端也使用上述 Java 参数运行,则连接为 TLS1.2,但如果客户端未使用此参数运行,则连接为 TLS1.0.

but it also accepts the TLS1.0 connections from Java clients. If the client is also running with above Java parameter, the connection is TLS1.2 but if the client is running without this parameter, the connections is TLS1.0.

我对 jdk/jre/lib/security 文件夹中的 java.security 文件做了一些尝试.

I did some play around the java.security file in jdk/jre/lib/security folder.


I currently have following disabled algorithms:

jdk.certpath.disabledAlgorithms= MD2, MD4, MD5, SHA224, DSA, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
jdk.tls.disabledAlgorithms=DSA, DHE, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224

我使用的是 Java 7 update 79.我不倾向于拦截每个连接并检查 TLS 版本.

I am using Java 7 update 79. I am not inclined towards intercepting each connection and checking the TLS version.

我的服务器证书是 2048 位的,使用 MD5 和 RSA 算法生成.

My server certificate is 2048 bit generated with MD5 with RSA algorithm.

如果禁用的算法列表有 RSA 代替 RSA keySize <2048,我收到带有错误消息的 SSLHandShakeError:

If the disabled algorithm list has RSA in place of RSA keySize < 2048, I get the SSLHandShakeError with error message:


我的测试程序正在从以下 URL 运行 HTTP 服务器:http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html

My test program is running the HTTP server from following URL:http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html


Please help how to make java accept only TLS1.2 connections.



I found a solution for this. I set the

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

在服务器上的文件 jre/lib/security/java.security 中.

in the file jre/lib/security/java.security on the server.


After setting this, server only accepts the TLS1.2 connection and reject lower security protocol versions.

05-29 13:23