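Recently, a third-party API that our project calls was upgraded, and its HTTP calls now have to use TLS 1.2. The project runs on JDK 1.7, which supports TLSv1 by default, whereas JDK 1.8 supports TLSv1.2 by default. Upgrading the JDK would have a fairly large impact, so we are not upgrading.
I looked through a lot of material online; some approaches change the server configuration, and others modify the Java code that makes the HTTP request. This time I chose to modify the Java code.
The solution is as follows:
Modify the Java code directly where the API is called, specifying the protocol when the socket connection is created. See the link for details; an example follows: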
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
ctx.init(null, null, null);
Official solution:
Detailed link: https://www.java.com/en/configure_crypto.html#enableTLSv1_2
How to change the protocol version on client side
Several options exist for changing the default client-side TLS protocol version in the JDK.
Option 1. Use the "jdk.tls.client.protocols" system property
This property was introduced to JDK 7 in 7u95 and to JDK 6 in 6u121.
To enable specific TLS protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client. For example, if the value of this property is "TLSv1.1,TLSv1.2", then the default protocol settings on the client for TLSv1.1 and TLSv1.2 are enabled on the client, while SSLv3, TLSv1, and SSLv2Hello are disabled on the client.
// Set the client default protocol versions to TLS 1.0, 1.1 and 1.2.
$ java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" myApp
// Set the client default protocol version to TLS 1.0.
$ java -Djdk.tls.client.protocols="TLSv1" myApp
Note that the standard TLS protocol version names used in the JDK are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
Option 2. Use SSLContext to set TLS version
SSLContext of "TLSv1.2" protocol supports TLS 1.2. For example:
// Get SSLContext instance for "TLSv1.2".
SSLContext context = SSLContext.getInstance("TLSv1.2");
// Create SSLEngine object that enables TLS version 1.2.
SSLEngine sslEngine = context.createSSLEngine("www.example.com", 443);
Or
// Create SSLSocket object that enables TLS version 1.2.
SSLSocketFactory socketFac = context.getSocketFactory();
SSLSocket sslSocket = (SSLSocket) socketFac.createSocket("www.example.com", 443);
An SSLContext with "TLSv1" protocol supports TLS versions up to TLS 1.0 (no TLS 1.1 and 1.2).
An SSLContext created with "TLSv1.1" supports versions up to TLS 1.1 (no TLS 1.2).
// Get SSLContext instance that supports TLS versions up to TLS 1.0.
SSLContext context = SSLContext.getInstance("TLSv1");
Option 3. Use the SSLSocket/SSLEngine.setEnabledProtocols() API
Applications can set the enabled protocols explicitly in an SSLSocket/SSLEngine object. For example:
// Enable TLS 1.0, 1.1 and 1.2 in an SSLSocket object.
sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
// Enable TLS 1.0, 1.1 and 1.2 in an SSLEngine object.
sslEngine.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
Or
// Enable TLS 1.0 only in an SSLSocket object.
sslSocket.setEnabledProtocols(new String[] {"TLSv1"});
// Enable TLS 1.0 only in an SSLEngine object.
sslEngine.setEnabledProtocols(new String[] {"TLSv1"});
Option 4. Use the SSLParameters.setProtocols() API
Applications can set the protocols in an SSLParameters object, and then apply it to a connection via the SSLSocket.setSSLParameters() and SSLEngine.setSSLParameters() methods. For example:
// Set TLS 1.0, 1.1 and 1.2 in an SSLParameters object.
sslParameters.setProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
Or
// Set TLS 1.0 only in an SSLParameters object.
sslParameters.setProtocols(new String[] {"TLSv1"});
// Apply the parameters to an SSLSocket object.
sslSocket.setSSLParameters(sslParameters);
// Apply the parameters to an SSLEngine object.
sslEngine.setSSLParameters(sslParameters);
For client applications, administrators may have to remove TLS 1.1 or TLS 1.2 from the default enabled protocol list to work around a TLS version intolerance issue on the server side.