Differences
This shows the differences between two versions.
java:sonarlint:fixvulnerability:s4423 [2023/06/25 09:48] (current version)
{{tag>SonarLint}}
====== SonarLint | Weak SSL/TLS protocols should not be used (java:S4423) ======
===== Problem =====
This issue is raised when SSLContext.getInstance is called with a weak protocol name. In our case the literal was "SSL", which names the obsolete SSLv3 family:
<code java>
// "SSL" requests a context named after the obsolete SSLv3 family; SonarLint flags the literal
final SSLContext sc = SSLContext.getInstance("SSL");
// trustAllCerts: a TrustManager[] defined elsewhere in this code base
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
</code>
===== How to fix? =====
The same finding falls under the find-sec-bugs SSL_CONTEXT pattern ("SSLContext needs to be compatible with TLS 1.2"). SonarLint suggests passing "TLSv1.2", while SpotBugs suggests "TLS". We chose "TLS": the JDK resolves it to its own current default instead of pinning a version string that will age, and on JDK 8 the negotiated version is TLSv1.2 (TLSv1.3 from 8u261). Two caveats a reviewer should keep in mind: the name passed to getInstance only selects the context; which versions a socket will actually accept is decided by its enabled-protocol list (jdk.tls.disabledAlgorithms in java.security, or setEnabledProtocols on the socket), so neither "TLS" nor "TLSv1.2" by itself forbids TLSv1.0/1.1 on an older JDK 8 release. And the trustAllCerts trust manager carried over from the original code still disables server certificate validation; that is a separate weakness that this change does not address.
<code java>
// "TLS" lets the JDK negotiate its current default version (TLSv1.2 on JDK 8)
final SSLContext sc = SSLContext.getInstance("TLS");
// trustAllCerts is unchanged here and still accepts any certificate; fix that separately
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
</code>
----