差異處
這裏顯示兩個版本的差異處。
| — |
java:sonarlint:fixvulnerability:s4423 [2023/06/25 09:48] (目前版本) |
||
|---|---|---|---|
| 行 1: | 行 1: | ||
| + | {{tag>SonarLint}} | ||
| + | ====== SonarLint | Weak SSL/TLS protocols should not be used (java:S4423) ====== | ||
| + | ===== Problem ===== | ||
| + | 這個問題會發生在使用SSLContext.getInstance傳入一個安全性較弱的protocol種類,以我們的案例來說,我們使用了SSL: | ||
| + | <code java> | ||
| + | final SSLContext sc = SSLContext.getInstance("SSL"); | ||
| + | sc.init(null, trustAllCerts, new java.security.SecureRandom()); | ||
| + | HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); | ||
| + | </code> | ||
| + | ===== How to fix? ===== | ||
| + | 這個問題也屬於find-sec-bug中的SSL_CONTEXT pattern的SSLContext needs to be compatible with TLS 1.2。在SonarLint中,建議將Protocol設定為TLSv1.2,而spotBugs建議為TLS;由於JDK會自己對應TLS的預設值,所以我們選擇設定TLS,在JDK8中預設值為TLSv1.2: | ||
| + | <code java> | ||
| + | final SSLContext sc = SSLContext.getInstance("TLS"); | ||
| + | sc.init(null, trustAllCerts, new java.security.SecureRandom()); | ||
| + | HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); | ||
| + | </code> | ||
| + | ===== ===== | ||
| + | ---- | ||
| + | \\ | ||
| + | ~~DISQUS~~ | ||
