Question:

WebSphere 9 always sends ClientHello TLSv1 for the SSL handshake. How do I force TLSv1.2?

咸高谊
2023-03-14

When I run Test Connection on the data source, I get an SSL handshake exception. The SSL trace shows that my WebSphere is sending ClientHello, TLSv1, while all connections to PostgreSQL are TLS1.2-enabled.

I made the following configuration changes in WebSphere to force TLSv1.2 communication, but it always initiates a TLSv1 call:

  • In SSL settings, under Quality of Protection (QoP) settings, selected TLSv1.2 as the protocol. Previously SSL_TLSv2 was selected.

  • Added the JVM arguments -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 to the server.

  • On the server, updated the ssl.client.props property file with com.ibm.ssl.protocol=TLSv1.2.

  • Restarted the server, but no luck.

    I have attached the SSL trace here. Can you help me?

    [3/9/19 20:10:27:031 UTC] 00000087 SystemOut     O WebContainer : 2, READ: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:031 UTC] 00000087 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:032 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:032 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, RECV TLSv1.2 ALERT:  warning, close_notify
    [3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, closeInboundInternal()
    [3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, closeOutboundInternal()
    [3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, SEND TLSv1.2 ALERT:  warning, description = close_notify
    [3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
    [3/9/19 20:10:27:033 UTC] 00000087 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
    [3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
    [3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
    [3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:033 UTC] 00000087 SystemOut     O WebContainer : 2, WRITE: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:034 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:038 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:038 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
    [3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
    [3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
    [3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
    [3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:040 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:041 UTC] 00000086 SystemOut     O WebContainer : 1, READ: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:041 UTC] 00000086 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:042 UTC] 00000086 SystemOut     O WebContainer : 1, RECV TLSv1.2 ALERT:  warning, close_notify
    [3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, closeInboundInternal()
    [3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, closeOutboundInternal()
    [3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, SEND TLSv1.2 ALERT:  warning, description = close_notify
    [3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:044 UTC] 00000086 SystemOut     O WebContainer : 1, WRITE: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:048 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:27:049 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:049 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
    [3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
    [3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
    [3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
    [3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    [3/9/19 20:10:27:051 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
    [3/9/19 20:10:28:893 UTC] 00000090 SystemOut     O X509KeyManager passed to SSLContext.init():  need an X509ExtendedKeyManager for SSLEngine use
    [3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O SSLContextImpl:  Using X509KeyManager com.ibm.jsse2.ax
    [3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O SSLContextImpl:  Using X509TrustManager org.postgresql.ssl.NonValidatingFactory$NonValidatingTM
    [3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O JsseJCE:  Using SecureRandom SHA2DRBG from provider IBMJCE version 1.8
    [3/9/19 20:10:28:898 UTC] 00000090 SystemOut     O trigger seeding of SecureRandom
    [3/9/19 20:10:28:942 UTC] 00000090 SystemOut     O done seeding SecureRandom
    [3/9/19 20:10:28:946 UTC] 00000090 SystemOut     O 
    Is initial handshake: true
    [3/9/19 20:10:28:947 UTC] 00000090 SystemOut     O 
    Is initial handshake: true
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
    [3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O %% No cached client session
    [3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O ALPNJSSEExt not initialzed for Client
    [3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O *** ClientHello, TLSv1
    [3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O RandomCookie:  GMT: 1535384756 bytes = { 247, 108, 226, 59, 54, 187, 101, 14, 95, 251, 73, 147, 217, 248, 218, 111, 67, 202, 92, 205, 47, 42, 141, 87, 25, 87, 2, 68 }
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Session ID:  {}
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Compression Methods:  { 0 }
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension ec_point_formats, formats: [uncompressed]
    [3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension extended_master_secret
    [3/9/19 20:10:28:953 UTC] 00000090 SystemOut     O Extension server_name, server_name: [type=host_name (0), value=5a3ec84c-0eb5-49ba-899d-91a9339f02a9.d7deeff0d58745aba57fa5c84685d5b4.databases.appdomain.cloud]
    [3/9/19 20:10:28:953 UTC] 00000090 SystemOut     O ***
    [3/9/19 20:10:28:954 UTC] 00000090 SystemOut     O [write] MD5 and SHA1 hashes:  len = 217
    [3/9/19 20:10:28:954 UTC] 00000090 SystemOut     O 0000: 01 00 00 d5 03 01 5c 84  1d b4 f7 6c e2 3b 36 bb  ...........l..6.
    0010: 65 0e 5f fb 49 93 d9 f8  da 6f 43 ca 5c cd 2f 2a  e...I....oC.....
    0020: 8d 57 19 57 02 44 00 00  2c 00 ff c0 0a c0 14 00  .W.W.D..........
    0030: 35 c0 05 c0 0f 00 39 00  38 c0 09 c0 13 00 2f c0  5.....9.8.......
    0040: 04 c0 0e 00 33 00 32 c0  08 c0 12 00 0a c0 03 c0  ....3.2.........
    0050: 0d 00 16 00 13 01 00 00  80 00 0a 00 0a 00 08 00  ................
    0060: 17 00 18 00 19 00 16 00  0b 00 02 01 00 00 17 00  ................
    0070: 00 00 00 00 64 00 62 00  00 5f 35 61 33 65 63 38  ....d.b...5a3ec8
    0080: 34 63 2d 30 65 62 35 2d  34 39 62 61 2d 38 39 39  4c.0eb5.49ba.899
    0090: 64 2d 39 31 61 39 33 33  39 66 30 32 61 39 2e 64  d.91a9339f02a9.d
    00a0: 37 64 65 65 66 66 30 64  35 38 37 34 35 61 62 61  7deeff0d58745aba
    00b0: 35 37 66 61 35 63 38 34  36 38 35 64 35 62 34 2e  57fa5c84685d5b4.
    00c0: 64 61 74 61 62 61 73 65  73 2e 61 70 70 64 6f 6d  databases.appdom
    00d0: 61 69 6e 2e 63 6c 6f 75  64                       ain.cloud
    
    [3/9/19 20:10:28:955 UTC] 00000090 SystemOut     O WebContainer : 5, WRITE: TLSv1 Handshake, length = 217
    [3/9/19 20:10:29:485 UTC] 00000090 SystemOut     O WebContainer : 5, READ: TLSv1 Alert, length = 2
    [3/9/19 20:10:29:485 UTC] 00000090 SystemOut     O WebContainer : 5, RECV TLSv1.2 ALERT:  fatal, handshake_failure
    [3/9/19 20:10:29:486 UTC] 00000090 SystemOut     O WebContainer : 5, called closeSocket()
    [3/9/19 20:10:29:486 UTC] 00000090 SystemOut     O WebContainer : 5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    [3/9/19 20:10:29:594 UTC] 00000090 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.512728361473924885244.txt com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection 568
    [3/9/19 20:10:29:722 UTC] 00000090 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.7052740090681335855170.txt com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionToDataSource 1486
    [3/9/19 20:10:29:727 UTC] 00000090 DSConfigurati W   DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/SelfService.  Encountered java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0.
    java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0
        at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
        at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
        at org.postgresql.Driver.makeConnection(Driver.java:454)
        at org.postgresql.Driver.connect(Driver.java:256)
        at java.sql.DriverManager.getConnection(DriverManager.java:675)
        at java.sql.DriverManager.getConnection(DriverManager.java:258)
        at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:94)
        at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:79)
    
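    The trace above prints the ClientHello both decoded ("*** ClientHello, TLSv1") and as a raw hex dump. The following Python decoder is an added example, not code from the question, from IBM or from the PostgreSQL driver: it parses that hex dump (copied from the trace) as an RFC 5246 ClientHello and reports what the client is really offering. The version names, extension types and cipher-suite names are taken from the IANA TLS registries; the function names (`hexdump_to_bytes`, `parse_client_hello`, `offers_tls12`, `decode_trace`) are ours. It goes slightly beyond the page's case in that it also reads the TLS 1.3 `supported_versions` extension, so it classifies newer ClientHellos correctly too.

```python
"""Decode the ClientHello in a JSSE debug hex dump and report which TLS versions it offers.
Added example, not code from the question, IBM or PostgreSQL: TRACE_HEXDUMP is the
"[write] MD5 and SHA1 hashes" block copied from the question's trace (JSSE dumps the
handshake message only, without the 5-byte record header); names are from the IANA TLS
registries and the helper names are ours."""
import re

TRACE_HEXDUMP = """
0000: 01 00 00 d5 03 01 5c 84  1d b4 f7 6c e2 3b 36 bb  ...........l..6.
0010: 65 0e 5f fb 49 93 d9 f8  da 6f 43 ca 5c cd 2f 2a  e...I....oC.....
0020: 8d 57 19 57 02 44 00 00  2c 00 ff c0 0a c0 14 00  .W.W.D..........
0030: 35 c0 05 c0 0f 00 39 00  38 c0 09 c0 13 00 2f c0  5.....9.8.......
0040: 04 c0 0e 00 33 00 32 c0  08 c0 12 00 0a c0 03 c0  ....3.2.........
0050: 0d 00 16 00 13 01 00 00  80 00 0a 00 0a 00 08 00  ................
0060: 17 00 18 00 19 00 16 00  0b 00 02 01 00 00 17 00  ................
0070: 00 00 00 00 64 00 62 00  00 5f 35 61 33 65 63 38  ....d.b...5a3ec8
0080: 34 63 2d 30 65 62 35 2d  34 39 62 61 2d 38 39 39  4c.0eb5.49ba.899
0090: 64 2d 39 31 61 39 33 33  39 66 30 32 61 39 2e 64  d.91a9339f02a9.d
00a0: 37 64 65 65 66 66 30 64  35 38 37 34 35 61 62 61  7deeff0d58745aba
00b0: 35 37 66 61 35 63 38 34  36 38 35 64 35 62 34 2e  57fa5c84685d5b4.
00c0: 64 61 74 61 62 61 73 65  73 2e 61 70 70 64 6f 6d  databases.appdom
00d0: 61 69 6e 2e 63 6c 6f 75  64                       ain.cloud
"""

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms", 23: "extended_master_secret",
                   43: "supported_versions", 65281: "renegotiation_info"}
SUITE_NAMES = {  # IANA names; the IBM trace prints the same suites with an SSL_ prefix
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def hexdump_to_bytes(dump):
    """Collect the hex column of JSSE dump lines ("OFFS: xx .. xx  xx .. xx  ascii")."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"^[0-9a-fA-F]{4}:\s(.*)$", line.strip())
        if m:  # 16 bytes in two groups of 8 occupy exactly 48 characters; slicing there
            # keeps the trailing ASCII column from being misread as hex
            pairs = re.findall(r"\b[0-9a-fA-F]{2}\b", m.group(1)[:48])
            out.extend(bytes.fromhex("".join(pairs)))
    return bytes(out)

def _u16(b, pos):
    return int.from_bytes(b[pos:pos + 2], "big")

def parse_client_hello(msg):
    """Parse a ClientHello handshake message (RFC 5246 7.4.1.2, RFC 8446 4.1.2)."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    legacy = (body[0], body[1])                         # client_version
    gmt_unix_time = int.from_bytes(body[2:6], "big")    # first 4 bytes of Random
    pos = 2 + 32
    pos += 1 + body[pos]                                # session_id
    cs_len = _u16(body, pos)
    suites = [_u16(body, i) for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                                # compression_methods
    exts = {}
    if pos < len(body):                                 # extensions block is optional
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    sni = None
    if 0 in exts and exts[0][2] == 0:                   # NameType host_name
        sni = exts[0][5:5 + _u16(exts[0], 3)].decode("ascii")
    if 43 in exts:                                      # TLS 1.3 clients list versions here
        sv = exts[43]
        offered = [VERSION_NAMES.get((sv[i], sv[i + 1]), "0x%02x%02x" % (sv[i], sv[i + 1]))
                   for i in range(1, 1 + sv[0], 2)]
    else:                                               # otherwise client_version is the maximum
        offered = [VERSION_NAMES.get(legacy, "0x%02x%02x" % legacy)]
    return {"legacy_version": VERSION_NAMES.get(legacy, "0x%02x%02x" % legacy),
            "gmt_unix_time": gmt_unix_time,
            "cipher_suites": [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites],
            "extensions": [EXTENSION_NAMES.get(t, "0x%04x" % t) for t in exts],
            "sni": sni, "offered_versions": offered}

def offers_tls12(hello):
    """True if a server that insists on TLS 1.2 or newer could accept this ClientHello."""
    return any(v in ("TLSv1.2", "TLSv1.3") for v in hello["offered_versions"])

def decode_trace(dump=TRACE_HEXDUMP):
    return parse_client_hello(hexdump_to_bytes(dump))

if __name__ == "__main__":
    hello = decode_trace()
    print(hello, "\nacceptable to a TLS1.2-only server:", offers_tls12(hello))
```

    Run as a script it shows what the trace already hints at: bytes 5 and 6 of the message are 03 01, so client_version is TLS 1.0, there is no signature_algorithms (0x000d) and no supported_versions (0x002b) extension, and every one of the 22 suites is a TLS 1.0-era CBC or 3DES suite (the SHA256/GCM suites were dropped as "unsupported" just before the hello was written). A PostgreSQL server that only accepts TLS 1.2 therefore has nothing to negotiate and answers with the fatal handshake_failure alert seen a few lines later, which is why the fix has to change the protocol the IBM JSSE client offers rather than the server side. One further thing the trace records that is worth fixing at the same time: the trust manager is org.postgresql.ssl.NonValidatingFactory$NonValidatingTM, the pgjdbc factory that accepts any server certificate, so once the handshake succeeds the connection is still not verifying the database's identity.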
  • 2 answers in total

    盖成弘
    2023-03-14

    I struggled for 10 days... and finally solved the problem by setting the parameter below.

    I had already enabled TLSv1.2 at the environment (QoP) level, but I still ran into the problem above, so I then added the custom property below.

    The following property forces the IBM JDK to use TLSv1.2.

    Server

    com.ibm.jsse2.overrideDefaultTLS=true

    晁璞
    2023-03-14

    I struggled with this for 2 days, calling a REST service through an HTTP client. In the end I added the following 2 settings:

    • SSL settings, Quality of Protection (QoP) settings, select TLSv1.2 as the protocol. Previously SSL_TLSv2 was selected.
    • Server

    Found the discussion here https://issues.apache.org/jira/browse/HTTPCLIENT-1784 . I tried option 2 on its own, with SSL_TLSv2 set as before, and that seemed to work as well.
