问题:
当服务器不支持TLS 1.0时,具有目标的HCP JEE6应用程序失败
夏侯枫
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.sap.core.connectivity.httpdestination.client.RequestDirectorExtender.execute(RequestDirectorExtender.java:47)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper$2.execute(AbstractHttpClientWrapper.java:141)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper$2.execute(AbstractHttpClientWrapper.java:1)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.executeOperation(AbstractHttpClientWrapper.java:300)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:277)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:132)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:126)
at my.domain.hcp.HttpRequestSupport.service(HttpRequestSupport.java:124)
at my.domain.gap.proxy.ProxyServlet.service(ProxyServlet.java:36)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.core.communication.server.CertValidatorFilter.doFilter(CertValidatorFilter.java:156)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.eclipse.virgo.web.enterprise.security.valve.OpenEjbSecurityInitializationValve.invoke(OpenEjbSecurityInitializationValve.java:44)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
at com.sap.core.jpaas.security.auth.service.lib.AbstractAuthenticator.invoke(AbstractAuthenticator.java:170)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at com.sap.core.tenant.valve.TenantValidationValve.invokeNextValve(TenantValidationValve.java:168)
at com.sap.core.tenant.valve.TenantValidationValve.invoke(TenantValidationValve.java:94)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:38)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:27)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:807)
我们尝试向Java应用程序添加JVM参数,以强制它使用TLSV1.1或TLSV1.2,而不使用TLSV1.0:
-Dhttps.protocols=TLSv1.1,TLSv1.2
设置JVM参数不起任何作用,Apache HttpClient库似乎忽略了此设置。是否有其他方法强制Apache HttpClient(V4.1.3)使用更新版本的TLS?
共有1个答案
阎鸿煊
事实证明,可以扩展类org.apache.http.conn.ssl.SSLSocketFactory并将其注册到HttpClient以强制客户机使用特定协议。事实上,您可以使用相同的机制来更改密码、超时等。
添加以下附加代码以从HttpDestination创建HttpClient:
private static final String CA_CERTS_PATH = System.getProperties().getProperty("java.home") + File.separator +
"lib" + File.separator + "security" + File.separator + "cacerts";
private HttpClient createHttpClient(HttpDestination httpDestination)
throws DestinationException, KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, KeyManagementException {
HttpClient httpClient = httpDestination.createHttpClient();
try (FileInputStream fis = new FileInputStream(CA_CERTS_PATH)) {
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(fis, "changeit".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
// Instantiate the custom SSLSocketFactory
SSLSocketFactory sslSocketFactory = new CustomSSLSocketFactory(
ctx,
SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER,
new String[]{"TLSv1.1", "TLSv1.2"}
);
// Register the https scheme with the custom SSLSocketFactory
Scheme httpsScheme = new Scheme("https", 443, sslSocketFactory);
httpClient.getConnectionManager().getSchemeRegistry().register(httpsScheme);
}
return httpClient;
}
并扩展SSLSocketFactory类:
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.params.HttpParams;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
/**
* Custom SSLSocketFactory to limit connections to specific TLS protocols.
*
* @author Juan Heyns
*/
public class CustomSSLSocketFactory extends SSLSocketFactory {
private final String[] tlsProtocols;
public CustomSSLSocketFactory(SSLContext sslContext, X509HostnameVerifier hostnameVerifier, String[] tlsProtocols) {
super(sslContext, hostnameVerifier);
this.tlsProtocols = tlsProtocols;
}
@Override
public Socket connectSocket(Socket socket, InetSocketAddress remoteAddress, InetSocketAddress localAddress, HttpParams params) throws IOException {
return prepareSocket(super.connectSocket(socket, remoteAddress, localAddress, params));
}
@Override
public Socket createLayeredSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return prepareSocket(super.createLayeredSocket(socket, host, port, autoClose));
}
@Override
public Socket createSocket(HttpParams params) throws IOException {
return prepareSocket(super.createSocket(params));
}
@Override
@Deprecated
public Socket createSocket() throws IOException {
return prepareSocket(super.createSocket());
}
@Override
@Deprecated
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return prepareSocket(super.createSocket(socket, host, port, autoClose));
}
@Override
@Deprecated
public Socket connectSocket(Socket socket, String host, int port, InetAddress localAddress, int localPort, HttpParams params) throws IOException {
return prepareSocket(super.connectSocket(socket, host, port, localAddress, localPort, params));
}
/**
* Any socket returned from this class will first be configured.
*
* @param socket
* @return
*/
private Socket prepareSocket(Socket socket) {
if (socket instanceof SSLSocket) {
SSLSocket sslSocket = (SSLSocket) socket;
sslSocket.setEnabledProtocols(tlsProtocols);
}
return socket;
}
}
类似资料:
-
本文列出了Apache HTTP服务器中所有的可执行程序。 索引 httpd Apache超文本传输协议服务器 apachectl Apache HTTP服务器控制接口 ab Apache HTTP服务器性能测试工具 apxs APache功能扩展工具 configure 配置源代码树 dbmmanage 建立和更新DBM形式的基本认证文件 htcacheclean 清理磁盘缓冲区 htdiges
-
我已经在MyEclipse Tomcat服务器中部署了我的应用程序,我在本地使用JDK 1.6配置了Apache -Tomcat 7.0.8。成功启动服务器后,我尝试在地址栏中输入本地主机网址。但是我没有得到回应。我试过了 但它被称为“HTTP 400错误请求”。我重新部署了应用程序,并通过重新启动服务器重试。 启动我的服务器后,控制台有 当我在浏览器中输入url时,我在控制台中没有找到任何日志。
-
我正在使用 WebSocket 服务包将一个基于 JBOSS EAP 7.3 的企业级应用程序迁移到 IBM WebSphere 应用程序服务器 9.0.5.6 (WAS)。问题是,当我尝试连接到WebSocketendpoint时,它什么都不做。在 WebSphere 中,我相应地配置了所有虚拟主机和端口,我的 WebSocket endpoint类如下所示。 非常感谢您的任何建议。
-
我尝试过使用以下启动命令,两个命令都成功地启动了应用程序,正如_default_docker中报告的那样。但应用程序服务正在停止容器,因为端口8080的HTTP ping没有得到响应。 生态系统配置。js文件-在本地运行良好,并在端口8080上成功启动了web应用程序,我已将该文件上载到/应用程序服务中的site/wwwroot/文件夹。 *_默认的码头工人。日志 *_码头工人。日志 我曾尝试在A
-
我正在用Spring Boot(无服务器项目)构建应用程序,以部署在AWS Lambda中。我有一个使用application/x-www-form-urlencoded的方法。当我调用localhost415中的方法时,出现: 不支持内容类型'application/x-www-form-urlencoded;charset=utf-8' 我附加了方法代码和yaml配置,我认为问题是无服务器配置
-
当我想要在neo4j服务器上持久化数据时出现此错误。你觉得问题可能出在哪? 我的pom.xml如下所示 我的controller类如下所示: 我的公司节点如下 我的人节点如下 我可以成功启动spring boot应用程序和tomcat servlet服务于端口8080。 但当我在Postman上执行此操作时,我收到标题上的错误:org.neo4j.driver.exceptions.cliente