使用Java的WebSphere与SSL握手错误
问题描述:
将Java HTTP客户端代码连接到WebSphere服务器URL时遇到错误。测试引发SSL握手错误消息:使用Java的WebSphere与SSL握手错误
java -Djavax.net.ssl.keyStore=mykey.jks -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=ssl,handshake postHTTPWAS
日志文件:
..
jdk.tls.client.protocols is defined as TLSv1.2
SSLv3 protocol was requested but was not enabled
.. Extension server_name, server_name: [type=host_name (0), value=myhost.domain.com]
***
main, WRITE: TLSv1 Handshake, length = 155
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JRE的java.security设置
代码部署用Java7和Java8测试配置如下:
...
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3
jdk.certpath.disabledAlgorithms=SSLv3
com.ibm.jsse2.disableSSLv3=true
问题:
1)为什么SSL跟踪显示对SSLv3的引用?SSLv3是一种在客户端安全设置中逻辑禁用的协议?
2)什么是SSLHandshakeException的根错误?
3)是否可以启用TLSv1.2作为所有HTTPS客户端连接的默认选项,并且哪个是正确的系统属性来设置它?
答
我已经隔离了错误。
WAS应用程序服务器的新版本(完整版)期望客户端将连接到TLSv1.2。对于手动的Java JRE调用使用参数-Dhttps.protocols = TLSv1.2工作,如下图所示:
/opt/java8/ibm-java-x86_64-80/bin/javac SSLTest.java && /opt/java8/ibm-java-x86_64-80/jre/bin/java -Dhttps.protocols=TLSv1.2 SSLTest
对于Apache HTTPS客户端(> V.4.5.2),I增加了一些附加的段,以获得与TLSv1.2连接的HTTPS。现在两个连接都可以正常工作。
// for TLSv1.2 add:
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.security.KeyManagementException;
import org.apache.http.ssl.SSLContexts;
//Set the https use TLSv1.2
private static Registry<ConnectionSocketFactory> getRegistry() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslConnectionSocketFactory)
.build();
}
// for TLSv1.2 use:
PoolingHttpClientConnectionManager clientConnectionManager = new PoolingHttpClientConnectionManager(getRegistry());
clientConnectionManager.setMaxTotal(100);
clientConnectionManager.setDefaultMaxPerRoute(20);
HttpClient client = HttpClients.custom().setConnectionManager(clientConnectionManager).build();
您正在使用哪个版本的WebSphere以及服务器上启用了哪些SSL/TLS协议?您只需要服务器支持TLSv1.2以确保客户端/服务器通信始终在TLSv1.2上。 –
安装的WebSphere版本是8.5.5.10。使用IBM Java 6,7和8 JRE以及多个TLS设置对客户端进行了测试,不包括易受攻击的SSLv3。 –