Websphere 9 总是为 SSL 握手发送 ClientHello TLSv1。我如何强制使用 TLSv1.2
Posted
技术标签:
【中文标题】Websphere 9 总是为 SSL 握手发送 ClientHello TLSv1。我如何强制使用 TLSv1.2【英文标题】:Websphere 9 always sending ClientHello TLSv1 for SSL handshake. How i can force to TLSv1.2 【发布时间】:2019-07-31 17:19:28 【问题描述】:我正在使用 websphere 传统 9.0.0.9 并尝试创建数据源以连接在 IBM 云上运行的 postgresql。当我在数据源之后尝试测试连接时,我收到 SSL 握手异常。 SSL 跟踪显示,我的 websphere 正在发送 ClientHello, TLSv1,因为所有到 postgresql 的连接都启用了 TLS1.2。
我在我的 websphere 中进行了以下配置以强制 TLSv1.2 通信。但它总是启动 TLSv1 调用。
在 SSL 设置的保护质量 (QoP) 设置中,选择 TLSv1.2 作为协议。之前选择了 SSL_TLSv2
在服务器 JVM 参数中添加了 -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2
在服务器中,ssl.client.props 属性文件已更新 com.ibm.ssl.protocol=TLSv1.2
重新启动服务器但没有运气。
我已在此处附加 SSL 跟踪。你能帮我解决这个问题吗?
[3/9/19 20:10:27:031 UTC] 00000087 SystemOut O WebContainer : 2, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:031 UTC] 00000087 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, closeInboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, closeOutboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut O WebContainer : 2, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut O WebContainer : 2, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:034 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:040 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut O WebContainer : 1, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:042 UTC] 00000086 SystemOut O WebContainer : 1, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, closeInboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, closeOutboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O WebContainer : 1, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:044 UTC] 00000086 SystemOut O WebContainer : 1, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:048 UTC] 00000091 SystemOut O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut O WebContainer : 6, RECV TLSv1.2 ALERT: warning, close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O WebContainer : 6, SEND TLSv1.2 ALERT: warning, description = close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut O CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:051 UTC] 00000091 SystemOut O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:28:893 UTC] 00000090 SystemOut O X509KeyManager passed to SSLContext.init(): need an X509ExtendedKeyManager for SSLEngine use
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O SSLContextImpl: Using X509KeyManager com.ibm.jsse2.ax
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O SSLContextImpl: Using X509TrustManager org.postgresql.ssl.NonValidatingFactory$NonValidatingTM
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut O JsseJCE: Using SecureRandom SHA2DRBG from provider IBMJCE version 1.8
[3/9/19 20:10:28:898 UTC] 00000090 SystemOut O trigger seeding of SecureRandom
[3/9/19 20:10:28:942 UTC] 00000090 SystemOut O done seeding SecureRandom
[3/9/19 20:10:28:946 UTC] 00000090 SystemOut O
Is initial handshake: true
[3/9/19 20:10:28:947 UTC] 00000090 SystemOut O
Is initial handshake: true
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut O %% No cached client session
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O ALPNJSSEExt not initialzed for Client
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O *** ClientHello, TLSv1
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut O RandomCookie: GMT: 1535384756 bytes = 247, 108, 226, 59, 54, 187, 101, 14, 95, 251, 73, 147, 217, 248, 218, 111, 67, 202, 92, 205, 47, 42, 141, 87, 25, 87, 2, 68
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Session ID:
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Compression Methods: 0
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension elliptic_curves, curve names: secp256r1, secp384r1, secp521r1, secp256k1
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension ec_point_formats, formats: [uncompressed]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut O Extension extended_master_secret
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut O Extension server_name, server_name: [type=host_name (0), value=5a3ec84c-0eb5-49ba-899d-91a9339f02a9.d7deeff0d58745aba57fa5c84685d5b4.databases.appdomain.cloud]
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut O ***
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut O [write] MD5 and SHA1 hashes: len = 217
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut O 0000: 01 00 00 d5 03 01 5c 84 1d b4 f7 6c e2 3b 36 bb ...........l..6.
0010: 65 0e 5f fb 49 93 d9 f8 da 6f 43 ca 5c cd 2f 2a e...I....oC.....
0020: 8d 57 19 57 02 44 00 00 2c 00 ff c0 0a c0 14 00 .W.W.D..........
0030: 35 c0 05 c0 0f 00 39 00 38 c0 09 c0 13 00 2f c0 5.....9.8.......
0040: 04 c0 0e 00 33 00 32 c0 08 c0 12 00 0a c0 03 c0 ....3.2.........
0050: 0d 00 16 00 13 01 00 00 80 00 0a 00 0a 00 08 00 ................
0060: 17 00 18 00 19 00 16 00 0b 00 02 01 00 00 17 00 ................
0070: 00 00 00 00 64 00 62 00 00 5f 35 61 33 65 63 38 ....d.b...5a3ec8
0080: 34 63 2d 30 65 62 35 2d 34 39 62 61 2d 38 39 39 4c.0eb5.49ba.899
0090: 64 2d 39 31 61 39 33 33 39 66 30 32 61 39 2e 64 d.91a9339f02a9.d
00a0: 37 64 65 65 66 66 30 64 35 38 37 34 35 61 62 61 7deeff0d58745aba
00b0: 35 37 66 61 35 63 38 34 36 38 35 64 35 62 34 2e 57fa5c84685d5b4.
00c0: 64 61 74 61 62 61 73 65 73 2e 61 70 70 64 6f 6d databases.appdom
00d0: 61 69 6e 2e 63 6c 6f 75 64 ain.cloud
[3/9/19 20:10:28:955 UTC] 00000090 SystemOut O WebContainer : 5, WRITE: TLSv1 Handshake, length = 217
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut O WebContainer : 5, READ: TLSv1 Alert, length = 2
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut O WebContainer : 5, RECV TLSv1.2 ALERT: fatal, handshake_failure
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut O WebContainer : 5, called closeSocket()
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut O WebContainer : 5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[3/9/19 20:10:29:594 UTC] 00000090 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.512728361473924885244.txt com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection 568
[3/9/19 20:10:29:722 UTC] 00000090 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.7052740090681335855170.txt com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionToDataSource 1486
[3/9/19 20:10:29:727 UTC] 00000090 DSConfigurati W DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/SelfService. Encountered java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0.
java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:675)
at java.sql.DriverManager.getConnection(DriverManager.java:258)
at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:94)
at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:79)
【问题讨论】:
更新:根据本文档,我在我的 websphere 中启用了 TLSv1.2。 link 现在我得到不同的错误Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode 我相信它与 postgresql 驱动程序有关 Something unusual has occurred to cause the driver to fail. Please report this exception. DSRA0010E: SQL State = 99999, Error Code = 0 at org.postgresql.Driver.connect(Driver.java:277)
已解决:启用 TLSv1.2 后使用 postgresql 9.4-1206-jdbc42 版本解决了问题
您好,建议将您的解决方案复制到答案中(即使是您自己的问题)
【参考方案1】:
我为此苦苦挣扎了 2 天,通过 HTTP 客户端调用了一个休息服务。 最终添加了以下 2 个设置:
SSL 设置,保护质量 (QoP) 设置,选择 TLSv1.2 作为协议。之前选择了 SSL_TLSv2 服务器 > 应用程序服务器 > 服务器名称 > 进程定义 > Java 虚拟机 > 定制属性 > com.ibm.jsse2.overrideDefaultTLS=true在这里找到讨论https://issues.apache.org/jira/browse/HTTPCLIENT-1784 我尝试单独使用选项 2,并将 SSL_TLSv2 设置为之前的设置,它似乎也可以工作。
【讨论】:
【参考方案2】:过去 10 天我一直在苦苦挣扎……终于通过设置以下参数解决了问题。
但是,我已经在环境(qop)级别启用了 TLSv1.2,但我遇到了上述问题,然后我在自定义属性下方添加了。
以下属性强制 IBM JDK 使用 TLSv1.2。
服务器 > 应用程序服务器 > 服务器名称 > 进程定义 > Java 虚拟机 > 自定义属性 >
com.ibm.jsse2.overrideDefaultTLS=true
【讨论】:
以上是关于Websphere 9 总是为 SSL 握手发送 ClientHello TLSv1。我如何强制使用 TLSv1.2的主要内容,如果未能解决你的问题,请参考以下文章