我们已经使用Open Liberty Web配置文件8构建了一个Docker映像,并且当前对salesforce API的HTTPS出站调用失败,并且从日志中似乎仅启用了TLSV1,并且从所有读取中看来,似乎需要启用了TLSV1.2 。我是Open Linberty的新手,我不知道该怎么做。在My Server.xml文件中,我具有以下条目:-
<keyStore id="defaultKeyStore" password="Liberty"/>
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>
但是即使在那之后,我仍然遇到错误,并且HTTPS调用失败:-
phx.salesforceliveagent.com/136.147.100.1:443 with timeout 0
2019-04-29T23:05:08.840527853Z 2019-04-29 23:05:08.839 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled protocols: [TLSv1]
2019-04-29T23:05:08.848027084Z 2019-04-29 23:05:08.845 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled cipher suites:[SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
2019-04-29T23:05:08.852594802Z 2019-04-29 23:05:08.851 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory : Starting handshake
2019-04-29T23:05:08.905209219Z [err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2019-04-29T23:05:09.063121768Z [err] at com.ibm.jsse2.k.a(k.java:42)
2019-04-29T23:05:09.067062984Z [err] at com.ibm.jsse2.k.a(k.java:37)
2019-04-29T23:05:09.098532614Z [err] at com.ibm.jsse2.av.b(av.java:549)
2019-04-29T23:05:09.101687527Z [err] at com.ibm.jsse2.av.a(av.java:715)
我不确定如何解决这个handhake_failure问题?有帮助吗?
UPDATE 04/30/2019:-已解决:-开发团队在此修复了代码,以确保强制执行TSLv1.2,目前已为我们解决了该问题。感谢Alasdair提供的关于创建jvm.options文件和创建用于设置为TLSv1.2的环境变量的想法,以防将来有人遇到麻烦时可以采取措施。
UPDATE 05.01 / 2019-> IBM的Alasdir和Brian S Paskin也帮助了jvm.options文件,它看起来应该像这样:-
-Dhttps.protocols=TLSv12
-Djdk.tls.client.protocols=TLSv12
-Dhttps.protocols=TLSv12
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12
如果有人要走这条路线。
对于任何对此问题和所包含的答案有疑问的人,答案中有一种。缺少一个点,这将禁用所有TLS通信(取决于您的JDK / JRE)。
-Dhttps.protocols=TLSv1.2
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv1.2