目前说如何在Open Liberty上启用TLSv1.2,它说已启用TLSV1

问题描述 投票:0回答:1

我们已经使用Open Liberty Web配置文件8构建了一个Docker映像,并且当前对salesforce API的HTTPS出站调用失败,并且从日志中似乎仅启用了TLSV1,并且从所有读取中看来,似乎需要启用了TLSV1.2 。我是Open Linberty的新手,我不知道该怎么做。在My Server.xml文件中,我具有以下条目:-

<keyStore id="defaultKeyStore" password="Liberty"/>

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

但是即使在那之后,我仍然遇到错误,并且HTTPS调用失败:-

phx.salesforceliveagent.com/136.147.100.1:443 with timeout 0
2019-04-29T23:05:08.840527853Z 2019-04-29 23:05:08.839 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled protocols: [TLSv1]
2019-04-29T23:05:08.848027084Z 2019-04-29 23:05:08.845 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled cipher suites:[SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
2019-04-29T23:05:08.852594802Z 2019-04-29 23:05:08.851 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Starting handshake
2019-04-29T23:05:08.905209219Z [err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2019-04-29T23:05:09.063121768Z [err]    at com.ibm.jsse2.k.a(k.java:42)
2019-04-29T23:05:09.067062984Z [err]    at com.ibm.jsse2.k.a(k.java:37)
2019-04-29T23:05:09.098532614Z [err]    at com.ibm.jsse2.av.b(av.java:549)
2019-04-29T23:05:09.101687527Z [err]    at com.ibm.jsse2.av.a(av.java:715)

我不确定如何解决这个handhake_failure问题?有帮助吗?

UPDATE 04/30/2019:-已解决:-开发团队在此修复了代码,以确保强制执行TSLv1.2,目前已为我们解决了该问题。感谢Alasdair提供的关于创建jvm.options文件和创建用于设置为TLSv1.2的环境变量的想法,以防将来有人遇到麻烦时可以采取措施。

UPDATE 05.01 / 2019-> IBM的Alasdir和Brian S Paskin也帮助了jvm.options文件,它看起来应该像这样:-

-Dhttps.protocols=TLSv12
-Djdk.tls.client.protocols=TLSv12
-Dhttps.protocols=TLSv12
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

如果有人要走这条路线。

ssl websphere-liberty open-liberty
1个回答
0
投票

对于任何对此问题和所包含的答案有疑问的人,答案中有一种。缺少一个点,这将禁用所有TLS通信(取决于您的JDK / JRE)。

-Dhttps.protocols=TLSv1.2
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv1.2
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.