SSL handshake problem after upgrading Spring Boot and Java 17

Problem description (votes: 0, answers: 1)

After upgrading to Spring Boot 2.6 and Java 17, my Spring Boot application can no longer use the old SSL certificate. After debugging, it seems to be a problem with the TLS version or the cipher suites. I have no experience in this area. However, I tried generating a new self-signed SSL certificate, and that works fine.

Debugging with javax.net.debug gives unclear messages. Incidentally, the behaviour differs between Firefox and Chrome. This is the debug log for Firefox:

    2022-09-20 15:26:33.448 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3


2022-09-21 09:46:48.214 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)}

)

Does anyone have experience with this?

spring-boot ssl handshake
1 answer
0 votes

JDK 17 now uses TLS 1.3 as the default for secure handshakes, as described in https://blogs.oracle.com/javamagazine/post/java-jdk-17-generally-available:

The default for secure handshakes in JDK 17 is TLS 1.3.

You must check the certificate to find out whether it supports TLS 1.3. According to The Transport Layer Security (TLS) Protocol Version 1.3, TLS 1.3 does not support RSA or Diffie-Hellman cipher suites:

Static RSA and Diffie-Hellman cipher suites have been removed.

If not all of the requirements are supported, you must request a new SSL certificate from a certificate authority (CA) that meets those requirements and use it in the application.
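As an added diagnostic for the situation in the question (this is not code from the question, the answer, Spring Boot or the JDK), the following Java program loads the server keystore that `server.ssl.key-store` points at and reports the facts that decide whether the JDK will complete a handshake with it: each private-key entry's key algorithm, key size, signature algorithm and validity period, plus the protocols, TLS 1.3 cipher suites and `jdk.tls.disabledAlgorithms` / `jdk.certpath.disabledAlgorithms` values the running JVM applies. The class name, the command-line arguments and the "weak" thresholds (RSA under 2048 bits, EC under 224 bits, MD5 or SHA-1 signatures) are my assumptions; the JDK APIs and the Spring Boot property names mentioned in the comments are real.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * TlsKeystoreCheck: hypothetical diagnostic, not part of Spring Boot or the JDK.
 *
 * Usage: java TlsKeystoreCheck <keystore-path> <keystore-password> [PKCS12|JKS]
 * The arguments correspond to server.ssl.key-store, server.ssl.key-store-password
 * and server.ssl.key-store-type in application.properties.
 */
public class TlsKeystoreCheck {

    /** Findings about one certificate that would make the JDK reject or skip it. */
    static List<String> checkCertificate(X509Certificate cert) {
        List<String> findings = new ArrayList<>();
        PublicKey key = cert.getPublicKey();
        String sigAlg = cert.getSigAlgName().toUpperCase();

        // MD5 and SHA-1 signatures are disabled for TLS server certificates by
        // jdk.certpath.disabledAlgorithms in current JDKs.
        if (sigAlg.contains("MD5") || sigAlg.contains("SHA1")) {
            findings.add("weak signature algorithm " + cert.getSigAlgName());
        }
        // Key-size thresholds are an assumption (common hardening baseline);
        // JDK 17 itself refuses RSA < 1024 and EC < 224 bits.
        if (key instanceof RSAKey) {
            int bits = ((RSAKey) key).getModulus().bitLength();
            if (bits < 2048) findings.add("RSA key too small: " + bits + " bits");
        } else if (key instanceof ECKey) {
            int bits = ((ECKey) key).getParams().getCurve().getField().getFieldSize();
            if (bits < 224) findings.add("EC key too small: " + bits + " bits");
        } else {
            // TLS 1.3 has no DSA signature schemes, so a DSA certificate cannot be used with it.
            findings.add("key algorithm " + key.getAlgorithm()
                    + " is neither RSA nor EC; DSA certificates cannot be used with TLS 1.3");
        }
        // An expired or not-yet-valid certificate fails the handshake in every TLS version.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            findings.add("certificate not currently valid: " + e.getMessage());
        }
        return findings;
    }

    /** Print every private-key entry in the keystore together with its findings. */
    static void describeKeystore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // trusted-certificate entries are not served
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("entry " + alias + ": " + cert.getSubjectX500Principal()
                    + ", key=" + cert.getPublicKey().getAlgorithm()
                    + ", sig=" + cert.getSigAlgName()
                    + ", notAfter=" + cert.getNotAfter());
            List<String> findings = checkCertificate(cert);
            if (findings.isEmpty()) System.out.println("  no problems found for TLS 1.2 / TLS 1.3");
            else findings.forEach(f -> System.out.println("  PROBLEM: " + f));
        }
    }

    /** What this JVM enables by default; compare against what the browser offered. */
    static void describeJvmDefaults() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters def = ctx.getDefaultSSLParameters();
        System.out.println("enabled protocols:   " + Arrays.toString(def.getProtocols()));
        System.out.println("supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        // TLS 1.3 suites carry the TLS_AES_* / TLS_CHACHA20_* names; every other
        // enabled suite applies to TLS 1.2 or older only.
        Arrays.stream(def.getCipherSuites())
              .filter(s -> s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_"))
              .forEach(s -> System.out.println("  TLS 1.3 suite enabled: " + s));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TlsKeystoreCheck <keystore> <password> [PKCS12|JKS]");
            System.exit(2);
        }
        describeKeystore(args[0], args[1].toCharArray(), args.length > 2 ? args[2] : "PKCS12");
        describeJvmDefaults();
    }
}
```

Two points help when reading the output against the log in the question. The `Ignore unsupported cipher suite ... for TLSv1.3` lines are the JDK skipping TLS 1.2-only suites while it evaluates the TLS 1.3 offer, which is ordinary debug noise rather than the failure. The `Unrecognized SSL message, plaintext connection?` error, by contrast, means the first bytes received were not a TLS record at all, so that connection never reached certificate selection. If the program reports a PROBLEM finding, the remedy is the one the answer gives, a certificate that satisfies the current requirements, not loosening `jdk.tls.disabledAlgorithms` or `server.ssl.enabled-protocols` to re-admit what the JDK now rejects.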
