SSLHandshakeException due to missing TLS cipher suites in Domino JVM
In my XPages application, when I try to open an HTTPS connection to another server that only allows TLSv1 and newer (no SSLv3), I get the following exception:
javax.net.ssl.SSLHandshakeException: No appropriate protocol
Setting javax.net.debug=ssl:handshake gives the following additional information:
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.hd
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.pc
IBMJSSE2 will ignore com.ibm.jsse2.overrideDefaultProtocol since was set to a non recognized value TLSv1
Installed Providers = IBMJSSE2, IBMJCE, IBMJGSSProvider, IBMCertPath, IBMSASL, IBMXMLCRYPTO, IBMXMLEnc, Policy, IBMSPNEGO
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
Ignoring disabled cipher suite: SSL_RENEGO_PROTECTION_REQUEST for TLSv1
No available cipher suite for TLSv1
Thread-8, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
Thread-8, SEND TLSv1 ALERT: fatal,
description = handshake_failure
The main problem seems to be "No available cipher suite for TLSv1".
Getting the default and supported cipher suites (getDefaultCipherSuites() / getSupportedCipherSuites()) from the SSL server socket factory (SSLServerSocketFactory.getDefault()) shows that only SSL cipher suites are available in the Domino JVM, but none for TLS.
The code I use to establish the HTTPS connection works fine in a non-Domino JVM that has TLS cipher suites.
Can anyone tell me how to make TLS cipher suites available in the Domino JVM? Or, if there is a different problem and I have misunderstood the debug output, generally help me?
Additional information:
Domino version: 9.0.1 FP7
Java runtime version: pwa6460sr16fp30-20160726_01 (SR16 FP30)
JVM version: JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr16fp30-20160725_312906 (JIT enabled, AOT enabled) J9VM - 20160725_312906 JIT - r9_20160725_121766 GC - GA24_Java6_SR16_20160725_1417_B312906
The unrestricted JCE policy files have been installed in the Domino JVM.
The problem seems to be related to . The Dropbox Java SDK, for example, uses a hard-coded list of cipher suite names, all of which start with "TLS_". In the Domino JVM, however, all cipher suite names start with "SSL_". As a result, all cipher suites are disabled in the created SSL socket because none of their names match.
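The following is an added example, not the asker's code and not the Dropbox SDK's. It shows the failure mode the question describes (a "TLS_" list matched literally against a provider that names the same suites "SSL_", leaving zero enabled suites) and one defensive way to handle it: compare suite names without the prefix, enable only the suites and versioned TLS protocols the JVM actually reports, and fail loudly before the handshake if nothing matches. The class name and the PREFERRED list are constructed for the example; it assumes the JSSE provider supports SSLSocketFactory.createSocket() with no arguments (SunJSSE does; it is assumed for IBMJSSE2 here).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical helper (not from the question or any SDK): select cipher suites by
 * their name without the SSL_/TLS_ prefix, so a list written with "TLS_" names
 * still matches a provider such as IBMJSSE2 that reports the same suites as "SSL_...".
 */
public class CipherSuiteCheck {

    // Constructed preferred list for this example; a real SDK's hard-coded list
    // will differ. All entries deliberately use the "TLS_" prefix.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    };

    /** Drop a leading "TLS_" or "SSL_" so names from different providers compare equal. */
    static String baseName(String suite) {
        if (suite.startsWith("TLS_") || suite.startsWith("SSL_")) {
            return suite.substring(4);
        }
        return suite;
    }

    /**
     * Return the supported suites (spelled as this JVM names them) whose base name
     * is in the preferred list, in preferred order. Signalling pseudo-suites such as
     * SSL_RENEGO_PROTECTION_REQUEST or *_SCSV are never chosen: they are not in PREFERRED.
     */
    static String[] selectSuites(String[] preferred, String[] supported) {
        Map<String, String> byBase = new HashMap<String, String>();
        for (String s : supported) {
            byBase.put(baseName(s), s);
        }
        List<String> chosen = new ArrayList<String>();
        for (String p : preferred) {
            String actual = byBase.get(baseName(p));
            if (actual != null && !chosen.contains(actual)) {
                chosen.add(actual);
            }
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    /** Keep only versioned TLS names (TLSv1, TLSv1.1, TLSv1.2); drops SSLv3, SSLv2Hello and aliases. */
    static String[] selectProtocols(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String p : supported) {
            if (p.startsWith("TLSv1")) {
                out.add(p);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        // What this JVM actually offers; on IBMJSSE2 expect "SSL_"-prefixed suite names.
        String[] supportedSuites = factory.getSupportedCipherSuites();
        String[] supportedProtocols = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("Supported protocols: " + Arrays.toString(supportedProtocols));
        System.out.println("Supported suites   : " + Arrays.toString(supportedSuites));

        String[] suites = selectSuites(PREFERRED, supportedSuites);
        String[] protocols = selectProtocols(supportedProtocols);
        if (suites.length == 0 || protocols.length == 0) {
            // Same condition that surfaces as "No available cipher suite for TLSv1"
            // once the handshake starts; better to fail here with a clear message.
            throw new IllegalStateException("no usable TLS protocol/cipher suite: suites="
                + Arrays.toString(suites) + " protocols=" + Arrays.toString(protocols));
        }

        // Apply before connecting. The connect call is left out so the example runs offline.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        socket.setEnabledProtocols(protocols);
        socket.setEnabledCipherSuites(suites);
        System.out.println("Enabled protocols  : " + Arrays.toString(socket.getEnabledProtocols()));
        System.out.println("Enabled suites     : " + Arrays.toString(socket.getEnabledCipherSuites()));
        // socket.connect(new java.net.InetSocketAddress("host.example", 443));
        socket.close();
    }
}
```

Run it with the same JVM Domino uses (and, if wanted, -Djavax.net.debug=ssl:handshake) to see which names the provider reports before the SDK's own filtering discards them; if selectSuites() returns an empty array the SDK's list and the provider simply have no suite in common, which is a different problem from the prefix mismatch.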