目前说如何在Open Liberty上启用TLSv1.2启用了TLSV1

时间:2019-04-29 23:14:11

标签: ssl websphere-liberty open-liberty

我们已经使用Open Liberty Web配置文件8构建了一个Docker映像,并且当前对salesforce API的HTTPS出站调用失败,并且从日志中似乎仅启用了TLSV1,并且从所有阅读中来看,似乎需要使用TLSV1.2已启用。我是Open Linberty的新手,我不知道该怎么做。在My Server.xml文件中,我具有以下条目:-

<keyStore id="defaultKeyStore" password="Liberty"/>

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

但是即使在那之后,我仍然遇到错误,并且HTTPS调用失败:-

phx.salesforceliveagent.com/136.147.100.1:443 with timeout 0
2019-04-29T23:05:08.840527853Z 2019-04-29 23:05:08.839 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled protocols: [TLSv1]
2019-04-29T23:05:08.848027084Z 2019-04-29 23:05:08.845 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Enabled cipher suites:[SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
2019-04-29T23:05:08.852594802Z 2019-04-29 23:05:08.851 DEBUG 1 --- [cutor-thread-16] o.a.h.c.ssl.SSLConnectionSocketFactory   : Starting handshake
2019-04-29T23:05:08.905209219Z [err] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2019-04-29T23:05:09.063121768Z [err]    at com.ibm.jsse2.k.a(k.java:42)
2019-04-29T23:05:09.067062984Z [err]    at com.ibm.jsse2.k.a(k.java:37)
2019-04-29T23:05:09.098532614Z [err]    at com.ibm.jsse2.av.b(av.java:549)
2019-04-29T23:05:09.101687527Z [err]    at com.ibm.jsse2.av.a(av.java:715)

我不确定如何解决handhake_failure问题?有帮助吗?

更新04/30/2019:-已解决:-开发团队在此修复了代码,以确保强制执行TSLv1.2,目前已为我们解决了该问题。感谢Alasdair提供的关于创建jvm.options文件和创建用于设置为TLSv1.2的环境变量的想法,以防万一将来有人遇到麻烦时可以这么做。

UPDATE 05.01 / 2019-> IBM的Alasdir和Brian S Paskin也帮助了我使用jvm.options文件,它看起来应该像这样:-

-Dhttps.protocols=TLSv12
-Djdk.tls.client.protocols=TLSv12
-Dhttps.protocols=TLSv12
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

万一有人想走这条路。

1 个答案:

答案 0 :(得分:0)

对于绊倒这个问题及其答案的任何人, 答案中有一种。缺少一个点,这将禁用所有TLS通信(取决于您的JDK / JRE)。

func customTextField (xco: CGFloat, yco: CGFloat, widthLength: CGFloat, heightLength: CGFloat, printSize: CGFloat) {

    let passWordTextField =  UITextField(frame: CGRect(x: xco, y: yco, width: widthLength, height: heightLength ))
    let fontSize = CGFloat (printSize)
    passWordTextField.placeholder = "Enter text here" //set placeholder text
    passWordTextField.font = UIFont.systemFont(ofSize: fontSize) // set font size of text field

    //passWordTextField.borderStyle = UITextField.BorderStyle.init(rawValue: 30)!
    passWordTextField.layer.cornerRadius = 30.0
   // passWordTextField.borderStyle = UITextField.BorderStyle.roundedRect
    passWordTextField.autocorrectionType = UITextAutocorrectionType.no
    passWordTextField.keyboardType = UIKeyboardType.default
    passWordTextField.returnKeyType = UIReturnKeyType.done
    passWordTextField.clearButtonMode = UITextField.ViewMode.whileEditing
    passWordTextField.contentVerticalAlignment = UIControl.ContentVerticalAlignment.center
    passWordTextField.delegate = self as? UITextFieldDelegate
    self.view.addSubview(passWordTextField)

如果您不想为旧版服务器禁用TLSv1.1,则可以使用以下方法:

-Dhttps.protocols=TLSv1.2
-Djdk.tls.client.protocols=TLSv1.2
-Dhttps.protocols=TLSv1.2
-Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv1.2

最后一个设置在IBM J9 VM和Eclipse OpenJ9 VM上尤其重要。您可以从appendopenjdk.net获得这些文件(以防万一)。

相关问题
最新问题