Java: Application uses TLSv1 even though the protocol is configured as SSL_TLSv2 (tags: java, ssl, websphere, protocols, tls1.2)


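Hello,

In the UAT environment, in the WAS console settings, I configured the protocol as SSL_TLSv2.

SSL_TLSv2 supports all of the SSL v3.0 and TLS v1.0, v1.1 and v1.2 protocols. It accepts an SSLv3 or TLSv1 hello encapsulated in an SSLv2-format hello. The third party I am calling uses TLSv1.1 and above.

However, I do not know why my application keeps using TLSv1 to call this third party. In my local environment, though, my application uses TLS1.2.

The log is very long, so I have copied only part of it here: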

[5/31/17 11:01:30:295 ICT] 000000ca SystemOut     O Using SSLEngineImpl.
[5/31/17 11:01:30:295 ICT] 000000ca SystemOut     O 
Is initial handshake: true
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O WebContainer : 8, READ: TLSv1 Handshake, length = 206
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O *** ClientHello, TLSv1.2
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O RandomCookie:  GMT: 831831437 bytes = { 93, 8, 167, 93, 70, 165, 107, 130, 22, 192, 168, 237, 31, 40, 47, 53, 32, 239, 89, 60, 125, 9, 14, 94, 61, 235, 71, 41 }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Session ID:  {89, 46, 54, 117, 144, 143, 67, 159, 175, 15, 159, 221, 239, 101, 197, 29, 5, 194, 1, 42, 237, 228, 5, 25, 227, 117, 0, 64, 30, 148, 37, 23}
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Cipher Suites: [Unknown 0x3a:0x3a, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Compression Methods:  { 0 }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_47802, data: 
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_23, data: 
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_35, data: 
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension status_request, data: 01:00:00:00:00
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_18, data: 
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_30032, data: 
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Extension ec_point_formats, formats: [uncompressed]
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, secp256r1, secp384r1}
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O Unsupported extension type_35466, data: 00
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O ***
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut     O [read] MD5 and SHA1 hashes:  len = 206

But locally, it is smart enough to know to use TLSv1.2.

Please advise how to make the application use TLSv1.2.

The error log is as follows:

2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Sending request: CONNECT api3.infobip.com:443 HTTP/1.1
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "CONNECT api3.infobip.com:443 HTTP/1.1[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "Host: api3.infobip.com[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "Proxy-Connection: Keep-Alive[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "User-Agent: Apache-HttpClient/4.0.1 (java 1.5)[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> CONNECT api3.infobip.com:443 HTTP/1.1
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> Host: api3.infobip.com
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> Proxy-Connection: Keep-Alive
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> User-Agent: Apache-HttpClient/4.0.1 (java 1.5)
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "HTTP/1.0 200 Connection Established[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "Proxy-agent: IBM_HTTP_Server[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Receiving response: HTTP/1.0 200 Connection Established
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - << HTTP/1.0 200 Connection Established
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - << Proxy-agent: IBM_HTTP_Server
2017-05-31 11:01:30.779 [WebContainer : 8] DEBUG o.a.h.impl.client.DefaultHttpClient - [5001032maker] - Tunnel to target created.
2017-05-31 11:01:31.134 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Connection shut down
2017-05-31 11:01:31.134 [WebContainer : 8] DEBUG o.a.h.i.conn.SingleClientConnManager - [5001032maker] - Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@33b3d257
2017-05-31 11:01:31.144 [WebContainer : 8] ERROR o.a.c.processor.DeadLetterChannel - [5001032maker] - Failed delivery for exchangeId: ID-uatgibapp01.hlbho.hlbank.my/56300-1496200314511/0-9. On delivery attempt: 0 caught: retrofit.RetrofitError: peer not authenticated
retrofit.RetrofitError: peer not authenticated
    at retrofit.RetrofitError.networkError(RetrofitError.java:27) ~[retrofit-1.9.0.jar:na]
    at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:395) ~[retrofit-1.9.0.jar:na]
    at retrofit.RestAdapter$RestHandler.invoke(RestAdapter.java:240) ~[retrofit-1.9.0.jar:na]
    at infobip.api.client.$Proxy328.execute(Unknown Source) ~[na:na]
    at infobip.api.client.SendSingleTextualSms.execute(SendSingleTextualSms.java:49) ~[infobip-api-java-client-1.1.0.jar:na]
    at com.cv.ibs.infobip.notification.camel.InfoBipWebServiceProcessor.process(InfoBipWebServiceProcessor.java:43) ~[com.cv.ibs.cib.ws.jar:na]
    at org.apache.camel.impl.converter.AsyncProcessorTypeConverter$ProcessorToAsyncProcessorBridge.process(AsyncProcessorTypeConverter.java:43) ~[camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.DeadLetterChannel.process(DeadLetterChannel.java:172) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.DeadLetterChannel.process(DeadLetterChannel.java:93) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:115) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:89) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.UnitOfWorkProcessor.process(UnitOfWorkProcessor.java:47) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:41) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:66) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:47) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.impl.ProducerCache.sendExchange(ProducerCache.java:151) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.impl.ProducerCache.send(ProducerCache.java:136) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:93) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:75) [camel-core-1.5.0.jar:1.5.0]
    at org.apache.camel.impl.DefaultProducerTemplate.request(DefaultProducerTemplate.java:172) [camel-core-1.5.0.jar:1.5.0]

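The debug output you show clearly indicates that both client and server are using TLS 1.2: the version of the ClientHello is TLS 1.2, the version of the ServerHello is also TLS 1.2, and the shared cipher is one that is only available since TLS 1.2. You might wonder why the TLS 1.2 ClientHello is wrapped in a TLS 1.0 record, but this is normal.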

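So this means my application is connecting using TLSv1.2? But I still get the peer not authenticated error. I have added the error log; could you take a look at it for me?

@Panadolchung: peer not authenticated is a different problem and has nothing to do with the TLS protocol version. Please do not change the focus of the question; instead ask a new question with enough details. My guess is that the client cannot validate the server's certificate because the trust chain is incomplete or the root CA is not trusted, but there is not enough information to be sure. So please ask a new question and provide enough details.

Hi @Steffen, if the TLS protocol were wrong, may I know what the error message would be? Because I thought this was caused by the wrong TLS version in the log.

@Panadolchung: In that case you would typically get a handshake error or a bad-protocol alert.

I will post a new question about this. What information should I provide so that people have the details?

The error here is "peer not authenticated". It has nothing to do with the TLS version.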
The error log from the question continues with the cause of the RetrofitError:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:17) ~[na:6.0 build_20140221]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:167) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:275) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:138) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:704) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:421) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554) ~[com.ibm.ws.prereq.jaxrs.jar:na]
    at retrofit.client.ApacheClient.execute(ApacheClient.java:71) ~[retrofit-1.9.0.jar:na]
    at retrofit.client.ApacheClient.execute(ApacheClient.java:65) ~[retrofit-1.9.0.jar:na]
    at com.cv.ibs.infobip.notification.camel.ApacheHttpClient.execute(ApacheHttpClient.java:45) ~[com.cv.ibs.cib.ws.jar:na]
    at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[retrofit-1.9.0.jar:na]
    ... 173 common frames omitted
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O WebContainer : 8, READ: TLSv1 Handshake, length = 206
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut     O *** ClientHello, TLSv1.2
...
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut     O *** ServerHello, TLSv1.2
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut     O Cipher Suite: SSL_RSA_WITH_AES_128_GCM_SHA256
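
The difference between the record-layer version ("READ: TLSv1 Handshake") and the version inside the hello ("*** ClientHello, TLSv1.2") that the answer describes, as an added example that is not part of the original question or answer. The function names, cipher-suite choices and sample records are constructed for illustration; the version that applies to the session is the one in the ServerHello.

```python
import struct

CLIENT_HELLO, SERVER_HELLO = 1, 2
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_hello(msg_type, record_version, hello_version, suites):
    """Build a constructed, minimal hello message wrapped in one TLS record."""
    # hello body starts with: version, 32-byte random (zeros here), empty session id
    body = struct.pack("!H", hello_version) + bytes(32) + b"\x00"
    if msg_type == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites))
        body += b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"                             # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"  # chosen suite, null compression
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

def parse_hello(record):
    """Return the record-layer version and the version carried in the hello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    msg = record[5:5 + length]
    if length < 6 or len(msg) < length:
        raise ValueError("truncated handshake message")
    if msg[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")
    (hello_version,) = struct.unpack("!H", msg[4:6])
    return {
        "message": "ClientHello" if msg[0] == CLIENT_HELLO else "ServerHello",
        "record_version": VERSIONS.get(record_version, hex(record_version)),
        "hello_version": VERSIONS.get(hello_version, hex(hello_version)),
    }

def negotiated_version(server_hello_record):
    """The session's protocol version is the one the server puts in its ServerHello."""
    parsed = parse_hello(server_hello_record)
    if parsed["message"] != "ServerHello":
        raise ValueError("expected a ServerHello")
    return parsed["hello_version"]

# Constructed samples mirroring the log: record says TLSv1, ClientHello says TLSv1.2.
SAMPLE_CLIENT_HELLO = build_hello(CLIENT_HELLO, 0x0301, 0x0303, [0xC02F, 0x009C])
SAMPLE_SERVER_HELLO = build_hello(SERVER_HELLO, 0x0303, 0x0303, [0x009C])

if __name__ == "__main__":
    print(parse_hello(SAMPLE_CLIENT_HELLO))
    print("negotiated:", negotiated_version(SAMPLE_SERVER_HELLO))
```
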