Does OpenShift 3.11 block all SSLv3 traffic on secure routes?

Tags: ssl, https, openssl, openshift, openshift-3

My system runs in OpenShift 3.11.

I have to implement an https/REST integration with a legacy Java 1.6 system that only supports SSLv3.

So I have to enable SSLv3 on my web server, and I use passthrough mode for the OpenShift route.

When I run
openssl s_client -connect localhost:4430 -ssl3
inside my pod's terminal to test the SSLv3 connection, everything works:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = Test Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 CN = Test Root CA 2
verify return:1
depth=1 DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
verify return:1
depth=0 C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek@sberbank.ru
verify return:1
---
Certificate chain
 0 s:C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek@sberbank.ru
   i:DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
 1 s:DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
   i:CN = Test Root CA 2
 2 s:CN = Test Root CA 2
   i:CN = Test Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = RU, ST = Some-State, L = Moscow, O = Sberbank, OU = MMB, CN = ift-spod.apps.test-ose.ca.sbrf.ru, emailAddress = Melnikov.D.Alek@sberbank.ru
issuer=DC = ru, DC = sbrf, DC = ca, CN = Sberbank Test Issuing CA 2
---
No client certificate CA names sent
---
SSL handshake has read 5893 bytes and written 270 bytes
Verification error: self signed certificate in certificate chain
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: ED516AC9E327AECF04ACA14AEB9BD5D5FCDD4337DEB0D446E23A23063325A8B0
    Session-ID-ctx: 
    Master-Key: 34B45454DA572634B1F1DD24CCF98BEE7CED7B878C16DB554E6D3AF1B1B43E8E1DE2598C2A90CA106137B603472E8BA8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1576863631
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
But when I try to connect through the external interface (or from any other machine), I get:

openssl s_client -ssl3 -connect ift-spod.apps.test-ose.ca.sbrf.ru:443

CONNECTED(00000003)
140494325270400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1536:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1576864292
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Yes, the team that manages OpenShift in my organization confirmed that HAProxy is blocking SSLv3.

The OpenShift 3.11 HAProxy router uses SNI. Maybe passing the -servername parameter would help? For example -servername ift-spod.apps.test-ose.ca.sbrf.ru, or -servername ift-spod