Nifi安全连接没有密码
Nifi secure connection no ciphers
我正在使用 nifi,我开始为 https 配置它以启用用户。 Nifi 不工作,码头 Web 服务器失败,说没有密码。不知道如何调试这个,有什么提示吗?
相同的证书已经在我的计算机上进行了测试并且可以正常工作。
任何帮助表示赞赏
更新
嗯...我启用了 SSL 日志记录。
最大的区别是关于 Java 环境,在生产服务器上是 java-1.8.0-openjdk,在我的本地机器上是 java-8-oracle。
日志之间仍然存在一些重要差异。
作为 ssl 协商参考,请参阅此 POST 关于协议应该如何工作以及涉及的会话。
最显着的区别是
生产主机上没有 *** ECDH ServerKeyExchange 会话。
从 ClientHello 开始的日志在两台机器上有很大不同:
本地(我截断了太长的行并且只报告了很少的日志会话)
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
在生产上有所不同:
(我截断了太长的行,只报告了很少的日志会话)
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec@7862cc21, java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
更新 2
我要求安装 Java 8,现在 keyexchange 可以工作了,此时我的问题将消失。
如果您可以提供 $NIFI_HOME/logs/nifi-app.log 和 $NIFI_HOME/logs/nifi-bootstrap.log 的输出(如有必要,已清理),以及您的硬件、OS、JRE 和 NiFi 版本使用,这将有助于诊断。以下是几个常见原因:
- 密钥库中的证书无效(已过期、尚未生效、无法验证链),因此 Jetty 会跳过依赖 RSA/DSA 密钥进行签名或加密的可用密码套件.您可以通过在
$NIFI_HOME/conf/bootstrap.conf 中添加一个新参数来检查这一点:java.arg.15=-Djavax.net.debug=ssl,handshake(更新参数编号以确保它不会与现有参数冲突)。这将向您的日志文件添加大量输出,涵盖信任库配置和每次 TLS 握手协商,包括 Jetty 认为哪些密码套件可用。
- 存在一个小问题,加载到密钥库中的动态生成的证书无法用于在测试用例中提供
TLSv1.1 密码套件。参见 NIFI-1688 PR 624
- JRE 运行ning NiFi 不提供浏览器可以接受的任何密码套件。这种情况不太常见,但 JRE 7 将
TLSv1.0 设置为默认值,并且某些浏览器(夜间构建等)可能会将 TLS 限制为仅 TLSv1.1 或 TLSv1.2。您可以通过 运行 执行以下命令来验证这一点:$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>。 NiFi 0.x 可以在 Java 7 上 运行,但 NiFi 1.x 需要 Java 8+。如果您仅限于 Java 7,则可以通过另一个 Java 参数明确启用这些协议:java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2。
我正在使用 nifi,我开始为 https 配置它以启用用户。 Nifi 不工作,码头 Web 服务器失败,说没有密码。不知道如何调试这个,有什么提示吗? 相同的证书已经在我的计算机上进行了测试并且可以正常工作。 任何帮助表示赞赏
更新
嗯...我启用了 SSL 日志记录。
最大的区别是关于 Java 环境,在生产服务器上是 java-1.8.0-openjdk,在我的本地机器上是 java-8-oracle。
日志之间仍然存在一些重要差异。
作为 ssl 协商参考,请参阅此 POST 关于协议应该如何工作以及涉及的会话。
最显着的区别是
生产主机上没有 *** ECDH ServerKeyExchange 会话。
从 ClientHello 开始的日志在两台机器上有很大不同:
本地(我截断了太长的行并且只报告了很少的日志会话)
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
在生产上有所不同:
(我截断了太长的行,只报告了很少的日志会话)
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec@7862cc21, java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
更新 2
我要求安装 Java 8,现在 keyexchange 可以工作了,此时我的问题将消失。
如果您可以提供 $NIFI_HOME/logs/nifi-app.log 和 $NIFI_HOME/logs/nifi-bootstrap.log 的输出(如有必要,已清理),以及您的硬件、OS、JRE 和 NiFi 版本使用,这将有助于诊断。以下是几个常见原因:
- 密钥库中的证书无效(已过期、尚未生效、无法验证链),因此 Jetty 会跳过依赖 RSA/DSA 密钥进行签名或加密的可用密码套件.您可以通过在
$NIFI_HOME/conf/bootstrap.conf中添加一个新参数来检查这一点:java.arg.15=-Djavax.net.debug=ssl,handshake(更新参数编号以确保它不会与现有参数冲突)。这将向您的日志文件添加大量输出,涵盖信任库配置和每次 TLS 握手协商,包括 Jetty 认为哪些密码套件可用。- 存在一个小问题,加载到密钥库中的动态生成的证书无法用于在测试用例中提供
TLSv1.1密码套件。参见 NIFI-1688 PR 624
- 存在一个小问题,加载到密钥库中的动态生成的证书无法用于在测试用例中提供
- JRE 运行ning NiFi 不提供浏览器可以接受的任何密码套件。这种情况不太常见,但 JRE 7 将
TLSv1.0设置为默认值,并且某些浏览器(夜间构建等)可能会将 TLS 限制为仅TLSv1.1或TLSv1.2。您可以通过 运行 执行以下命令来验证这一点:$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>。 NiFi0.x可以在 Java 7 上 运行,但 NiFi1.x需要 Java 8+。如果您仅限于 Java 7,则可以通过另一个 Java 参数明确启用这些协议:java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2。