SSL handshake failure Websphere 1 of 2 servers
Setup:
- 2 WebSphere servers (8.5 fixpack 13), both (at first glance) configured identically.
- 1 application (EAR with 2 WARs)
Problem:
SSL handshake fails on 1 of the 2 servers.
I enabled logging for debugging SSL and found the following difference between the servers:
Good server:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Client write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: 3d 82 67 06 09 d0 a8 93 01 8f 42 93 e3 24 6d c0 ..g.......B...m. 0010: 76 cb 4a 7f b9 a7 3e 61 c7 ac ca 60 08 77 a5 a0 v.J....a.....w..
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Server write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: ad d4 83 5c b2 6f e8 ad a5 7e 5d 50 39 04 78 74 .....o.....P9.xt 0010: f7 7f 2d 73 c7 1f aa f0 5c 72 ac ce a5 cc 76 21 ...s.....r....v.
Bad server:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Client write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: 2f 67 20 ee 13 d6 22 03 d6 aa bc 78 ca bf a9 0a .g.........x....
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Server write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: fc 64 13 e2 98 00 af cc 10 ae 34 80 fb 2c ab 5d .d........4.....
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O ... no IV derived for this protocol
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O JsseJCE: Using signature SHA512withRSA from provider TBD via init
[12/18/18 8:08:51:818 CET] 0000013d SystemOut O Signatures: Using signature RSA from provider from initSignIBMJCE version 1.8
[12/18/18 8:08:51:821 CET] 0000013d SystemOut O CertificateVerify
[12/18/18 8:08:51:821 CET] 0000013d SystemOut O Signature Algorithm SHA512withRSA
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O JsseJCE: Using KeyGenerator IbmTls12Prf from provider TBD via init
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Handshake, length = 136
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O Finished
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O verify_data: { 150, 40, 219, 56, 139, 255, 165, 51, 71, 246, 110, 176 }
[12/18/18 8:08:51:824 CET] 0000013d SystemOut O
[12/18/18 8:08:51:824 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Handshake, length = 64
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Change Cipher Spec, length = 1
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Handshake, length = 64
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O Finished
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O verify_data: { 217, 179, 178, 151, 190, 135, 169, 219, 85, 206, 55, 194 }
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O JsseJCE: Using KeyGenerator IbmTls12Prf from provider TBD via init
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O %% Cached client session: [Session-129, SSL_RSA_WITH_AES_128_CBC_SHA]
[12/18/18 8:08:51:895 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Application Data, length = 336
[12/18/18 8:08:51:895 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Application Data, length = 5984
[12/18/18 8:08:52:053 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Application Data, length = 1008
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called close()
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called closeInternal(true)
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, SEND TLSv1.2 ALERT: warning, description = close_notify
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Alert, length = 48
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called closeSocket(true)
[12/18/18 8:08:52:603 CET] 0000013d SystemOut O SSLv3 protocol was requested but was not enabled
[12/18/18 8:08:52:604 CET] 0000013d SystemOut O
As I marked in the good server, I see the write key part 0010 for both client and server, but not on the bad server.
I assume that because it is missing, the SSL handshake fails and so the call fails.
We use a lot of web services; only 2 endpoints have the problem, the other endpoints work fine on both servers.
I would appreciate it if someone could point me in the direction of where to search.
Edit:
- Tried adding:
-Dcom.ibm.jsse2.overrideDefaultTLS=true
as a startup parameter, but it didn't help.
It seems the security configuration on the bad server is the standard one, not the more secure US version:
- JDK/jre/lib/security/local_policy.jar
- JDK/jre/lib/security/US_export_policy.jar
You can find more explanation in this Dzone article.
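Added here as a triage aid (not code from the post, nor from IBM or WebSphere): a Python parser for the write-key dumps quoted above. It counts the bytes in the 0000:/0010: rows and reads the cached-session suite, which shows the good server deriving 32-byte (AES-256) write keys while the bad server derives 16-byte keys; 16 bytes is exactly what the logged SSL_RSA_WITH_AES_128_CBC_SHA suite requires, and a JDK limited to 128-bit AES by the restricted JCE policy files named in the edit would negotiate exactly that. The sample lines are copied from the post's log; the regexes and function names are this example's own.

```python
import re
# Constructed sample input: the write-key dumps and cached-session line copied from the
# IBM JSSE2 debug output quoted in the post (good server first, then bad server).
GOOD_LOG = """\
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Client write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: 3d 82 67 06 09 d0 a8 93 01 8f 42 93 e3 24 6d c0 ..g.......B...m. 0010: 76 cb 4a 7f b9 a7 3e 61 c7 ac ca 60 08 77 a5 a0 v.J....a.....w..
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Server write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: ad d4 83 5c b2 6f e8 ad a5 7e 5d 50 39 04 78 74 .....o.....P9.xt 0010: f7 7f 2d 73 c7 1f aa f0 5c 72 ac ce a5 cc 76 21 ...s.....r....v.
"""
BAD_LOG = """\
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Client write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: 2f 67 20 ee 13 d6 22 03 d6 aa bc 78 ca bf a9 0a .g.........x....
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Server write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: fc 64 13 e2 98 00 af cc 10 ae 34 80 fb 2c ab 5d .d........4.....
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O %% Cached client session: [Session-129, SSL_RSA_WITH_AES_128_CBC_SHA]
"""
KEY_HDR = re.compile(r"SystemOut O (Client|Server) write key:\s*$")
# One dump row: a 4-digit offset, then up to 16 "xx " pairs; the ASCII column has no such pairs.
HEX_ROW = re.compile(r"(?<![0-9a-f])[0-9a-f]{4}: ((?:[0-9a-f]{2} ){1,16})")
SESSION = re.compile(r"Cached client session: \[[^,\]]+, ([A-Z0-9_]+)\]")

def parse_write_keys(log):
    """Write-key length in bytes per side ('Client'/'Server'), plus 'suite' if a session line is logged."""
    found, pending = {}, None
    for line in log.splitlines():
        m = KEY_HDR.search(line)
        if m:                       # the hex dump follows on the next line(s)
            pending = m.group(1)
            continue
        m = SESSION.search(line)
        if m:
            found["suite"] = m.group(1)
            continue
        if pending:
            rows = HEX_ROW.findall(line)
            if rows:                # the 0000: and 0010: rows may share one log line
                found[pending] = sum(len(r.split()) for r in rows)
                pending = None
    return found

def compare(good, bad):
    """One-line verdict: 16-byte keys mean AES-128, 32-byte keys mean AES-256."""
    gb, bb = good["Client"] * 8, bad["Client"] * 8
    if gb == bb:
        return "both servers negotiated %d-bit AES keys" % gb
    verdict = "key sizes differ: %d-bit vs %d-bit AES" % (gb, bb)
    if ("AES_%d_" % bb) in bad.get("suite", ""):  # short key matches the negotiated suite
        verdict += "; the shorter key is what %s requires, so check the JCE policy limit" % bad["suite"]
    return verdict
```

To confirm the policy on each JVM directly, javax.crypto.Cipher.getMaxAllowedKeyLength("AES") returns 128 under the restricted policy files and Integer.MAX_VALUE with the unlimited ones.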