如何在 Alpine docker 容器上使用 openjdk 14 启用 ECDHE 密码?
How to enable ECDHE ciphers with openjdk 14 on an Alpine docker container?
一个 API 我必须为我的应用程序使用仅支持 ECDHE 密码的 TLS 连接。
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap 完成:在 15.16 秒内扫描了 1 个 IP 地址(启动了 1 个主机)
看来我的应用不支持这些,我得到:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
这是我在日志中看到的密码列表:
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "FE 6E D4 06 07 51 D0 66 1A 6A B8 60 84 B0 C7 9F 07 82 8F 92 13 48 2A 72 DC BD 80 39 B9 33 7A 1D",
"session id" : "8C 37 D0 37 88 6C D6 5C 59 94 5B AD E6 6E 0F 50 1D F2 9E 06 F6 17 3F 85 44 AB 12 82 E1 1F F5 53",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
还有我的 Dockerfile
FROM alpine:3.10 as jdk-14-alpine
# Add the musl-based JDK 14 distribution
RUN apk update \
&& apk add wget \
&& apk --no-cache add ca-certificates
RUN wget -q https://download.java.net/java/early_access/alpine/12/binaries/openjdk-14-ea+12_linux-x64-musl_bin.tar.gz && \
echo "f6247b208eae214562ec69ec928a238ec26a15b7d18a435523c3ceb3f3f18a7c *openjdk-14-ea+12_linux-x64-musl_bin.tar.gz" | sha256sum -c -
RUN tar -x -f openjdk-14-ea+12_linux-x64-musl_bin.tar.gz -C /opt
RUN rm openjdk-14-ea+12_linux-x64-musl_bin.tar.gz
# Set up env variables
ENV JAVA_HOME=/opt/jdk-14
ENV PATH=$PATH:$JAVA_HOME/bin
# Strip away unnecessary parts of the JDK
# The java.desktop module is needed because Jersey's RenderedImageProvider references java.awt.image.RenderedImage
# The java.sql module is needed because Snakeyaml's Tag references java.sql.Date
RUN jlink --module-path /opt/jdk-14/jmods \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.desktop,java.management,java.naming,java.sql,jdk.jdi,jdk.jdwp.agent \
--compress 2 \
--no-header-files \
--output /opt/jdk-14-alpine-linked
CMD ["/opt/jdk-14-alpine-linked/bin/java", "-version"]
FROM alpine:3.10
# Copy the stripped JDK 14 from the previous stage
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jdk-14
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jre-14
ENV JAVA_HOME=/opt/jre-14
ENV PATH=$PATH:$JAVA_HOME/bin
# Add the application jar file
ADD target/app-backend.jar /opt/app/app-backend.jar
ADD run.sh /opt/app/run.sh
RUN chmod +x /opt/app/run.sh
CMD ["sh", "/opt/app/run.sh"]
我尝试通过添加
来启用无限安全
Security.setProperty("crypto.policy", "unlimited");
但这并没有什么不同。我还尝试在我的 pom 文件中添加 bouncycastle,但我却得到了:
Caused by: java.lang.RuntimeException: Could not generate XDH keypair
这可以通过应用 here 中描述的解决方案来解决,但随后我又回到了最初的错误。
知道我能做什么吗?我在本地机器上工作,只有在部署时才会出现问题。
此应用程序使用 Apache http,因此替代方法是直接在该级别注入对这些密码的支持。可以吗?
这实际上与 Alpine 或 OpenJDK 14 无关。我在 http://www.gubatron.com/blog/2019/04/25/solving-received-fatal-alert-handshake_failure-error-when-performing-https-connections-on-a-custom-made-jre-with-jlink/ 找到了解决方案,只需将 jdk.crypto.cryptoki 添加到要使用 jlink
添加的模块列表中
一个 API 我必须为我的应用程序使用仅支持 ECDHE 密码的 TLS 连接。
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap 完成:在 15.16 秒内扫描了 1 个 IP 地址(启动了 1 个主机)
看来我的应用不支持这些,我得到:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
这是我在日志中看到的密码列表:
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "FE 6E D4 06 07 51 D0 66 1A 6A B8 60 84 B0 C7 9F 07 82 8F 92 13 48 2A 72 DC BD 80 39 B9 33 7A 1D",
"session id" : "8C 37 D0 37 88 6C D6 5C 59 94 5B AD E6 6E 0F 50 1D F2 9E 06 F6 17 3F 85 44 AB 12 82 E1 1F F5 53",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
还有我的 Dockerfile
FROM alpine:3.10 as jdk-14-alpine
# Add the musl-based JDK 14 distribution
RUN apk update \
&& apk add wget \
&& apk --no-cache add ca-certificates
RUN wget -q https://download.java.net/java/early_access/alpine/12/binaries/openjdk-14-ea+12_linux-x64-musl_bin.tar.gz && \
echo "f6247b208eae214562ec69ec928a238ec26a15b7d18a435523c3ceb3f3f18a7c *openjdk-14-ea+12_linux-x64-musl_bin.tar.gz" | sha256sum -c -
RUN tar -x -f openjdk-14-ea+12_linux-x64-musl_bin.tar.gz -C /opt
RUN rm openjdk-14-ea+12_linux-x64-musl_bin.tar.gz
# Set up env variables
ENV JAVA_HOME=/opt/jdk-14
ENV PATH=$PATH:$JAVA_HOME/bin
# Strip away unnecessary parts of the JDK
# The java.desktop module is needed because Jersey's RenderedImageProvider references java.awt.image.RenderedImage
# The java.sql module is needed because Snakeyaml's Tag references java.sql.Date
RUN jlink --module-path /opt/jdk-14/jmods \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.desktop,java.management,java.naming,java.sql,jdk.jdi,jdk.jdwp.agent \
--compress 2 \
--no-header-files \
--output /opt/jdk-14-alpine-linked
CMD ["/opt/jdk-14-alpine-linked/bin/java", "-version"]
FROM alpine:3.10
# Copy the stripped JDK 14 from the previous stage
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jdk-14
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jre-14
ENV JAVA_HOME=/opt/jre-14
ENV PATH=$PATH:$JAVA_HOME/bin
# Add the application jar file
ADD target/app-backend.jar /opt/app/app-backend.jar
ADD run.sh /opt/app/run.sh
RUN chmod +x /opt/app/run.sh
CMD ["sh", "/opt/app/run.sh"]
我尝试通过添加
来启用无限安全Security.setProperty("crypto.policy", "unlimited");
但这并没有什么不同。我还尝试在我的 pom 文件中添加 bouncycastle,但我却得到了:
Caused by: java.lang.RuntimeException: Could not generate XDH keypair
这可以通过应用 here 中描述的解决方案来解决,但随后我又回到了最初的错误。
知道我能做什么吗?我在本地机器上工作,只有在部署时才会出现问题。
此应用程序使用 Apache http,因此替代方法是直接在该级别注入对这些密码的支持。可以吗?
这实际上与 Alpine 或 OpenJDK 14 无关。我在 http://www.gubatron.com/blog/2019/04/25/solving-received-fatal-alert-handshake_failure-error-when-performing-https-connections-on-a-custom-made-jre-with-jlink/ 找到了解决方案,只需将 jdk.crypto.cryptoki 添加到要使用 jlink
添加的模块列表中