没有服务器的SSL握手与Java 1.8

时间:2016-03-10 14:14:57

标签: java ssl jdbc sql-server-2012 sql-server-2014

我正在使用Microsoft SQL Server 2012的Progress DataDirect(光荣......)JDBC驱动程序。两个服务器都是完全更新的窗口以及SQL服务器。两者都强制执行加密。

我现在正在尝试使用符合FIPS标准的信任库以及相应的java.security文件,jars,无限强度密码套件,使用我的Java客户端应用程序连接到它们。信任库包含我自己的CA的自签名证书。使用的算法是RSA。

使用JDK 1.7.0_21它完美无缺,但是当我更改为1.8.0_74(最近的afaik)时它失败了,因为SQL服务器不希望在ClientHello之后回复。之后它只是断开连接重置。

此外,我尝试以不同的组合设置这些属性,但不适用于JDK 1.8。

  • -Dhttps.protocols =使用TLSv1
  • -Dcom.sun.net.ssl.enableECC =假
  • -Djdk.tls.client.protocols =使用TLSv1

JDBC连接属性也是开/关的不同组合:

  • CryptoProtocolVersion = TLSv1.2工作
  • HostNameInCertificate = my.host.com

我尝试过TLS 1.2,1.1和1,但没有任何效果。

由于它适用于JDK 1.7,我倾向于认为JDK 1.8打破了这种机制。

使用JDK 1.8的调试日志包含此日志条目,该日志条目与JDK 1.7完全不同

1.8:

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

1.7 

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

我还可以尝试解决这个问题吗?遗憾的是,切换回1.7不是我的选择或可能。

修改

这是-Djavax.net.debug = all:

的最后一部分 
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1440778452 bytes = { 133, 30, 185, 72, 50, 27, 253, 188, 73, 244, 59, 197, 169, 24, 142, 134, 78, 66, 122, 216, 60, 62, 232, 121, 107, 245, 32, 53 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=my.sqlserver.com]
***
[write] MD5 and SHA1 hashes:  len = 130
<HEX DUMP>
main, WRITE: TLSv1.2 Handshake, length = 130
[Raw write]: length = 135
<HEX DUMP>

调用代码是这样的:

Connection connection = DriverManager.getConnection(url, getProps());

  private static Properties getProps()
  {
    Properties properties = new Properties();
    properties.setProperty("User", "sa");
    properties.setProperty("Password", "password");
    properties.setProperty("EncryptionMethod", "SSL");
    properties.setProperty("HostNameInCertificate", "my.sqlserver.com");
    properties.setProperty("TrustStore", "<Path to trust store");
    properties.setProperty("TrustStorePassword", "password");
    properties.setProperty("ValidateServerCertificate", "true");
    properties.setProperty("CryptoProtocolVersion", "TLSv1.2");

    return properties;
  }

1 个答案:

答案 0 :(得分:0)

对我来说,升级到JDK8(更新191)的stricter policy for allowed (TLS) crypto algorithms失败。我只是通过修改我的3DES_EDE_CBC文件再次启用了${jdk.home}/jre/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC

收件人:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224

或以编程方式:

java.security.Security.setProperty("jdk.tls.disabledAlgorithms", 
    "SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224");

或在春季:

<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="targetClass" value="java.security.Security" />
    <property name="targetMethod" value="setProperty" />
    <property name="arguments">
        <list>
            <value>jdk.tls.disabledAlgorithms</value>
            <value>SSLv3, RC4, MD5withRSA, DH keySize &lt; 1024, EC keySize &lt; 224</value>
        </list>
    </property>
</bean>

另请参阅this answer related to SSLv3

相关问题
最新问题