将Java HTTP客户端代码与WebSphere服务器URL连接时遇到错误。测试将抛出SSL握手错误消息:
使用Java7和Java8测试代码部署:
java -Djavax.net.ssl.keyStore=mykey.jks -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=ssl,handshake postHTTPWAS
日志文件:
..
jdk.tls.client.protocols is defined as TLSv1.2
SSLv3 protocol was requested but was not enabled
.. Extension server_name, server_name: [type=host_name (0), value=myhost.domain.com]
***
main, WRITE: TLSv1 Handshake, length = 155
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JRE的java.security设置配置如下:
...
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3
jdk.certpath.disabledAlgorithms=SSLv3
com.ibm.jsse2.disableSSLv3=true
问题:
1)为什么SSL跟踪显示对SSLv3的引用,SSLv3是在客户端安全设置中逻辑禁用的协议?
2)SSLHandshakeException的根错误是什么?
3)是否可以将TLSv1.2作为所有HTTPS客户端连接的默认选择,哪个是设置它的正确系统属性?
答案 0 :(得分:1)
我已经隔离了错误。
较新版本的WAS应用程序服务器(完整版)期望客户端将与TLSv1.2连接。对于手动Java JRE调用,请使用参数-Dhttps.protocols = TLSv1.2,如下所示:
print(args)
FullArgSpec(args=['self', 'arg1', 'kwarg1'], varargs=None, varkw=None, defaults=(None,), kwonlyargs=[], kwonlydefaults=None, annotations={})
对于Apache HTTPS客户端(&gt; V.4.5.2),我添加了一些其他部分,以使HTTPS与TLSv1.2连接。两个连接现在都正常工作。
/opt/java8/ibm-java-x86_64-80/bin/javac SSLTest.java && /opt/java8/ibm-java-x86_64-80/jre/bin/java -Dhttps.protocols=TLSv1.2 SSLTest