Question

我正在使用传统的Websphere 9.0.0.9，并尝试创建数据源来连接在IBM云上运行的postgresql。当我在数据源之后尝试测试连接时，我收到SSL握手异常。 SSL跟踪显示我的Websphere正在发送ClientHello，TLSv1，其中到Postgresql的所有连接均已启用TLS1.2。

我在Websphere中进行了以下配置，以强制进行TLSv1.2通信。但是它总是启动TLSv1调用。

在SSL设置的保护质量（QoP）设置中，选择TLSv1.2作为协议。以前选择了SSL_TLSv2
添加了-Djdk.tls.client.protocols = TLSv1.2 -Dhttps.protocols = TLSv1.2
在服务器中，ssl.client.props属性文件已更新com.ibm.ssl.protocol = TLSv1.2
重新启动了服务器，但是没有运气。

我在此处附加了SSL跟踪。你能帮我吗

    [3/9/19 20:10:27:031 UTC] 00000087 SystemOut     O WebContainer : 2, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:031 UTC] 00000087 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:032 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, RECV TLSv1.2 ALERT:  warning, close_notify
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, closeInboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, closeOutboundInternal()
[3/9/19 20:10:27:032 UTC] 00000087 SystemOut     O WebContainer : 2, SEND TLSv1.2 ALERT:  warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
[3/9/19 20:10:27:033 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:033 UTC] 00000087 SystemOut     O WebContainer : 2, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:034 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:038 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
[3/9/19 20:10:27:039 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:040 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut     O WebContainer : 1, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:041 UTC] 00000086 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:042 UTC] 00000086 SystemOut     O WebContainer : 1, RECV TLSv1.2 ALERT:  warning, close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, closeInboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, closeOutboundInternal()
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O WebContainer : 1, SEND TLSv1.2 ALERT:  warning, description = close_notify
[3/9/19 20:10:27:043 UTC] 00000086 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:044 UTC] 00000086 SystemOut     O WebContainer : 1, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:048 UTC] 00000091 SystemOut     O WebContainer : 6, READ: TLSv1.2 Alert, length = 26
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:049 UTC] 00000091 SystemOut     O WebContainer : 6, RECV TLSv1.2 ALERT:  warning, close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, closeInboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, closeOutboundInternal()
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O WebContainer : 6, SEND TLSv1.2 ALERT:  warning, description = close_notify
[3/9/19 20:10:27:050 UTC] 00000091 SystemOut     O CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
[3/9/19 20:10:27:051 UTC] 00000091 SystemOut     O WebContainer : 6, WRITE: TLSv1.2 Alert, length = 26
[3/9/19 20:10:28:893 UTC] 00000090 SystemOut     O X509KeyManager passed to SSLContext.init():  need an X509ExtendedKeyManager for SSLEngine use
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O SSLContextImpl:  Using X509KeyManager com.ibm.jsse2.ax
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O SSLContextImpl:  Using X509TrustManager org.postgresql.ssl.NonValidatingFactory$NonValidatingTM
[3/9/19 20:10:28:897 UTC] 00000090 SystemOut     O JsseJCE:  Using SecureRandom SHA2DRBG from provider IBMJCE version 1.8
[3/9/19 20:10:28:898 UTC] 00000090 SystemOut     O trigger seeding of SecureRandom
[3/9/19 20:10:28:942 UTC] 00000090 SystemOut     O done seeding SecureRandom
[3/9/19 20:10:28:946 UTC] 00000090 SystemOut     O 
Is initial handshake: true
[3/9/19 20:10:28:947 UTC] 00000090 SystemOut     O 
Is initial handshake: true
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:948 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:949 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[3/9/19 20:10:28:950 UTC] 00000090 SystemOut     O %% No cached client session
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O ALPNJSSEExt not initialzed for Client
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O *** ClientHello, TLSv1
[3/9/19 20:10:28:951 UTC] 00000090 SystemOut     O RandomCookie:  GMT: 1535384756 bytes = { 247, 108, 226, 59, 54, 187, 101, 14, 95, 251, 73, 147, 217, 248, 218, 111, 67, 202, 92, 205, 47, 42, 141, 87, 25, 87, 2, 68 }
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Session ID:  {}
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Compression Methods:  { 0 }
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension ec_point_formats, formats: [uncompressed]
[3/9/19 20:10:28:952 UTC] 00000090 SystemOut     O Extension extended_master_secret
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut     O Extension server_name, server_name: [type=host_name (0), value=5a3ec84c-0eb5-49ba-899d-91a9339f02a9.d7deeff0d58745aba57fa5c84685d5b4.databases.appdomain.cloud]
[3/9/19 20:10:28:953 UTC] 00000090 SystemOut     O ***
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut     O [write] MD5 and SHA1 hashes:  len = 217
[3/9/19 20:10:28:954 UTC] 00000090 SystemOut     O 0000: 01 00 00 d5 03 01 5c 84  1d b4 f7 6c e2 3b 36 bb  ...........l..6.
0010: 65 0e 5f fb 49 93 d9 f8  da 6f 43 ca 5c cd 2f 2a  e...I....oC.....
0020: 8d 57 19 57 02 44 00 00  2c 00 ff c0 0a c0 14 00  .W.W.D..........
0030: 35 c0 05 c0 0f 00 39 00  38 c0 09 c0 13 00 2f c0  5.....9.8.......
0040: 04 c0 0e 00 33 00 32 c0  08 c0 12 00 0a c0 03 c0  ....3.2.........
0050: 0d 00 16 00 13 01 00 00  80 00 0a 00 0a 00 08 00  ................
0060: 17 00 18 00 19 00 16 00  0b 00 02 01 00 00 17 00  ................
0070: 00 00 00 00 64 00 62 00  00 5f 35 61 33 65 63 38  ....d.b...5a3ec8
0080: 34 63 2d 30 65 62 35 2d  34 39 62 61 2d 38 39 39  4c.0eb5.49ba.899
0090: 64 2d 39 31 61 39 33 33  39 66 30 32 61 39 2e 64  d.91a9339f02a9.d
00a0: 37 64 65 65 66 66 30 64  35 38 37 34 35 61 62 61  7deeff0d58745aba
00b0: 35 37 66 61 35 63 38 34  36 38 35 64 35 62 34 2e  57fa5c84685d5b4.
00c0: 64 61 74 61 62 61 73 65  73 2e 61 70 70 64 6f 6d  databases.appdom
00d0: 61 69 6e 2e 63 6c 6f 75  64                       ain.cloud

[3/9/19 20:10:28:955 UTC] 00000090 SystemOut     O WebContainer : 5, WRITE: TLSv1 Handshake, length = 217
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut     O WebContainer : 5, READ: TLSv1 Alert, length = 2
[3/9/19 20:10:29:485 UTC] 00000090 SystemOut     O WebContainer : 5, RECV TLSv1.2 ALERT:  fatal, handshake_failure
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut     O WebContainer : 5, called closeSocket()
[3/9/19 20:10:29:486 UTC] 00000090 SystemOut     O WebContainer : 5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[3/9/19 20:10:29:594 UTC] 00000090 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.512728361473924885244.txt com.ibm.ws.rsadapter.DSConfigHelper.getPooledConnection 568
[3/9/19 20:10:29:722 UTC] 00000090 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_83c02f89_19.03.09_20.10.29.7052740090681335855170.txt com.ibm.ws.rsadapter.DSConfigurationHelper.testConnectionToDataSource 1486
[3/9/19 20:10:29:727 UTC] 00000090 DSConfigurati W   DSRA8201W: DataSource Configuration: DSRA8040I: Failed to connect to the DataSource jdbc/SelfService.  Encountered java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0.
java.sql.SQLException: SSL error: Received fatal alert: handshake_failure DSRA0010E: SQL State = 08006, Error Code = 0
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
    at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
    at org.postgresql.Driver.makeConnection(Driver.java:454)
    at org.postgresql.Driver.connect(Driver.java:256)
    at java.sql.DriverManager.getConnection(DriverManager.java:675)
    at java.sql.DriverManager.getConnection(DriverManager.java:258)
    at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:94)
    at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:79)

Answer 1

我为此苦苦挣扎了2天，通过HTTP客户端调用了一个休息服务。最终添加了以下2个设置：

SSL设置，保护质量（QoP）设置，选择TLSv1.2作为协议。以前已选择SSL_TLSv2
服务器>应用程序服务器> {服务器名称}>进程定义> Java虚拟机>定制属性> com.ibm.jsse2.overrideDefaultTLS = true

在这里https://issues.apache.org/jira/browse/HTTPCLIENT-1784找到了讨论我尝试单独使用选项2，并且将SSL_TLSv2设置为先前的设置，它似乎也可以使用。

Answer 2

过去10天，我一直在苦苦挣扎...通过设置以下参数终于解决了问题。

但是，我已经在环境（qop）级别启用了TLSv1.2，但是遇到了上述问题，然后在自定义属性下面添加了

以下属性强制IBM JDK使用TLSv1.2。

服务器>应用程序服务器> {服务器名称}>进程定义> Java虚拟机>定制属性>

com.ibm.jsse2.overrideDefaultTLS = true

Websphere 9始终发送ClientHello TLSv1进行SSL握手。我如何强制使用TLSv1.2

2 个答案: