No such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS

Time: 2014-02-11 18:26:07

Tags: java apache security jsse nss

I ran into a problem after updating the JRE to 7u51. Before that, everything worked fine.

I have a web application running on Tomcat that uses the Mozilla NSS library for FIPS 140-2 compliance when using SSL/TLS. To do this, I have to replace the default SunJSSE provider with my custom SunPKCS11-NSSFIPS provider.

Everything looked fine. The server reported that it was ready, but when I tried to hit it from a web browser I got a "connection interrupted" error.

Looking at the logs on the server, I saw this:

Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: Could not generate dummy secret
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
    at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:281)
    at sun.security.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(RSAClientKeyExchange.java:245)
    at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:167)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:190)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
    ... 5 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS
    at sun.security.jca.GetInstance.getService(GetInstance.java:100)
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
    at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
    at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:270)
    ... 15 more

I believe this is happening because the browser is trying to handshake with TLSv1.2 but my security provider cannot handle it. Is there a way to work around this while still using my custom provider?

After that stack trace there is another one in the log file:

Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1064)
    at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
    ... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:89)
    at javax.crypto.KeyGenerator.init(KeyGenerator.java:431)
    at javax.crypto.KeyGenerator.init(KeyGenerator.java:414)
    at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
    ... 14 more
Caused by: java.security.InvalidKeyException: Could not create key
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:270)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:175)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
    at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:87)
    ... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:265)
    ... 20 more

Any help would be greatly appreciated.

1 answer:

Answer 0 (score: 0)

If I'm not mistaken, NSS does not support TLS 1.2 yet. So you should not initiate a TLS 1.2 handshake. Some browsers have changed their default TLS version to 1.2. You have to change it to TLS 1.1 and try again.
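The failure in the question surfaces only at handshake time, when SunJSSE asks the installed JCE provider for a TLS 1.2 KeyGenerator it does not register. The following diagnostic is an added example, not code from the question, the answer or the NSS/Tomcat projects: it looks up the KeyGenerator algorithm names SunJSSE requests (SunTls12RsaPremasterSecret is the one in the stack trace; the other names are the companion TLS 1.0/1.1 and TLS 1.2 algorithms from SunJSSE's JsseJce class) on a named provider before any connector is enabled, and reports which protocol versions that provider can actually serve. The provider name SunPKCS11-NSSFIPS is taken from the question; running it requires the same PKCS#11/NSS provider to be installed in java.security.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added diagnostic (not part of the original post): check whether a JCE
// provider registers the KeyGenerator algorithms SunJSSE needs for each TLS
// version, so the server does not advertise a version it cannot complete.
public class TlsProviderCheck {
    // Names SunJSSE requests via KeyGenerator.getInstance(name, provider).
    static final String[] TLS10_11_ALGS = {
        "SunTlsRsaPremasterSecret", "SunTlsMasterSecret",
        "SunTlsKeyMaterial", "SunTlsPrf"
    };
    static final String[] TLS12_ALGS = {
        "SunTls12RsaPremasterSecret", "SunTls12MasterSecret",
        "SunTls12KeyMaterial", "SunTls12Prf"
    };

    // Return the algorithms from algs that provider p does not register.
    static List<String> missing(Provider p, String[] algs) {
        List<String> out = new ArrayList<>();
        for (String alg : algs) {
            if (p.getService("KeyGenerator", alg) == null) out.add(alg);
        }
        return out;
    }

    // Protocol versions whose handshake key derivation p can fully serve.
    static List<String> usableProtocols(Provider p) {
        List<String> ok = new ArrayList<>();
        if (missing(p, TLS10_11_ALGS).isEmpty()) ok.addAll(Arrays.asList("TLSv1", "TLSv1.1"));
        if (missing(p, TLS12_ALGS).isEmpty()) ok.add("TLSv1.2");
        return ok;
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "SunPKCS11-NSSFIPS"; // name from the question
        Provider p = Security.getProvider(name);
        if (p == null) {
            System.err.println("Provider not installed: " + name);
            System.exit(1);
        }
        System.out.println("Missing TLS 1.0/1.1 algorithms: " + missing(p, TLS10_11_ALGS));
        System.out.println("Missing TLS 1.2 algorithms:     " + missing(p, TLS12_ALGS));
        // Enable only these on the SSLEngine/connector until the provider gains TLS 1.2.
        System.out.println("Protocols this provider can serve: " + usableProtocols(p));
    }
}
```

If the TLS 1.2 list comes back non-empty, the server side should advertise only the protocols printed last (for example via SSLEngine.setEnabledProtocols or the connector's enabled-protocol setting) rather than relying on every client to downgrade.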