我将JRE更新为7u51后遇到了问题。在此之前,事情进展顺利。
我有一个在Tomcat上运行的Web应用程序,它在使用SSL / TLS时使用mozilla NSS库来实现FIPS 140-2合规性。为此,我必须将默认的SunJSSE提供程序更改为我的自定义SunPKCS11-NSSFIPS提供程序。
一切都很好。服务器显示它已准备就绪,但是当我尝试从Web浏览器中点击它时,出现“连接中断”错误。
查看服务器上的日志,我看到了:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:281)
at sun.security.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(RSAClientKeyExchange.java:245)
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:167)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:190)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:100)
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:270)
... 15 more
我相信这种情况正在发生,因为浏览器正在尝试与TLSv1.2进行握手,但我的安全提供商无法处理它。有没有办法在仍然使用我的自定义提供程序时解决此问题?
在堆栈跟踪之后,日志文件中还有另一个:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1064)
at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:89)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:431)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:414)
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
... 14 more
Caused by: java.security.InvalidKeyException: Could not create key
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:270)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:175)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:87)
... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:265)
... 20 more
任何帮助将不胜感激。
答案 0 :(得分:0)
如果我没错,NSS还不支持tls1.2。所以你不应该初始化tls1.2的握手。某些浏览器已将默认TLS版本更改为1.2。您必须将其更改为TLS 1.1并重试。