SSL JDBC connection fails with the Diffie-Hellman (DH_ANON) cipher suite

Time: 2015-01-29 19:28:04

Tags: ssl encryption jdbc oracle11g diffie-hellman

I am trying to create an SSL-enabled connection to an Oracle Database 11g (version 11.2.0.1.0) using JDBC. I only want to use SSL for encryption, not for authentication, which is why I am using the Diffie-Hellman anonymous cipher suites, but the connection fails.

I fully understand that anonymous cipher suites are not advisable and are inherently susceptible to man-in-the-middle attacks, and I will probably not use them in production. But I would still like to know what is wrong with my implementation that prevents the SSL connection. Here is an excerpt of the code:

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.util.Properties;

    public class Test {
        public static void main(String[] args) {
            createConnection();
        }

        static void createConnection() {
            // Thin-driver URL; PROTOCOL=tcps selects TLS on the listener's TCPS port (2484 here)
            String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<IP>)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=<service_name>)))";
            Properties props = new Properties();
            props.setProperty("user", "hr");
            props.setProperty("password", "hr");
            // Offer only anonymous DH suites: encryption without server authentication
            props.setProperty("oracle.net.ssl_cipher_suites",
                "(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)");

            // Commented out since an anonymous Diffie-Hellman suite should not require a trust store or key store,
            // but the connection only works if these two lines are uncommented.
            //props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
            //props.setProperty("javax.net.ssl.trustStoreType", "SSO");

            Connection conn = null;
            try {
                //Security.insertProviderAt(new oracle.security.pki.OraclePKIProvider(),3);
                Class.forName("oracle.jdbc.OracleDriver");
                conn = DriverManager.getConnection(url, props);
                System.out.println("conn " + conn);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

In sqlnet.ora I added the following to make sure the client is not authenticated and that client and server use the same cipher suites:

    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)

However, when I run the code I get the following error:

java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
  at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:538)
  at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
  at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
  at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
  at java.sql.DriverManager.getConnection(DriverManager.java:582)
  at java.sql.DriverManager.getConnection(DriverManager.java:154)
  at oracle.bi.modeling.Test.createConnection(Test.java:50)
  at oracle.bi.modeling.Test.main(Test.java:18)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
  at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
  at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
  at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:686)
  at oracle.net.ns.NSProtocol.connect(NSProtocol.java:246)
  at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1056)
  at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
  ... 8 more
Caused by: oracle.net.ns.NetException: Unable to initialize ssl context.
  at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:327)
  at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:110)
  at oracle.net.nt.ConnOption.connect(ConnOption.java:130)
  at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
  ... 13 more
Caused by: oracle.net.ns.NetException: Unable to initialize the trust store.
  at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:415)
  at oracle.net.nt.CustomSSLSocketFactory.getSSLSocketFactory(CustomSSLSocketFactory.java:311)
  ... 16 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
  at java.security.KeyStore.load(KeyStore.java:1185)
  at oracle.net.nt.CustomSSLSocketFactory.getTrustManagerArray(CustomSSLSocketFactory.java:406)
  ... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
  ... 20 more

If I do specify a trust store, i.e. when I uncomment the following lines, the connection works fine:

    props.setProperty("javax.net.ssl.trustStore", "/truststore/cwallet.sso");
    props.setProperty("javax.net.ssl.trustStoreType", "SSO");

But the Diffie-Hellman anonymous cipher suites should not require a trust store or key store. So what am I doing wrong?

I did see the following in the Oracle documentation: http://docs.oracle.com/cd/B28359_01/network.111/b28530/asossl.htm#i1009717

"There is a known bug where the OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client."

But I am not using the OCI client; I am using JDBC (ojdbc6.jar). Does the same apply to JDBC as well? If so, what is the workaround for using the Diffie-Hellman cipher suites?

Thanks,

Joyjit
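One check worth running before blaming the driver is whether the JVM's own JSSE provider can negotiate the three requested suites at all: a suite that the JDK lists as unsupported, or that it knows but does not enable by default, cannot be negotiated whatever the trust-store setting. The following diagnostic is an added example, not code from the question or from Oracle's driver; it uses only the standard `javax.net.ssl` and `java.security` APIs, and the class name `AnonSuiteCheck` and the helper `classify` are my own.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class AnonSuiteCheck {
    // The three suites the question passes in oracle.net.ssl_cipher_suites.
    static final String[] REQUESTED = {
        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
        "SSL_DH_anon_WITH_RC4_128_MD5",
        "SSL_DH_anon_WITH_DES_CBC_SHA"
    };

    // Classifies one suite name against a context: "enabled" (offered by default),
    // "supported but not enabled by default", or "unsupported" (unknown to this JDK).
    static String classify(SSLContext ctx, String suite) {
        Set<String> supported = new HashSet<String>(Arrays.asList(
            ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(Arrays.asList(
            ctx.getDefaultSSLParameters().getCipherSuites()));
        if (enabled.contains(suite)) {
            return "enabled";
        }
        if (supported.contains(suite)) {
            return "supported but not enabled by default";
        }
        return "unsupported";
    }

    public static void main(String[] args) throws Exception {
        // The default context is what a client gets when it passes no explicit
        // trust or key material, which is the situation the question describes.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Prints null on JDKs that predate this security property.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String suite : REQUESTED) {
            System.out.println(suite + ": " + classify(ctx, suite));
        }
    }
}
```

Run it with the same JDK that runs the JDBC client. Depending on the JDK version, anonymous, DES and RC4 suites may be enabled, supported but switched off by default, or excluded through `jdk.tls.disabledAlgorithms`; the printed state tells you which applies. This only covers the JSSE side, not how the driver itself handles `oracle.net.ssl_cipher_suites` or why it insists on initialising a trust store.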

0 Answers:

No answers