在我的XPage应用程序中,当我尝试打开到仅允许TLSv1和更新版本(没有SSLv3)的另一台服务器的HTTPS连接时,会引发以下异常:
javax.net.ssl.SSLHandshakeException: No appropriate protocol
设置javax.net.debug=ssl:handshake
提供了以下附加信息:
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.hd
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.pc
IBMJSSE2 will ignore com.ibm.jsse2.overrideDefaultProtocol since was set to a non recognized value TLSv1
Installed Providers = IBMJSSE2, IBMJCE, IBMJGSSProvider, IBMCertPath, IBMSASL, IBMXMLCRYPTO, IBMXMLEnc, Policy, IBMSPNEGO
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
Ignoring disabled cipher suite: SSL_RENEGO_PROTECTION_REQUEST for TLSv1
No available cipher suite for TLSv1
Thread-8, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
Thread-8, SEND TLSv1 ALERT: fatal,
description = handshake_failure
主要问题似乎是" TLSv1没有可用的密码套件"。
从SSL服务器套接字工厂(getDefaultCipherSuites()
)获取默认和受支持的密码套件(getSupportedCipherSuites()
/ SSLServerSocketFactory.getDefault()
)表明Domino JVM中只有SSL密码套件可用,但是没有TLS。
用于建立HTTPS连接的代码在具有TLS密码套件的非Domino JVM中正常工作。
有人能告诉我如何在Domino JVM中提供TLS密码套件吗? 或者,如果存在不同的问题并且我误解了调试信息,通常会帮助我吗?
其他信息:
Domino版本:9.0.1 FP7
Java运行时版本:pwa6460sr16fp30-20160726_01(SR16 FP30)
JVM版本:JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr16fp30-20160725_312906(已启用JIT,已启用AOT)J9VM - 20160725_312906 JIT - r9_20160725_121766 GC - GA24_Java6_SR16_20160725_1417_B312906
Domino JVM中已安装无限制的JCE策略文件。
答案 0 :(得分:2)
问题似乎与how some Java SDKs limit the available cipher suites有关。例如,Dropbox Java SDK使用密码套件名称的硬编码列表,所有密码都以" TLS _ "开头。但是,在Domino JVM中,所有密码套件名称都以" SSL _ "开头。因此,所有密码套件在创建的SSL套接字中都会被禁用,因为它们的名称都不匹配。