美好的一天,
在我的UAT环境中,在我的WAS控制台设置中,我将协议配置为SSL_TLSv2。
SSL_TLSv2启用所有SSL v3.0和TLS v1.0,v1.1和v1.2协议。接受封装在SSLv2格式hello中的SSLv3或TLSv1 hello。正如我所称的第三方正在使用TLSv1.1及更高版本。
但是,我不确定为什么我的应用程序继续使用TLSv1来呼叫此第三方。但是,在我的本地,我的应用程序将使用TLS1.2。
日志很长,我只是在这里复制部分内容:
[5/31/17 11:01:30:295 ICT] 000000ca SystemOut O Using SSLEngineImpl.
[5/31/17 11:01:30:295 ICT] 000000ca SystemOut O
Is initial handshake: true
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O WebContainer : 8, READ: TLSv1 Handshake, length = 206
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O *** ClientHello, TLSv1.2
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O RandomCookie: GMT: 831831437 bytes = { 93, 8, 167, 93, 70, 165, 107, 130, 22, 192, 168, 237, 31, 40, 47, 53, 32, 239, 89, 60, 125, 9, 14, 94, 61, 235, 71, 41 }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Session ID: {89, 46, 54, 117, 144, 143, 67, 159, 175, 15, 159, 221, 239, 101, 197, 29, 5, 194, 1, 42, 237, 228, 5, 25, 227, 117, 0, 64, 30, 148, 37, 23}
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Cipher Suites: [Unknown 0x3a:0x3a, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Compression Methods: { 0 }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_47802, data:
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_23, data:
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_35, data:
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension status_request, data: 01:00:00:00:00
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_18, data:
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_30032, data:
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Extension ec_point_formats, formats: [uncompressed]
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, secp256r1, secp384r1}
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O Unsupported extension type_35466, data: 00
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O ***
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O [read] MD5 and SHA1 hashes: len = 206
...
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O %% Resuming [Session-31, SSL_RSA_WITH_AES_128_GCM_SHA256]
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O JsseJCE: Using MessageDigest SHA-256 from provider IBMJCE version 1.2
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O *** ServerHello, TLSv1.2
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O RandomCookie: GMT: 1496203290 bytes = { 165, 172, 157, 204, 255, 125, 192, 235, 102, 241, 157, 82, 77, 251, 31, 138, 77, 225, 201, 196, 50, 133, 137, 206, 255, 217, 204, 160 }
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Session ID: {89, 46, 54, 117, 144, 143, 67, 159, 175, 15, 159, 221, 239, 101, 197, 29, 5, 194, 1, 42, 237, 228, 5, 25, 227, 117, 0, 64, 30, 148, 37, 23}
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Cipher Suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Compression Method: 0
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O ***
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O JsseJCE: Using KeyGenerator IbmTls12KeyMaterial from provider TBD via init
[5/31/17 11:01:30:297 ICT] 000000ca SystemOut O CONNECTION KEYGEN:
[5/31/17 11:01:30:298 ICT] 000000ca SystemOut O Client Nonce:
...
但在我的本地,知道使用TLSv1.2非常聪明。
请使用TLSv1.2建议如何制作应用程序。
错误日志如下:
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Sending request: CONNECT api3.infobip.com:443 HTTP/1.1
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "CONNECT api3.infobip.com:443 HTTP/1.1[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "Host: api3.infobip.com[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "Proxy-Connection: Keep-Alive[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "User-Agent: Apache-HttpClient/4.0.1 (java 1.5)[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - >> "[EOL]"
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> CONNECT api3.infobip.com:443 HTTP/1.1
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> Host: api3.infobip.com
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> Proxy-Connection: Keep-Alive
2017-05-31 11:01:30.421 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - >> User-Agent: Apache-HttpClient/4.0.1 (java 1.5)
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "HTTP/1.0 200 Connection Established[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "Proxy-agent: IBM_HTTP_Server[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.wire - [5001032maker] - << "[EOL]"
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Receiving response: HTTP/1.0 200 Connection Established
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - << HTTP/1.0 200 Connection Established
2017-05-31 11:01:30.778 [WebContainer : 8] DEBUG org.apache.http.headers - [5001032maker] - << Proxy-agent: IBM_HTTP_Server
2017-05-31 11:01:30.779 [WebContainer : 8] DEBUG o.a.h.impl.client.DefaultHttpClient - [5001032maker] - Tunnel to target created.
2017-05-31 11:01:31.134 [WebContainer : 8] DEBUG o.a.h.i.conn.DefaultClientConnection - [5001032maker] - Connection shut down
2017-05-31 11:01:31.134 [WebContainer : 8] DEBUG o.a.h.i.conn.SingleClientConnManager - [5001032maker] - Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@33b3d257
2017-05-31 11:01:31.144 [WebContainer : 8] ERROR o.a.c.processor.DeadLetterChannel - [5001032maker] - Failed delivery for exchangeId: ID-uatgibapp01.hlbho.hlbank.my/56300-1496200314511/0-9. On delivery attempt: 0 caught: retrofit.RetrofitError: peer not authenticated
retrofit.RetrofitError: peer not authenticated
at retrofit.RetrofitError.networkError(RetrofitError.java:27) ~[retrofit-1.9.0.jar:na]
at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:395) ~[retrofit-1.9.0.jar:na]
at retrofit.RestAdapter$RestHandler.invoke(RestAdapter.java:240) ~[retrofit-1.9.0.jar:na]
at infobip.api.client.$Proxy328.execute(Unknown Source) ~[na:na]
at infobip.api.client.SendSingleTextualSms.execute(SendSingleTextualSms.java:49) ~[infobip-api-java-client-1.1.0.jar:na]
at com.cv.ibs.infobip.notification.camel.InfoBipWebServiceProcessor.process(InfoBipWebServiceProcessor.java:43) ~[com.cv.ibs.cib.ws.jar:na]
at org.apache.camel.impl.converter.AsyncProcessorTypeConverter$ProcessorToAsyncProcessorBridge.process(AsyncProcessorTypeConverter.java:43) ~[camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.DeadLetterChannel.process(DeadLetterChannel.java:172) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.DeadLetterChannel.process(DeadLetterChannel.java:93) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.Pipeline.process(Pipeline.java:115) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.Pipeline.process(Pipeline.java:89) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.UnitOfWorkProcessor.process(UnitOfWorkProcessor.java:47) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:41) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:66) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:47) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.impl.ProducerCache.sendExchange(ProducerCache.java:151) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.impl.ProducerCache.send(ProducerCache.java:136) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:93) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:75) [camel-core-1.5.0.jar:1.5.0]
at org.apache.camel.impl.DefaultProducerTemplate.request(DefaultProducerTemplate.java:172) [camel-core-1.5.0.jar:1.5.0]
...
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.ibm.jsse2.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:17) ~[na:6.0 build_20140221]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:167) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:275) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:138) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:704) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:421) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554) ~[com.ibm.ws.prereq.jaxrs.jar:na]
at retrofit.client.ApacheClient.execute(ApacheClient.java:71) ~[retrofit-1.9.0.jar:na]
at retrofit.client.ApacheClient.execute(ApacheClient.java:65) ~[retrofit-1.9.0.jar:na]
at com.cv.ibs.infobip.notification.camel.ApacheHttpClient.execute(ApacheHttpClient.java:45) ~[com.cv.ibs.cib.ws.jar:na]
at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[retrofit-1.9.0.jar:na]
... 173 common frames omitted
答案 0 :(得分:1)
[5/31/17 11:01:30:296 ICT] 000000ca SystemOut O WebContainer : 8, READ: TLSv1 Handshake, length = 206 [5/31/17 11:01:30:296 ICT] 000000ca SystemOut O *** ClientHello, TLSv1.2 ... [5/31/17 11:01:30:297 ICT] 000000ca SystemOut O *** ServerHello, TLSv1.2 [5/31/17 11:01:30:297 ICT] 000000ca SystemOut O Cipher Suite: SSL_RSA_WITH_AES_128_GCM_SHA256
您显示的调试输出清楚地表明客户端和服务器都使用TLS 1.2,即ClientHello的版本是TLS 1.2,也是ServerHello的版本,共享密码也是仅在TLS 1.2之后可用的密码。您可能想知道TLS 1.2 ClientHello被包装到TLS 1.0记录中,但这很正常。