我在使用TLS1.2连接到SQL Server 2012时遇到问题。以下是NMap的代码,网络跟踪和输出。从trace和Nmap输出我认为看起来有一个密码问题,但我不确定。跟踪告诉我握手从TLS 1.2开始,然后连接关闭,不知道为什么。如果是密码问题,握手如何确定使用哪个密码以及可能的密码存储在哪里?
使用:IBM Java 6,SQL Server 2012,sqljdbc4.jar
由于
public static void doConnect2()
{
try
{
System.setProperty("javax.net.debug", "all");
System.setProperty("javax.net.debug","ssl:handshake:verbose");
System.setProperty("com.ibm.jsse2.overrideDefaultTLS","true");
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver").newInstance();
Connection conn = DriverManager.getConnection(
"jdbc:sqlserver://MIMV-DBTE02;databaseName=CMS",
"userid",
"password");
}
catch(Exception e)
{
System.out.println(e.getMessage());
}
}
Network Trace:
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
IBMJSSEProvider2 Build-Level: -20171020
IBMJSSE2 will set SSLContext per com.ibm.jsse2.overrideDefaultTLS set to true
Installed Providers =
IBMPKCS11Impl
IBMJCE
IBMJSSE2
IBMJGSSProvider
IBMCertPath
IBMCMSProvider
IBMSPNEGO
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
Policy
keyStore is: C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts
keyStore type is: jks
keyStore provider is:
init keystore
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.id
SSLContextImpl: Using X509TrustManager com.microsoft.sqlserver.jdbc.TDSChannel$PermissiveX509TrustManager
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1505038140 bytes = { 3, 147, 184, 179, 43, 30, 167, 241, 216, 122, 188, 126, 82, 179, 249, 106, 59, 94, 84, 130, 211, 236, 170, 210, 180, 91, 234, 57 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 101
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket(selfInitiated)
main, waiting for close_notify or alert: state 5
main, received EOFException: ignored
main, called closeInternal(false)
main, close invoked again; state = 5
main, handling exception: java.io.IOException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:8d6d75fb-67d7-4114-9f62-cd6886be0557
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
Mar 23, 2018 10:29:17 AM com.microsoft.sqlserver.jdbc.TDSChannel enableSSL
INFO: java.security path: C:\IBM\WebSphere85\AppServer\java\jre\lib\security
Security providers: [IBMPKCS11Impl version 1.6, IBMJCE version 1.2, IBMJSSE2 version 1.6, IBMJGSSProvider version 1.6, IBMCertPath version 1.1, IBMCMSProvider version 59.0, IBMSPNEGO version 1.0, IBMSASL version 1.5, IBMXMLCRYPTO version 1.0, IBMXMLEnc version 1.0, Policy version 1.0]
SSLContext provider info: IBM JSSE provider2 (implements IbmX509 key/trust factories, SSLv3, TLSv1)
SSLContext provider services:
[Provider IBMJSSE2 Service SSLContext.SSL com.ibm.jsse2.uc
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.SSL_TLSv2 com.ibm.jsse2.wc
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1 com.ibm.jsse2.zc
Aliases []
Attributes {}, Provider IBMJSSE2 Service KeyManagerFactory.NewIbmX509 com.ibm.jsse2.rc$b_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.SSL_TLS com.ibm.jsse2.vc
Aliases []
Attributes {}, Provider IBMJSSE2 Service TrustManagerFactory.IbmX509 com.ibm.jsse2.fd$b_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1.1 com.ibm.jsse2.ad
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLS com.ibm.jsse2.yc
Aliases []
Attributes {}, Provider IBMJSSE2 Service KeyManagerFactory.IbmX509 com.ibm.jsse2.rc$a_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1.2 com.ibm.jsse2.bd
Aliases []
Attributes {}, Provider IBMJSSE2 Service TrustManagerFactory.PKIX com.ibm.jsse2.fd$a_
Aliases [IbmPKIX, X509, X.509]
Attributes {}, Provider IBMJSSE2 Service SSLContext.Default com.ibm.jsse2.tc
Aliases []
Attributes {}]
java.ext.dirs: C:\IBM\WebSphere85\AppServer\java\jre\lib\ext
NMap:
1433/tcp open ms-sql-s
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A