How to upgrade TLS 1.0 to TLS 1.2 on a WSO2 product

Time: 2019-08-05 13:08:28

Tags: java ssl wso2 tls1.2 wso2bps

We are trying to upgrade from TLS 1.0 to TLS 1.2 in WSO2 BPS. We followed the procedure below from this link (Reference Link From WSO2) to upgrade to the latest TLS version, and our Java application is running on JDK 1.8.

  1. Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

  2. Removed the sslProtocol="TLS" attribute and replaced it with sslEnabledProtocols="TLSv1.2", as shown below.

> <Connector SSLEnabled="true"  port="9443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
> secure="true" server="WSO2 Carbon Server"
> sslEnabledProtocols="TLSv1.2"
> svns:secretAlias="Server.Service.Connector.keystorePass"/>
  3. Start the server.
  4. To verify that everything is configured correctly, we ran the command java -jar TestSSLServer.jar localhost 9443 and got a TLS configuration response listing only TLSv1.2:
Supported versions: TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     DHE_RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA256
     DHE_RSA_WITH_AES_256_CBC_SHA256
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
  501fc1432d87155dc431382aeb843ed558ad61b1: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected
  5. But when we capture a pcap file and open it in Wireshark, it still shows up as TLSv1.0, as below: PCap File

Update:

We changed jre/lib/security/java.security as @user7294900 described. Once we set that configuration in the java.security file, we ran into the error message below in WSO2 BPMN. But we can now see TLS version 1.2 in the Wireshark capture, via the handshake failure notification. wireshark

WSO2 BPMN:

Caused by: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.office365.com:587
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1398)
at org.apache.commons.mail.Email.send(Email.java:1423)
at org.activiti.engine.impl.bpmn.behavior.MailActivityBehavior.execute(MailActivityBehavior.java:102)
... 192 more
Caused by: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
at javax.mail.Service.connect(Service.java:297)
at javax.mail.Service.connect(Service.java:156)
at javax.mail.Service.connect(Service.java:105)
at javax.mail.Transport.send0(Transport.java:168)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1388)
... 194 more

So, does the TLSv1.2 upgrade require any other configuration?
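A point worth checking before reading a capture: a TLS record carries a version field in its 5-byte record header, and a ClientHello or ServerHello carries a second version field inside the handshake body. RFC 5246 Appendix E.1 explicitly allows a client to put a lower value (such as 0x0301, TLSv1.0) in the record header of its ClientHello than the version it actually offers in the hello, and packet analyzers generally label a record by the header field. The decoder below, an added example that is not part of the original post, pulls both fields out of raw records and reports the version a ServerHello settles on, or the alert that ends a failed handshake. The sample records are constructed in the script (labelled as such), not captured from any WSO2 server.

```python
"""Decode the version fields of TLS records (added example; constructed input)."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def version_name(v):
    return VERSIONS.get(v, "0x%04x" % v)


def decode_record(data):
    """Describe the first TLS record in `data` (bytes as seen on the wire).

    The record header has its own version field; a ClientHello/ServerHello
    carries a second one inside the handshake body. RFC 5246 Appendix E.1
    lets a client send a lower record-header version than its hello offers,
    so the two can legitimately differ in a ClientHello.
    """
    if len(data) < 5:
        raise ValueError("record too short")
    content_type, record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    info = {
        "content_type": CONTENT_TYPES.get(content_type, str(content_type)),
        "record_version": version_name(record_version),
    }
    if content_type == 22:  # handshake
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        hs_body = body[4:4 + hs_len]
        info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, str(hs_type))
        if hs_type in (1, 2):  # both hello messages start with a 2-byte version
            info["hello_version"] = version_name(struct.unpack("!H", hs_body[:2])[0])
    elif content_type == 21:  # alert: level byte + description byte
        info["alert_level"] = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
        info["alert_description"] = ALERTS.get(body[1], str(body[1]))
    return info


def negotiated_version(records):
    """Walk a handshake; return the version the server chose or the fatal alert that ended it."""
    for rec in map(decode_record, records):
        if rec.get("handshake_type") == "ServerHello":
            return rec["hello_version"]
        if rec["content_type"] == "alert" and rec["alert_level"] == "fatal":
            return "failed: " + rec["alert_description"]
    return None


# --- constructed sample records (not captured from a real server) ---
def build_hello(hs_type, record_version, hello_version, cipher_suites):
    random = b"\x11" * 32  # fixed filler; a real hello uses 32 random bytes
    if hs_type == 1:  # ClientHello: version, random, session id, suites, compression
        suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
        body = (struct.pack("!H", hello_version) + random + b"\x00"
                + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    else:  # ServerHello: version, random, session id, chosen suite, compression
        body = (struct.pack("!H", hello_version) + random + b"\x00"
                + struct.pack("!H", cipher_suites[0]) + b"\x00")
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(hs)) + hs


def build_alert(level, description):
    return struct.pack("!BHH", 21, 0x0303, 2) + bytes([level, description])


# ClientHello whose record header says TLSv1.0 while the hello offers TLSv1.2,
# the compatibility pattern RFC 5246 E.1 permits; suites are ECDHE-RSA GCM ids.
CLIENT_HELLO = build_hello(1, 0x0301, 0x0303, [0xC02F, 0xC030])
SERVER_HELLO = build_hello(2, 0x0303, 0x0303, [0xC02F])
FATAL_ALERT = build_alert(2, 40)  # fatal handshake_failure

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO, FATAL_ALERT):
        print(decode_record(rec))
    print("negotiated:", negotiated_version([CLIENT_HELLO, SERVER_HELLO]))
    print("negotiated:", negotiated_version([CLIENT_HELLO, FATAL_ALERT]))
```

To apply this to a real capture, export the TCP payload of the first few records from the analyzer and feed each record's bytes to `decode_record`; the ServerHello's hello version, not the ClientHello's record-header version, is what the connection actually runs.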

2 answers:

Answer 0 (score: 2)

You need to disable TLS below 1.2

Set

    jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.

Also try reducing the ciphers, as @Dimtri suggested

Set only ciphers that are supported by TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Answer 1 (score: 1)

WSO2 opens many random ports. You can try disabling TLSv1 and TLSv1.1 in java.security. Set the following:

    jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file

    <PRODUCT_HOME>/jre/lib/security/java.security.

I tried this for Identity Server. You can try it with BPS.
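Both answers set `jdk.tls.disabledAlgorithms` to the literal value `SSLv2Hello, SSLv3, TLSv1, TLSv1.1`. Two things a practitioner should keep in mind when doing that: the JDK ships that property with a non-empty default that already disables weak ciphers and key sizes (the exact list depends on the JDK update release), so replacing the line wholesale silently drops those restrictions; and the property is JVM-wide, so it governs outbound clients in the same process (the SMTP client in the question) as well as the Carbon HTTPS listener. The script below, an added example that is not code from either answer or from WSO2, merges the two protocol names into the existing list instead of overwriting it, and reports what an overwrite would have dropped. It works on a constructed excerpt written in the style of a JDK 8 `java.security` file, including `java.util.Properties` backslash line continuations; read your own file rather than assuming its contents match.

```python
"""Merge TLSv1/TLSv1.1 into jdk.tls.disabledAlgorithms without dropping existing entries.

Added example (not from the original answers). SAMPLE_JAVA_SECURITY is a
constructed excerpt in the style of a JDK 8 java.security file, not a copy
of any real JDK's file.
"""

PROPERTY = "jdk.tls.disabledAlgorithms"

# Constructed excerpt. Real files differ by JDK update; inspect yours first.
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of jre/lib/security/java.security
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""


def logical_lines(text):
    """Join java.util.Properties continuation lines (a trailing backslash)."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.lstrip() if buf is not None else raw  # continuation lines lose leading blanks
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
            continue
        lines.append((buf or "") + line)
        buf = None
    if buf is not None:
        lines.append(buf)
    return lines


def get_entries(text, name=PROPERTY):
    """Return the comma-separated entries of a property, or [] if it is absent."""
    for line in logical_lines(text):
        if line.startswith(name + "="):
            return [e.strip() for e in line[len(name) + 1:].split(",") if e.strip()]
    return []


def disable_protocols(text, protocols=("TLSv1", "TLSv1.1")):
    """Return the file text with `protocols` appended to jdk.tls.disabledAlgorithms.

    Existing entries (RC4, weak DH sizes, ...) are kept. The property is
    rewritten as one logical line. Applying it twice changes nothing.
    """
    current = get_entries(text)
    merged = current + [p for p in protocols if p not in current]
    new_line = PROPERTY + "=" + ", ".join(merged)
    out, replaced = [], False
    for line in logical_lines(text):
        if line.startswith(PROPERTY + "="):
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:  # property missing entirely: add it at the end
        out.append(new_line)
    return "\n".join(out) + "\n"


def dropped_by_overwrite(text, literal_value):
    """Entries that vanish if the property is replaced outright with `literal_value`."""
    keep = {e.strip() for e in literal_value.split(",") if e.strip()}
    return sorted(e for e in get_entries(text) if e not in keep)


def protocol_disabled(text, protocol):
    return protocol in get_entries(text)


if __name__ == "__main__":
    hardened = disable_protocols(SAMPLE_JAVA_SECURITY)
    print(hardened)
    print("lost by overwriting with the answers' literal value:",
          dropped_by_overwrite(SAMPLE_JAVA_SECURITY, "SSLv2Hello, SSLv3, TLSv1, TLSv1.1"))
```

Run it against the real file with `disable_protocols(open(path).read())` and write the result back; the `dropped_by_overwrite` report is the list of restrictions the two answers' literal line would have removed from that particular JDK.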