java - SSL handshake failure on Websphere, 1 of 2 servers

Tags: java web-services ssl websphere

Setup:

  • 2 Websphere servers (8.5 fix pack 13), both (at first glance) configured identically.
  • 1 application (an EAR containing 2 WARs)

Problem:

The SSL handshake fails on 1 of the 2 servers.
I enabled the SSL debug logging and found the following difference between the servers:

Good server:

[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Client write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: 3d 82 67 06 09 d0 a8 93 01 8f 42 93 e3 24 6d c0 ..g.......B...m. 0010: 76 cb 4a 7f b9 a7 3e 61 c7 ac ca 60 08 77 a5 a0 v.J....a.....w..

[12/18/18 8:08:52:466 CET] 0000017d SystemOut O Server write key:
[12/18/18 8:08:52:466 CET] 0000017d SystemOut O 0000: ad d4 83 5c b2 6f e8 ad a5 7e 5d 50 39 04 78 74 .....o.....P9.xt 0010: f7 7f 2d 73 c7 1f aa f0 5c 72 ac ce a5 cc 76 21 ...s.....r....v.

Bad server:

[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Client write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: 2f 67 20 ee 13 d6 22 03 d6 aa bc 78 ca bf a9 0a .g.........x....

[12/18/18 8:08:51:817 CET] 0000013d SystemOut O Server write key:
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O 0000: fc 64 13 e2 98 00 af cc 10 ae 34 80 fb 2c ab 5d .d........4.....

[12/18/18 8:08:51:817 CET] 0000013d SystemOut O ... no IV derived for this protocol
[12/18/18 8:08:51:817 CET] 0000013d SystemOut O JsseJCE: Using signature SHA512withRSA from provider TBD via init
[12/18/18 8:08:51:818 CET] 0000013d SystemOut O Signatures: Using signature RSA from provider from initSignIBMJCE version 1.8
[12/18/18 8:08:51:821 CET] 0000013d SystemOut O CertificateVerify
[12/18/18 8:08:51:821 CET] 0000013d SystemOut O Signature Algorithm SHA512withRSA
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O JsseJCE: Using KeyGenerator IbmTls12Prf from provider TBD via init
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Handshake, length = 136
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
[12/18/18 8:08:51:822 CET] 0000013d SystemOut O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O Finished
[12/18/18 8:08:51:823 CET] 0000013d SystemOut O verify_data: { 150, 40, 219, 56, 139, 255, 165, 51, 71, 246, 110, 176 }
[12/18/18 8:08:51:824 CET] 0000013d SystemOut O
[12/18/18 8:08:51:824 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Handshake, length = 64
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Change Cipher Spec, length = 1
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:876 CET] 0000013d SystemOut O JsseJCE: Using MAC HmacSHA1 from provider TBD via init
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O MAC: Using MessageDigest HmacSHA1 from provider IBMJCE version 1.8
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Handshake, length = 64
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O Finished
[12/18/18 8:08:51:877 CET] 0000013d SystemOut O verify_data: { 217, 179, 178, 151, 190, 135, 169, 219, 85, 206, 55, 194 }
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O JsseJCE: Using KeyGenerator IbmTls12Prf from provider TBD via init
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O HandshakeMessage: TLS Keygenerator IbmTlsPrf from provider from init IBMJCE version 1.8
[12/18/18 8:08:51:878 CET] 0000013d SystemOut O %% Cached client session: [Session-129, SSL_RSA_WITH_AES_128_CBC_SHA]
[12/18/18 8:08:51:895 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Application Data, length = 336
[12/18/18 8:08:51:895 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Application Data, length = 5984
[12/18/18 8:08:52:053 CET] 0000013d SystemOut O WebContainer : 0, READ: TLSv1.2 Application Data, length = 1008
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called close()
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called closeInternal(true)
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, SEND TLSv1.2 ALERT: warning, description = close_notify
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, WRITE: TLSv1.2 Alert, length = 48
[12/18/18 8:08:52:054 CET] 0000013d SystemOut O WebContainer : 0, called closeSocket(true)
[12/18/18 8:08:52:603 CET] 0000013d SystemOut O SSLv3 protocol was requested but was not enabled
[12/18/18 8:08:52:604 CET] 0000013d SystemOut O

As I marked in the good server's log, I see the 0010 section of the write key for both client and server, while on the bad server it is missing.
I assume that because it is missing, the SSL handshake fails and the call fails as a result.

We use a lot of web services and only have problems with 2 endpoints; the other endpoints work fine on both servers.

If anyone can point me in the direction of where to search, I would be grateful.

Edit:

  • Tried adding -Dcom.ibm.jsse2.overrideDefaultTLS=true as a startup parameter, but it did not help.

Best answer

It seems the security configuration on the bad server is the standard one rather than the more secure US version:

  • JDK/jre/lib/security/local_policy.jar
  • JDK/jre/lib/security/US_export_policy.jar

You can find more instructions in this Dzone article.
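An added example (not part of the original answer) for checking the diagnosis above on each server: it reports the AES key length the installed JCE jurisdiction policy allows and which AES-256 TLS suites the default SSLContext will offer. On a JVM still using the standard policy files, AES is capped at 128 bits, which matches the 16-byte write keys and the SSL_RSA_WITH_AES_128_CBC_SHA session seen in the bad server's log. The class name and output format are my own; the jar names come from the answer.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Reports whether this JVM's JCE jurisdiction policy caps AES at 128 bits
 * and, as a consequence, whether the default SSLContext offers any AES_256
 * cipher suites. Run it with the same JDK the application server uses.
 */
public class JcePolicyCheck {

    /** Maximum AES key length the installed policy permits, in bits. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True when the unlimited-strength policy is active (the limit then reports as Integer.MAX_VALUE). */
    static boolean unlimitedPolicy() throws NoSuchAlgorithmException {
        return maxAesKeyBits() >= 256;
    }

    /** Default enabled TLS cipher suites that use AES-256. */
    static String[] aes256Suites() throws NoSuchAlgorithmException {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        return Arrays.stream(enabled).filter(s -> s.contains("AES_256")).toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home        = " + System.getProperty("java.home"));
        System.out.println("max AES key bits = " + maxAesKeyBits());
        System.out.println("unlimited policy = " + unlimitedPolicy());
        String[] suites = aes256Suites();
        System.out.println("AES_256 suites   = " + suites.length);
        for (String s : suites) System.out.println("  " + s);
        if (!unlimitedPolicy()) {
            // Only 16-byte (AES-128) write keys can be derived under this policy, as in the bad server's log.
            System.out.println("Restricted policy: install the unlimited-strength "
                + "local_policy.jar and US_export_policy.jar under JDK/jre/lib/security.");
        }
    }
}
```

Compare the output of both servers side by side; a difference in the reported AES limit explains why one of them cannot complete the handshake when the endpoint insists on an AES-256 suite.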

Regarding java - SSL handshake failure on Websphere, 1 of 2 servers, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53828388/
