我有一個使用LDAP來驗證和授權用戶的Java web應用程序(點燃實時xmpp服務器)。DHPublicKey不符合算法約束
最近,LDAP服務器將其密碼套件升級爲更安全的密碼。在我降級/jre/lib/security/java.security文件中允許的最小keySize之前,我無法讓我的應用程序與此LDAP服務器通信。
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024
我加了JCE 8在應用程序使用的JRE來更新密碼,新密碼出現了(我用this program和之前相比並後)
我能在webapp的管理控制檯的密碼 - 具體做法是:
> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
我用this program看到LDAP服務器用什麼密碼:
結果如下:
Testing server - upgraded endpoint
Given this client's capabilities ([SSLv3, TLSv1, TLSv1.1, TLSv1.2]), the server prefers protocol=TLSv1.2, cipher=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Testing server - non-upgraded endpoint
Given this client's capabilities ([SSLv3, TLSv1, TLSv1.1, TLSv1.2]), the server prefers protocol=TLSv1.2, cipher=TLS_RSA_WITH_AES_128_CBC_SHA
,該應用可能跟老LDAP(在集羣中的未升級端點)具有以下java.security設置:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048
當終點是升級後(它被放在F5負載均衡器後面),我無法讓應用連接,直到降級最低keySize。 LDAP的證書鏈(新舊終端)沒有改變。
openssl s_client -connect newLDAP:636
顯示了2048公鑰,因爲它的oldLDAP,唯一不同的是更強的密碼 - 也許TLS版本1比1.2取決於我試圖從OpenSSL的的s_client.First機器上的OpenSSL的版本。
該應用程序的xmpp網絡應用程序:5223和管理控制檯:9091也使用SSL,並且每個這些也都有2048位公鑰。
在應用程序的日誌文件中的錯誤是:
"DHPublicKey does not comply to algorithm constraints"
上面我所提到的約束相信引用jdk.tls.disabledAlgorithms java.security文件屬性。
我很困惑,爲什麼顯然更安全的密碼現在需要一個較小的最小keySize爲應用程序和LDAP連接工作。
我必須錯過某些東西或做錯事。
下面是從應用程序的日誌一些堆棧跟蹤:
2017.07.25 18:54:32 WARN [Jetty-QTP-AdminConsole-98]: org.jivesoftware.admin.LoginLimitManager - Failed admin console login attempt by <myuserid> from <myIP>
2017.07.25 18:54:33 INFO [Server SR - 881162561]: org.jivesoftware.openfire.net.SocketReadingMode - STARTTLS negotiation (with: [email protected] socket: Socket[addr=/78.46.93.108,port=57984,localport=5269] session: [email protected]3cab status: 1 address: <xyz>.com/5c3gn5yu6p id: 5c3gn5yu6p) failed.
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:241)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:178)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 95)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode. java:87)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMod e.java:138)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java: 76)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:145)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
at sun.security.ssl.ServerHandshaker.clientKeyExchange(ServerHandshaker.java:1599)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:269)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:34 4)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:254)
... 7 more
2017.07.25 18:54:36 INFO [Server SR - 1692736043]: org.jivesoftware.openfire.net.SocketReadingMode - STARTTLS negotiation (with: [email protected] socket: Socket[addr=/136.243.42.223,port=47704,localport=5269] session: org.jivesoftware.openfire.sessi[email protected] status: 1 address: <xyz>.com/5rljrbkums id: 5rljrbkums) failed.
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:241)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:178)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 95)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode. java:87)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMod e.java:138)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java: 76)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:145)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
at sun.security.ssl.ServerHandshaker.clientKeyExchange(ServerHandshaker.java:1599)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:269)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:34 4)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:254)
... 7 more
2017.07.25 19:03:00 ERROR [Jetty-QTP-AdminConsole-56]: org.jivesoftware.openfire.ldap.LdapAuthProvider - Error connecting to LDAP server
javax.naming.CommunicationException: <myLDAP>:636 [Root exception is javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.ja va:64)
at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:115)
at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:132)
at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:329)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1606)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.jivesoftware.util.JiveInitialLdapContext.<init>(JiveInitialLdapContext.java :43)
at org.jivesoftware.openfire.ldap.LdapManager.getContext(LdapManager.java:568)
at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:975)
at org.jivesoftware.openfire.ldap.LdapManager.findUserDN(LdapManager.java:928)
at org.jivesoftware.openfire.ldap.LdapAuthProvider.authenticate(LdapAuthProvider.j ava:126)
at org.jivesoftware.openfire.auth.AuthFactory.authenticate(AuthFactory.java:217)
at org.jivesoftware.openfire.admin.login_jsp._jspService(login_jsp.java:175)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1669)
at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:39)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1652)
at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1652)
at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingF ilter.java:53)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1652)
at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1652)
at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.ja va:1652)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:22 3)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:11 27)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:106 1)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandler Collection.java:215)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.jav a:110)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
at sun.security.ssl.DHCrypt.checkConstraints(DHCrypt.java:237)
at sun.security.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:712)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:268)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:376)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
... 56 more
感謝任何見解, SM
我不確定你在問什麼。服務器顯然是在使用2048位之前使用1024位DH組。抱怨服務器管理員。 –
如何驗證服務器(我假定您的意思是LDAP)正在使用1024位組?我提到用openssl s_client和Java SSLTest程序連接到LDAP服務器。 Openssl顯示公鑰是2048位,SSLTest程序顯示TLS版本和密碼。 –
帶有DHE密碼套件的「公鑰」有兩個公鑰,通常是RSA的長期身份驗證公鑰和每個連接都會改變的DH公鑰。我總是使用ssllabs.com上的服務器測試工具來獲得服務器SSL功能的良好配置。 –