5
在我的XPages應用程序下面的異常升高,當我嘗試打開一個HTTPS連接到另一臺服務器只允許使用TLSv1和更新(無的SSLv3):出現SSLHandshakeException由於多米諾失蹤TLS密碼JVM
javax.net.ssl.SSLHandshakeException: No appropriate protocol
設置javax.net.debug=ssl:handshake提供此附加信息:
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.hd
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.pc
IBMJSSE2 will ignore com.ibm.jsse2.overrideDefaultProtocol since was set to a non recognized value TLSv1
Installed Providers = IBMJSSE2, IBMJCE, IBMJGSSProvider, IBMCertPath, IBMSASL, IBMXMLCRYPTO, IBMXMLEnc, Policy, IBMSPNEGO
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE: Using signature SHA1withECDSA from provider TBD via init
JsseJCE: Using signature NONEwithECDSA from provider TBD via init
JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJce: EC is available
Ignoring disabled cipher suite: SSL_RENEGO_PROTECTION_REQUEST for TLSv1
No available cipher suite for TLSv1
Thread-8, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
Thread-8, SEND TLSv1 ALERT: fatal,
description = handshake_failure
的主要問題似乎是「沒有可用的加密套件的TLSv1」。
充分利用SSL服務器套接字工廠(SSLServerSocketFactory.getDefault())的默認和支持的加密套件(getDefaultCipherSuites()/getSupportedCipherSuites())顯示,只有SSL密碼套件在Domino JVM是可用的,但沒有爲TLS。
我用來建立HTTPS連接的代碼在使用TLS密碼套件的非Domino JVM中正常工作。
任何人都可以告訴我如何在Domino JVM中提供TLS密碼套件嗎? 還是一般來說,如果有不同的問題,我誤解了調試信息幫助我?
信息:
的Domino版本:9.0.1 FP7
Java運行時版本:pwa6460sr16fp30-20160726_01(SR16 FP30)
JVM版本 :JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr16f p30-20160725_312906(啓用JIT,AOT啓用)J9VM - 20160725_312906 JIT - r9_20160725_121766 GC - GA24_Java6_SR16_20160725_1417_B312906
受限JCE策略文件已經安裝在Domino JVM。
TLSv1是一個協議,而不是密碼套件。 – EJP
@EJP:我知道,但是對於不同的協議有不同的密碼套件。在我的情況下,沒有密碼套件可用於TLSv1。 –
在Domino JVM版本爲1.6的情況下,我認爲在您需要的TLS版本的JVM版本中沒有可用的支持。 IBM已承諾升級JVM--最新的交付承諾是2017年第一季度。同時,我認爲解決方法是您能做到的最好的解決方案。看看這些文章,如果你還沒有:https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2和http://www-01.ibm.com/ support/docview.wss?uid = swg21985289 – jpishko