gpt4 book ai didi

java - 如何在 wso2product 上将 TLS 1.0 升级到 TLS 1.2

转载 作者:塔克拉玛干 更新时间:2023-11-02 08:30:34 24 4
gpt4 key购买 nike

我们正在尝试将 WSO2 BPS 中的 TLS 1.0 升级到 TLS 1.2 版本。使用此链接升级 TLS 最新版本的过程如下 Reference Link From WSO2我们的 JAVA 应用程序在 JDK 1.8 中运行。

  1. 打开 <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml文件。

  2. 删除了 sslProtocol="TLS"属性并将其替换为sslEnabledProtocols="TLSv1.2"如下所示。

> <Connector SSLEnabled="true"  port="9443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
> secure="true" server="WSO2 Carbon Server"
> sslEnabledProtocols="TLSv1.2"
> svns:secretAlias="Server.Service.Connector.keystorePass"/>
  1. 启动服务器。
  2. 为了验证配置是否全部设置正确,我们执行以下命令,java -jar TestSSLServer.jar localhost 9443并将 TLS 配置响应仅作为 TLSv1.2,
Supported versions: TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.2
DHE_RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA256
DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
501fc1432d87155dc431382aeb843ed558ad61b1: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected
  1. 但是,当我们捕获 pcap 文件并在 Wireshark 中显示为 TLSv1.0 时,仍然如下所示: PCap File

更新:

我们改变了 jre/lib/security/java.security 根据 @user7294900操作说明。当我们在那个 java.security 文件中设置配置时,我们在 wso2BPMN 中遇到这个错误消息。但是我们可以通过握手失败通知在 Wireshark 捕获中查看 TLS 版本 1.2。 wireshack

Wso2BPMN,

Caused by: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.office365.com:587
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1398)
at org.apache.commons.mail.Email.send(Email.java:1423)
at org.activiti.engine.impl.bpmn.behavior.MailActivityBehavior.execute(MailActivityBehavior.java:102)
... 192 more
Caused by: javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
at javax.mail.Service.connect(Service.java:297)
at javax.mail.Service.connect(Service.java:156)
at javax.mail.Service.connect(Service.java:105)
at javax.mail.Transport.send0(Transport.java:168)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1388)
... 194 more

那么,TLSv1.2版本升级需要什么配置吗?

最佳答案

您需要disable TLS below 1.2

set the

 jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.

同时尝试将密码减少为 @Dimtri suggested

set ciphers that are supported only by TLSv1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

关于java - 如何在 wso2product 上将 TLS 1.0 升级到 TLS 1.2,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57359283/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com