Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

由于Domino JVM中缺少TLS密码套件,导致java SSLHandshakeException

1 年,4 月 Questions & Answers

在我的XPages应用程序中,当我尝试打开到另一台服务器的HTTPS连接时,会引发以下异常,该服务器仅允许TLSv1和更新版本(无SSLv3):

javax.net.ssl.SSLHandshakeException: No appropriate protocol

设置javax.net.debug=ssl:handshake提供了以下附加信息:

SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.hd
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.pc
IBMJSSE2 will ignore com.ibm.jsse2.overrideDefaultProtocol since was set to a non recognized value TLSv1
Installed Providers = IBMJSSE2, IBMJCE, IBMJGSSProvider, IBMCertPath, IBMSASL, IBMXMLCRYPTO, IBMXMLEnc, Policy, IBMSPNEGO
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.2
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init 
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init 
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.2
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init 
JsseJce:  EC is available
Ignoring disabled cipher suite: SSL_RENEGO_PROTECTION_REQUEST for TLSv1
No available cipher suite for TLSv1
Thread-8, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
Thread-8, SEND TLSv1 ALERT: fatal, 
description = handshake_failure

主要问题似乎是“没有适用于TLSv1的密码套件”

从SSL服务器socket工厂(SSLServerSocketFactory.getDefault())获取默认和受支持的密码套件(getDefaultCipherSuites()/getSupportedCipherSuites())表明,Domino JVM中只有SSL密码套件可用,而TLS没有

我用来建立HTTPS连接的代码在带有TLS密码套件的非Domino JVM中运行良好

有人能告诉我如何在Domino JVM中提供TLS密码套件吗 或者,如果存在其他问题,并且我误解了调试信息,请帮助我

其他信息

Domino版本:9.0.1 FP7

Java运行时版本:pwa6460sr16fp30-20160726_01(SR16 FP30)

JVM版本:JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr16fp30-20160725_312906(启用JIT,启用AOT)J9VM-20160725_312906 JIT-r9_20160725_121766 GC-GA24_Java6_SR16_20160725_1417_B312906

在Domino JVM中安装了无限制的JCE策略文件


共 (1) 个答案

  1. # 1 楼答案

    这个问题似乎与how some Java SDKs limit the available cipher suites有关。例如,Dropbox Java SDK使用一个硬编码的密码套件名称列表,所有名称都以“TLS_uz开头”。但是,在dominojvm中,所有密码套件名称都以“SSL\uuuz”开头。因此,在创建的SSL套接字中,所有密码套件都将被禁用,因为它们的名称都不匹配