
javax.net.ssl.SSLHandshakeException when using two web services with TLSv1.0 and TLSv1.2


Question

We have a Java 8 application running on JBoss EAP 6.4 with two web services:

  • Service A: The first one is used to get the user authorization inside the application. Only TLSv1.0 is supported.
  • Service B: The second one sends data to a remote server and TLSv1.2 is mandatory.

If we bypass service A using a mock service then everything works fine. Whenever service A is fully active, we get a javax.net.ssl.SSLHandshakeException when invoking service B (TLSv1.2), and both services are completely unrelated:

    13:52:45,583 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) %% No cached client session
    13:52:45,586 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) *** ClientHello, TLSv1
    13:52:45,671 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) RandomCookie:  GMT: 1596389773 bytes = { 51, 254, 72, 33, 215, 73, 245, 224, 39, 70, 115, 215, 105, 88, 13, 193, 129, 242, 239, 64, 64, 80, 10, 84, 111, 21, 55, 170 }
    13:52:45,675 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Session ID:  {}
    13:52:45,677 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
    13:52:45,683 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Compression Methods:  { 0 }
    13:52:45,686 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
    13:52:45,688 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Extension ec_point_formats, formats: [uncompressed]
    13:52:45,691 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Extension server_name, server_name: [type=host_name (0), value=webpubpyf.igae.hacienda.gob.es]
    13:52:45,692 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) Extension renegotiation_info, renegotiated_connection: <empty>
    13:52:45,694 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) ***
    13:52:45,696 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, WRITE: TLSv1 Handshake, length = 179
    13:52:45,717 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, READ: TLSv1 Alert, length = 2
    13:52:45,724 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
    13:52:45,726 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, called closeSocket()
    13:52:45,729 INFO  [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

It seems the communication is not using TLSv1.2 because of the use of service A (as if the protocol version got stuck), although we have explicitly specified it in the cxf-config.xml:

    <http:conduit id="mockConduit"
        name="{http://mockURL}mockPort.http-conduit">
        <http:authorization>
            <sec:UserName>user</sec:UserName>
            <sec:Password />
        </http:authorization>
        <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="TLSv1.2">
            <sec:trustManagers>
                <sec:keyStore type="JKS"
                    password="xxxx"
                    file="${truststore.file}" provider="SUN" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:include>.*_DH_anon_.*</sec:include>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <http:client AutoRedirect="true" Connection="Keep-Alive"
            ReceiveTimeout="${timeout.reception}" ConnectionTimeout="${timeout.conection}"/>
    </http:conduit>

Thank you for your help.
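The question has no answer on this page. One way two unrelated clients in one JVM can end up with the same protocol ceiling is process-wide JSSE state, which this added example (mine, not code from the question or from CXF) illustrates offline with plain javax.net.ssl: a hypothetical service-A client that installs a TLSv1.0 SSLContext as the JVM default, the check showing that service B then cannot offer TLSv1.2, and a private per-client context as the fix. The class and method names are assumptions.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SharedTlsContextDemo {
    /** An SSLContext for one protocol family, backed by the JDK default key and trust managers. */
    static SSLContext context(String protocol) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);
        return ctx;
    }

    /** Protocols a factory will put in its ClientHello; an unconnected socket is enough, no network. */
    static List<String> enabledProtocols(SSLSocketFactory factory) throws IOException {
        try (SSLSocket s = (SSLSocket) factory.createSocket()) {
            return Arrays.asList(s.getEnabledProtocols());
        }
    }

    /** Keeps only suites outside the NULL / anonymous / export / DES / RC4 / MD5 families. */
    static List<String> strongSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (!suite.matches(".*(_NULL_|_anon_|_EXPORT|_DES_|_RC4_|_MD5).*")) keep.add(suite);
        }
        return keep;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical service-A client done the harmful way: it installs its TLSv1.0
        // context as the JVM-wide default instead of keeping it to itself.
        SSLContext.setDefault(context("TLSv1"));
        // Service B's client relies on the default factory, which is backed by
        // SSLContext.getDefault(); TLSv1.2 is no longer offered, so a TLSv1.2-only
        // server can only answer with handshake_failure, as in the log above.
        SSLSocketFactory shared = (SSLSocketFactory) SSLSocketFactory.getDefault();
        List<String> offered = enabledProtocols(shared);
        System.out.println("via default factory: " + offered + ", TLSv1.2? " + offered.contains("TLSv1.2"));

        // Fix: every client owns its own context and never touches the JVM default.
        SSLSocketFactory own = context("TLSv1.2").getSocketFactory();
        System.out.println("via private context: " + enabledProtocols(own));
        System.out.println("strong suites to offer: " + strongSuites(own.getSupportedCipherSuites()));
    }
}
```

Whether shared default state is the root cause in the question is not established here, but the unconnected-socket check is the quickest way to see what a factory will offer without a network round trip. Two things visible on the page are also worth a second look: the conduit shown is named for the mock port, and its cipherSuitesFilter admits NULL, anonymous DH, export and single-DES suites, which the logged ClientHello indeed offers.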


Answer list






© 2022 respuesta.top All rights reserved. Question and answer center, all rights reserved.