升级spring Boot 和java 17后的SSL握手问题

j8ag8udp  于 2023-04-21  发布在  Spring
关注(0)|答案(1)|浏览(848)

我的Sping Boot 应用程序在升级到Spring Boot 2.6和Java 17后无法使用旧的SSL证书。调试后,似乎TLS版本或密码套件有问题。我没有这方面的经验。但是,我尝试生成新的自签名SSL证书,它工作正常。
用javax.net.debug调试,得到的消息不清楚。顺便说一下,用Firefox和Chrome是不一样的。下面是Firefox的调试日志:

2022-09-20 15:26:33.448 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3

2022-09-21 09:46:48.214 [WARN]  o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
  javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
    at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)}

)

有人有这方面的经验吗?

guz6ccqo

guz6ccqo1#

JDK 17现在使用TLS 1.3作为默认安全握手,如https://blogs.oracle.com/javamagazine/post/java-jdk-17-generally-available中所述
JDK 17中安全握手的默认值是TLS 1.3。
必须检查证书以了解它是否支持TLS 1.3。根据The Transport Layer Security (TLS) Protocol Version 1.3,TLS 1.3不支持RSA或Diffie-Helman密码套件
静态RSA和Diffie-Hellman密码套件已被删除。
如果它不支持所有要求,则必须向满足这些要求的证书颁发机构(CA)请求颁发新的SSL证书,并在应用程序中使用它。

相关问题