我们使用的是Redisson客户端,它使用netty连接到Redis服务器。有了netty 4.1.42.Final,一切都很顺利。但在升级到netty 4.1.48.Final后,TLSv1 ClientHello被发送,因此无法连接到服务器。尝试通过设置jdk.tls.client.procols系统属性来指定TLSv1.2,但netty似乎没有遵守它。
打开Java跟踪后,在跟踪文件中可以看到以下内容:
对于netty 4.1.48,默认协议只有TLSv1:
jdk.tls.client.protocols is defined as TLSv1.2
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1.2]
IBMJSSE2 will enable CBC protection
12:00:41.624 [redisson-netty-2-9] DEBUG io.netty.handler.ssl.JdkSslContext - Default protocols (JDK): [TLSv1]
对于netty 4.1.42,默认协议包括TLSv1.2:
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
10:18:00.008 [redisson-netty-2-23] DEBUG io.netty.handler.ssl.JdkSslContext - Default protocols (JDK): [TLSv1.2, TLSv1.1, TLSv1]
未设置jdk.tls.client.procols系统属性时的netty 4.1.48跟踪:
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
09:54:19.626 [redisson-netty-2-25] DEBUG io.netty.handler.ssl.JdkSslContext - Default protocols (JDK): [TLSv1]
java版本输出:
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 8.0.5.27 - pwa6480sr5fp27-20190104_01(SR5 FP27))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20181219_405297 (JIT enabled, AOT enabled)
OpenJ9 - 3f2d574
OMR - 109ba5b
IBM - e2996d1)
JCL - 20190104_01 based on Oracle jdk8u191-b26
其他人遇到这个问题或知道如何解决这个问题吗?
谢谢!
将jdk.tls.client.procols系统属性设置为TLSv1.2在netty 4.1.48 中不起作用
我不能100%确定我们的解决方案是否能解决您的问题,但我在您的跟踪日志中看到了IBM。我们在Netty:中也遇到了默认密码设置为TLSv1的问题
io.netty.handler.ssl.JdkSslContext.java:97 - Default protocols (JDK): [TLSv1]
io.netty.handler.ssl.JdkSslContext.java:98 - Default cipher suites (JDK):
[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA]
这是IBMJVM的一个问题。以下代码在AIX下默认显示[TLSv1]。不好。在Redhat和Solaris下,它会吐出[TLSv1, TLSv1.1, TLSv1.2]。
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
String[] supportedProtocols = context.getDefaultSSLParameters().getProtocols();
System.out.println(Arrays.toString(supportedProtocols));
根据这篇IBM文档和其他文档,解决方案是向JVM添加以下属性:
-Dcom.ibm.jsse2.overrideDefaultTLS=true
我真的不喜欢这个答案,但我还没有找到启用TLSv1.2的java.security文件行或其他系统范围的设置。以下是我正在使用的JVM的详细信息:
$ java -version
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 8.0.5.0 - pap6480sr5-20170905_01(SR5))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 20170901_363591
(JIT enabled, AOT enabled)
J9VM - d56eb84
JIT - tr.open_20170901_140853_d56eb84
OMR - b033a01)
JCL - 20170823_01 based on Oracle jdk8u144-b01