2016-07-19 8 views
0

Jetty 9.3.8.v20160314 rejects TLSv1 and TLSv1.1 connections but not TLSv1.2

Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-91-generic x86_64)

java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)

Jetty 9.3.8.v20160314 connector configured as below:

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// server (org.eclipse.jetty.server.Server) and sslKeystore (the keystore path)
// are set up elsewhere; SystemUtils.getEnvOrThrow is a local helper that reads
// an environment variable or throws if it is unset.
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(sslKeystore);
sslContextFactory.setKeyStorePassword(SystemUtils.getEnvOrThrow("SERVER_SSL_PASSWORD"));
sslContextFactory.setKeyManagerPassword(SystemUtils.getEnvOrThrow("SERVER_SSL_KEY_PASSWORD"));
// No setIncludeProtocols/setExcludeCipherSuites calls here, so the factory's
// default protocol and cipher-suite exclusions apply.

HttpConfiguration https_config = new HttpConfiguration();
https_config.setOutputBufferSize(32768);
https_config.addCustomizer(new SecureRequestCustomizer()); // exposes TLS details to requests

ServerConnector https = new ServerConnector(
    server,
    new SslConnectionFactory(sslContextFactory, "http/1.1"),
    new HttpConnectionFactory(https_config));

https.setPort(Integer.valueOf(SystemUtils.getEnvOrThrow("SERVER_SSL_PORT")));
https.setIdleTimeout(60000);

server.setConnectors(new Connector[] { https });

I can establish TLSv1.2 connections:

curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.2 

* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0) 
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 

but when I try TLSv1.0 or TLSv1.1 I get this:

curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.0 

* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0) 
* Server aborted the SSL handshake 

The list of enabled and supported protocols is:

Enabled protocol: SSLv2Hello 
Enabled protocol: TLSv1 
Enabled protocol: TLSv1.1 
Enabled protocol: TLSv1.2 

Supported protocol: SSLv2Hello 
Supported protocol: SSLv3 
Supported protocol: TLSv1 
Supported protocol: TLSv1.1 
Supported protocol: TLSv1.2 

And I don't know where the problem is. I have some clients that cannot use anything other than TLSv1.0.

Update 1 - added sslscan output

Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384 
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384 
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA 
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA 
Failed SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA 
Failed SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA 
Failed SSLv3 256 bits SRP-AES-256-CBC-SHA 
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384 
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384 
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256 
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256 
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA 
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA 
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA 
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA 
Rejected SSLv3 256 bits AECDH-AES256-SHA 
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384 
Failed SSLv3 256 bits ADH-AES256-SHA256 
Rejected SSLv3 256 bits ADH-AES256-SHA 
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA 
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384 
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384 
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384 
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384 
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA 
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA 
Failed SSLv3 256 bits AES256-GCM-SHA384 
Failed SSLv3 256 bits AES256-SHA256 
Rejected SSLv3 256 bits AES256-SHA 
Rejected SSLv3 256 bits CAMELLIA256-SHA 
Failed SSLv3 256 bits PSK-AES256-CBC-SHA 
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA 
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA 
Failed SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA 
Failed SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA 
Failed SSLv3 168 bits SRP-3DES-EDE-CBC-SHA 
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA 
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA 
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA 
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA 
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA 
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA 
Rejected SSLv3 168 bits DES-CBC3-SHA 
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA 
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256 
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256 
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256 
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA 
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA 
Failed SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA 
Failed SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA 
Failed SSLv3 128 bits SRP-AES-128-CBC-SHA 
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256 
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256 
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256 
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256 
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA 
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA 
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA 
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA 
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA 
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA 
Rejected SSLv3 128 bits AECDH-AES128-SHA 
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256 
Failed SSLv3 128 bits ADH-AES128-SHA256 
Rejected SSLv3 128 bits ADH-AES128-SHA 
Rejected SSLv3 128 bits ADH-SEED-SHA 
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA 
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256 
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256 
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256 
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256 
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA 
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA 
Failed SSLv3 128 bits AES128-GCM-SHA256 
Failed SSLv3 128 bits AES128-SHA256 
Rejected SSLv3 128 bits AES128-SHA 
Rejected SSLv3 128 bits SEED-SHA 
Rejected SSLv3 128 bits CAMELLIA128-SHA 
Failed SSLv3 128 bits PSK-AES128-CBC-SHA 
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA 
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA 
Rejected SSLv3 128 bits AECDH-RC4-SHA 
Rejected SSLv3 128 bits ADH-RC4-MD5 
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA 
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA 
Rejected SSLv3 128 bits RC4-SHA 
Rejected SSLv3 128 bits RC4-MD5 
Failed SSLv3 128 bits PSK-RC4-SHA 
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA 
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA 
Rejected SSLv3 56 bits ADH-DES-CBC-SHA 
Rejected SSLv3 56 bits DES-CBC-SHA 
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA 
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA 
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA 
Rejected SSLv3 40 bits EXP-DES-CBC-SHA 
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5 
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5 
Rejected SSLv3 40 bits EXP-RC4-MD5 
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA 
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA 
Rejected SSLv3 0 bits AECDH-NULL-SHA 
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA 
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA 
Failed SSLv3 0 bits NULL-SHA256 
Rejected SSLv3 0 bits NULL-SHA 
Rejected SSLv3 0 bits NULL-MD5 
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384 
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384 
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384 
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA 
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA 
Failed TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA 
Failed TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA 
Failed TLSv1 256 bits SRP-AES-256-CBC-SHA 
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384 
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384 
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256 
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256 
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA 
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA 
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA 
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA 
Rejected TLSv1 256 bits AECDH-AES256-SHA 
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384 
Failed TLSv1 256 bits ADH-AES256-SHA256 
Rejected TLSv1 256 bits ADH-AES256-SHA 
Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA 
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384 
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384 
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384 
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384 
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA 
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA 
Failed TLSv1 256 bits AES256-GCM-SHA384 
Failed TLSv1 256 bits AES256-SHA256 
Rejected TLSv1 256 bits AES256-SHA 
Rejected TLSv1 256 bits CAMELLIA256-SHA 
Failed TLSv1 256 bits PSK-AES256-CBC-SHA 
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA 
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA 
Failed TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA 
Failed TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA 
Failed TLSv1 168 bits SRP-3DES-EDE-CBC-SHA 
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA 
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA 
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA 
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA 
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA 
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA 
Rejected TLSv1 168 bits DES-CBC3-SHA 
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA 
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256 
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256 
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256 
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA 
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA 
Failed TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA 
Failed TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA 
Failed TLSv1 128 bits SRP-AES-128-CBC-SHA 
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256 
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256 
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256 
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256 
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA 
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA 
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA 
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA 
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA 
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA 
Rejected TLSv1 128 bits AECDH-AES128-SHA 
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256 
Failed TLSv1 128 bits ADH-AES128-SHA256 
Rejected TLSv1 128 bits ADH-AES128-SHA 
Rejected TLSv1 128 bits ADH-SEED-SHA 
Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA 
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256 
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256 
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256 
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256 
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA 
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA 
Failed TLSv1 128 bits AES128-GCM-SHA256 
Failed TLSv1 128 bits AES128-SHA256 
Rejected TLSv1 128 bits AES128-SHA 
Rejected TLSv1 128 bits SEED-SHA 
Rejected TLSv1 128 bits CAMELLIA128-SHA 
Failed TLSv1 128 bits PSK-AES128-CBC-SHA 
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA 
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA 
Rejected TLSv1 128 bits AECDH-RC4-SHA 
Rejected TLSv1 128 bits ADH-RC4-MD5 
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA 
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA 
Rejected TLSv1 128 bits RC4-SHA 
Rejected TLSv1 128 bits RC4-MD5 
Failed TLSv1 128 bits PSK-RC4-SHA 
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA 
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA 
Rejected TLSv1 56 bits ADH-DES-CBC-SHA 
Rejected TLSv1 56 bits DES-CBC-SHA 
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA 
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA 
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA 
Rejected TLSv1 40 bits EXP-DES-CBC-SHA 
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5 
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5 
Rejected TLSv1 40 bits EXP-RC4-MD5 
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA 
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA 
Rejected TLSv1 0 bits AECDH-NULL-SHA 
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA 
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA 
Failed TLSv1 0 bits NULL-SHA256 
Rejected TLSv1 0 bits NULL-SHA 
Rejected TLSv1 0 bits NULL-MD5 

Update 2 - more detailed curl output

* Hostname was NOT found in DNS cache 
* Trying 123.45.67.890... 
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0) 
* successfully set certificate verify locations: 
* CAfile: none 
    CApath: /etc/ssl/certs 
* SSLv3, TLS handshake, Client hello (1): 
* Unknown SSL protocol error in connection to <hidden_hostname>:443 
* Closing connection 0 
    curl: (35) Unknown SSL protocol error in connection to <hidden_hostname>:443 

Answer

0

TLSv1.0 is considered insecure and vulnerable.

The default configuration of Jetty (and of some Java versions) rejects the cipher suites required for TLS 1.0.

Here is how you can fix it in the short term.

Note: once TLS 1.3 is a reality and Java supports it, even this short-term fix will no longer be possible, as TLS 1.3 plans to ban known-vulnerable ciphers outright from any level of support.

You need to update those clients soon, otherwise you will be stuck on old Java, old Jetty and even old OS installations with no valid option to update them.

First, your SslContextFactory has a declared set of exclude ciphers; you will need to adjust those exclusions to fit your environment as well as possible.

You can do this by re-declaring your excluded cipher suites.

If that still does not help, then you probably also have ciphers disabled at the Java level.

Check the $JAVA_HOME/jre/lib/security/java.security file for any configuration that disables "ciphers" or "algorithms" (the name can vary depending on your choice of JVM).

+0

Yes, I am aware of the risk of this approach. Thanks for your help. I will try it and let you know. – aguyngueran

+0

As a quick fix I added sslContextFactory.setExcludeCipherSuites() and it works. In the future I will try to update the clients. Many thanks. – aguyngueran
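For reference, an added example (mine, not code from the question, the answer or the Jetty project) that makes the mechanism behind the answer concrete and spells out the setExcludeCipherSuites() stopgap from the last comment. The Jetty 9.3 default patterns are quoted as I recall them from the 9.3 SslContextFactory sources; the adjusted exclusion list, the class and method names, and the keystore, password and port arguments are my own choices.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;

import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example, not code from the question, the answer or the Jetty project.
// Shows why Jetty 9.3's default cipher exclusions leave TLS 1.0/1.1 with no
// negotiable suite, and how to re-declare them for a few legacy clients.
public class LegacyTlsCheck {

    // Regex entries of SslContextFactory.DEFAULT_EXCLUDED_CIPHER_SUITES in Jetty 9.3
    // (quoted from memory of the 9.3 sources; the literal SSL_*EXPORT* names it also
    // lists are covered by ^SSL_.*$). ^.*_(MD5|SHA|SHA1)$ removes every suite with a
    // SHA-1 or MD5 MAC, and those are the only suites TLS 1.0 and 1.1 define.
    static final String[] JETTY_93_DEFAULT_EXCLUDES = {
        "^.*_(MD5|SHA|SHA1)$",
        "^TLS_RSA_.*$",
        "^SSL_.*$",
        "^.*_NULL_.*$",
        "^.*_anon_.*$",
    };

    // My stopgap list (an assumption, not a Jetty recommendation): every default
    // exclusion except the blanket SHA-1 rule, plus the weak SHA-1 suites by name,
    // so only forward-secret AES-CBC-SHA suites remain for TLS 1.0/1.1 clients.
    static final String[] LEGACY_CLIENT_EXCLUDES = {
        "^TLS_RSA_.*$",
        "^TLS_ECDH_.*$",   // static ECDH, no forward secrecy (ECDHE is unaffected)
        "^TLS_KRB5_.*$",   // Kerberos suites have no place on a public HTTPS port
        "^SSL_.*$",
        "^.*_NULL_.*$",
        "^.*_anon_.*$",
        "^.*_MD5$",
        "^.*_RC4_.*$",
        "^.*_(3DES|DES)_.*$",
    };

    // JSSE names: a SHA-1 MAC suite ends in _SHA, an MD5 one in _MD5. _SHA256,
    // _SHA384 and GCM suites exist only from TLS 1.2 on.
    static boolean negotiableBelowTls12(String suite) {
        return suite.endsWith("_SHA") || suite.endsWith("_MD5");
    }

    // Jetty semantics: each exclude entry is a regex matched against the whole name.
    static List<String> applyExcludes(String[] supported, String[] excludes) {
        List<Pattern> patterns = new ArrayList<>();
        for (String e : excludes) patterns.add(Pattern.compile(e));
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            if (patterns.stream().noneMatch(p -> p.matcher(suite).matches())) kept.add(suite);
        }
        return kept;
    }

    // Suites a TLS 1.0/1.1 client could still pick after the exclusions.
    static List<String> legacySuitesLeft(String[] supported, String[] excludes) {
        List<String> left = new ArrayList<>();
        for (String s : applyExcludes(supported, excludes)) {
            if (negotiableBelowTls12(s)) left.add(s);
        }
        return left;
    }

    // The question's connector with the exclusions re-declared. setExcludeCipherSuites
    // replaces the default list (addExcludeCipherSuites would append to it); the
    // protocol set is made explicit so SSLv3 cannot come back through a JVM default.
    static ServerConnector legacyTolerantHttps(Server server, String keystore,
                                               String storePw, String keyPw, int port) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keystore);
        ssl.setKeyStorePassword(storePw);
        ssl.setKeyManagerPassword(keyPw);
        ssl.setExcludeCipherSuites(LEGACY_CLIENT_EXCLUDES);
        ssl.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory());
        https.setPort(port);
        return https;
    }

    public static void main(String[] args) throws Exception {
        // Suites this JVM can offer at all; jdk.tls.disabledAlgorithms in
        // java.security (the answer's second check) is applied on top of this.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("TLS<=1.1 suites left with the Jetty 9.3 defaults: "
                + legacySuitesLeft(supported, JETTY_93_DEFAULT_EXCLUDES).size());
        List<String> left = legacySuitesLeft(supported, LEGACY_CLIENT_EXCLUDES);
        System.out.println("TLS<=1.1 suites left with the adjusted list: " + left.size());
        for (String s : left) System.out.println("  " + s);
    }
}
```

Compile with jetty-server and jetty-util on the classpath and run main. The first count is necessarily zero, because ^.*_(MD5|SHA|SHA1)$ matches every suite name a TLS 1.0 or 1.1 client could negotiate, which is exactly the "Server aborted the SSL handshake" curl reported: the server accepts the protocol version but has no suite left to offer. The second count lists the ECDHE/DHE AES-CBC-SHA suites a TLS 1.0 client can then pick. Re-run the curl --tlsv1.0 check from the question afterwards; if it still aborts, look at jdk.tls.disabledAlgorithms in java.security, which in 8u91 already disables SSLv3, RC4 and DH keys shorter than 768 bits. Treat this as the stopgap the answer calls it: it brings back CBC-mode SHA-1 suites on TLS 1.0, so it should come with a date for moving the clients.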