我正在使用用于Microsoft SQL Server 2012和2014的Progress DataDirect(荣耀的...)JDBC驱动程序。这两个服务器都是完全更新的Windows窗口,也是SQL Server的明智选择。两者都执行加密。

我现在正尝试使用FIPS兼容的信任库,通过带有适当的java.security文件,jar,无限强度密码套件的Java客户端应用程序,与它们连接。信任库包含我自己的CA的自签名证书。使用的算法是RSA。

使用JDK 1.7.0_21可以正常工作,但是当我更改为1.8.0_74(最新afaik)时,它会失败,因为SQL Server不想在ClientHello之后进行回复。之后,它只是通过重置连接断开连接。

此外,我尝试将这些属性独立设置为不同的组合,但不适用于JDK 1.8。

  • -Dhttps.protocols = TLSv1
  • -Dcom.sun.net.ssl.enableECC = false
  • -Djdk.tls.client.protocols = TLSv1

  • JDBC连接属性也是开/关不同的组合:
  • CryptoProtocolVersion = TLSv1.2
  • HostNameInCertificate = my.host.com

  • 我尝试使用TLS 1.2、1.1和1,但没有任何效果。

    当它与JDK 1.7一起使用时,我倾向于认为JDK 1.8打破了这种机制。

    JDK 1.8的调试日志包含此日志条目,该日志条目与JDK 1.7完全不同

    1.8:
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    

    1.7
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    

    我还可以尝试其他什么方法来解决此问题?不幸的是,切换回1.7对我来说不是一种选择,或者是不可能的。

    编辑:

    这是-Djavax.net.debug = all的最后一部分:
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1440778452 bytes = { 133, 30, 185, 72, 50, 27, 253, 188, 73, 244, 59, 197, 169, 24, 142, 134, 78, 66, 122, 216, 60, 62, 232, 121, 107, 245, 32, 53 }
    Session ID:  {}
    Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
    Extension server_name, server_name: [type=host_name (0), value=my.sqlserver.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 130
    <HEX DUMP>
    main, WRITE: TLSv1.2 Handshake, length = 130
    [Raw write]: length = 135
    <HEX DUMP>
    

    调用代码是这样的:
    Connection connection = DriverManager.getConnection(url, getProps());
    
      private static Properties getProps()
      {
        Properties properties = new Properties();
        properties.setProperty("User", "sa");
        properties.setProperty("Password", "password");
        properties.setProperty("EncryptionMethod", "SSL");
        properties.setProperty("HostNameInCertificate", "my.sqlserver.com");
        properties.setProperty("TrustStore", "<Path to trust store");
        properties.setProperty("TrustStorePassword", "password");
        properties.setProperty("ValidateServerCertificate", "true");
        properties.setProperty("CryptoProtocolVersion", "TLSv1.2");
    
        return properties;
      }
    

    最佳答案

    对我来说,在stricter policy for allowed (TLS) crypto algorithms上升级到JDK8(更新191)失败。我只是通过修改3DES_EDE_CBC文件再次启用了${jdk.home}/jre/lib/security/java.security:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
        EC keySize < 224, 3DES_EDE_CBC
    

    到:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
        EC keySize < 224
    

    或以编程方式:
    java.security.Security.setProperty("jdk.tls.disabledAlgorithms",
        "SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224");
    

    或在 Spring :
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="targetClass" value="java.security.Security" />
        <property name="targetMethod" value="setProperty" />
        <property name="arguments">
            <list>
                <value>jdk.tls.disabledAlgorithms</value>
                <value>SSLv3, RC4, MD5withRSA, DH keySize &lt; 1024, EC keySize &lt; 224</value>
            </list>
        </property>
    </bean>
    

    另请参阅this answer related to SSLv3

    10-07 19:27
    查看更多