How to establish a HTTPS connection between Java 7 and an OpenShift application?
OpenShift swiftly addressed the SSL 'Poodle' vulnerability around October 16th 2014. Since then the e-commerce provider I work with can no longer establish a secure HTTPS connection with my OpenShift PHP application. I suspect this is, at least in part, because SSL3 is no longer an available protocol.
The error logged at the e-commerce provider end is:
javax.net.ssl.SSLException
java.lang.RuntimeException: Could not generate DH keypair
Here's what I've tried and discovered so far:
The online SSL testing tool at https://www.ssllabs.com/ssltest/ indicates my SSL Certificate is installed correctly (installed via the OpenShift WebConsole), and it receives an 'A' grade. HTTPS works fine when connecting to my OpenShift PHP application in a normal web browser. In general the SSL Certificate & installation itself seems fine.
As a test, I have tried using OpenShift's shared SSL Certificate instead of my own, with exactly the same result.
The remote e-commerce platform that is attempting to connect to my OpenShift PHP app via HTTPS uses Java 7. Tech support thinks the issue is that their Java 7 system doesn't support cipher key lengths > 1024 bits. Unfortunately they're not in a position to upgrade their system to Java 8 at present, so their hands are a bit tied.
The ssllabs analysis of my SSL Certificate includes a useful Handshake Simulation test with various clients. This actually shows a Java 7 simulation connecting OK using TLS1.0, however the Java 6 simulation fails with a 'Client does not support DH parameters > 1024 bits' error - roughly echoing what e-commerce tech support is seeing reported by their Java 7 based system.
How might I solve this? To narrow the question down a little:
Is there a simple adjustment my e-commerce provider could make at their end to enable HTTPS connections to OpenShift applications, without them having to upgrade Java or make significant changes that could impact others? e.g. An option to accept DH parameters > 1024 bits.
Is there anything I can adjust at my end (perhaps an OpenShift or PHP setting) to enable their Java 7 based system to establish a HTTPS connection with my OpenShift application successfully? e.g. An option instructing OpenShift to provide DH parameters <= 1024 bits.
Restarting your application should resolve the issue as it will pick up the latest JDK that should contain the latest fixes for this issue.
https://bugzilla.redhat.com/show_bug.cgi?id=1035818
https://bugzilla.redhat.com/show_bug.cgi?id=1080125
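An added example, not part of the original question or answer: a client-side check for the DH size limit behind "Could not generate DH keypair", followed by one way to keep the Java client off DHE key exchange when the limit applies. The class and method names are hypothetical, and it assumes the server also offers a non-DHE suite (ECDHE or RSA key exchange) that the client supports.

```java
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example; class and method names are hypothetical. Java 7 syntax only.
public class DheWorkaround {

    // True if this JVM's DH key pair generator accepts a prime of the given size.
    // Affected Java 6/7 runtimes reject sizes above 1024 bits, which surfaces
    // during the TLS handshake as "Could not generate DH keypair".
    static boolean supportsDhBits(int bits) {
        try {
            KeyPairGenerator.getInstance("DiffieHellman").initialize(bits);
            return true;
        } catch (Exception e) { // InvalidParameterException when the size is refused
            return false;
        }
    }

    // Drop finite-field DH suites (*_DHE_*, *_DH_*); ECDHE/ECDH and RSA suites stay.
    static String[] withoutDhe(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!s.contains("_DHE_") && !s.contains("_DH_")) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        boolean ok = supportsDhBits(2048);
        System.out.println("2048-bit DH supported: " + ok);
        if (ok) return; // nothing to work around on this runtime
        String[] enabled = withoutDhe(
                SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());
        StringBuilder csv = new StringBuilder();
        for (String s : enabled) {
            if (csv.length() > 0) csv.append(',');
            csv.append(s);
        }
        // https.cipherSuites is the JSSE system property read by HttpsURLConnection;
        // set it before the first HTTPS request. For a raw SSLSocket, pass the
        // filtered array to setEnabledCipherSuites() instead.
        System.setProperty("https.cipherSuites", csv.toString());
        System.out.println("Enabled suites: " + csv);
    }
}
```

If the handshake then settles on a plain RSA key-exchange suite, the connection has no forward secrecy, so check which suite is actually negotiated.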