How to upgrade TLS 1.0 to TLS 1.2 on a WSO2 product
We are trying to upgrade from TLS 1.0 to TLS 1.2 in WSO2 BPS, following the procedure for upgrading to the latest TLS version from this link (Reference Link From WSO2). Our Java application is running on JDK 1.8.
Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.
Removed the sslProtocol="TLS" attribute and replaced it with sslEnabledProtocols="TLSv1.2" as shown below.
    <Connector SSLEnabled="true" port="9443"
               protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
               secure="true" server="WSO2 Carbon Server"
               sslEnabledProtocols="TLSv1.2"
               svns:secretAlias="Server.Service.Connector.keystorePass"/>
Running java -jar TestSSLServer.jar localhost 9443 gives a TLS configuration response of TLSv1.2 only:

    Supported versions: TLSv1.2
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      TLSv1.2
         DHE_RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_256_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA256
         DHE_RSA_WITH_AES_256_CBC_SHA256
         TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
         TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ----------------------
    Server certificate(s):
      501fc1432d87155dc431382aeb843ed558ad61b1: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
    ----------------------
    Minimal encryption strength:     strong encryption (96-bit or more)
    Achievable encryption strength:  strong encryption (96-bit or more)
    BEAST status: protected
    CRIME status: protected
We have changed jre/lib/security/java.security as per @user7294900's instruction. When we set that configuration in the java.security file, we get the error message below in WSO2 BPMN. We can, however, see TLS version 1.2 in the Wireshark capture, followed by a handshake failure notification.

Wso2BPMN:
Caused by: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.office365.com:587
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1398)
at org.apache.commons.mail.Email.send(Email.java:1423)
at org.activiti.engine.impl.bpmn.behavior.MailActivityBehavior.execute(MailActivityBehavior.java:102)
... 192 more
Caused by: javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
at javax.mail.Service.connect(Service.java:297)
at javax.mail.Service.connect(Service.java:156)
at javax.mail.Service.connect(Service.java:105)
at javax.mail.Transport.send0(Transport.java:168)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1388)
... 194 more
So, is there any configuration required for the TLSv1.2 upgrade?
You need to disable TLS below 1.2: set

    jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.
Also try to reduce your ciphers as @Dimtri suggested: set ciphers that are supported only by TLSv1.2:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
WSO2 opens many random ports. You can try disabling TLSv1 and TLSv1.1 in java.security. Set below:

    jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file <PRODUCT_HOME>/jre/lib/security/java.security.

I tried this for Identity Server. You can give it a try for BPS.
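Both answers hinge on two settings: the jdk.tls.disabledAlgorithms property in java.security and the Connector's protocol/cipher attributes in catalina-server.xml. The script below is an added example (not from the question, the answers or WSO2) that audits both files for the TLS 1.2-only configuration they describe; the java.security excerpt and Connector snippet are constructed samples, and the property parser joins backslash-continued lines the way the JDK does.

```python
"""Audit java.security and a Tomcat Connector for TLS 1.2-only settings (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed java.security excerpt; JDK 1.8 ships this property split over continued lines.
JAVA_SECURITY = """# constructed sample
jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, \\
    RC4, DES, MD5withRSA, DH keySize < 1024
"""

# Constructed Connector modelled on the one in the question (one pre-TLS1.2 suite left in
# on purpose so the audit has something to flag).
CONNECTOR_XML = """<Connector SSLEnabled="true" port="9443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" server="WSO2 Carbon Server" sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>"""

# Protocols the answers say must appear in jdk.tls.disabledAlgorithms.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def read_property(text, key):
    """Return the comma-separated items of `key`, joining backslash-continued lines first."""
    joined = re.sub(r"\\\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return [item.strip() for item in v.split(",") if item.strip()]
    return []


def missing_disabled_protocols(text):
    """Legacy protocols that are NOT yet listed in jdk.tls.disabledAlgorithms."""
    return sorted(LEGACY_PROTOCOLS - set(read_property(text, "jdk.tls.disabledAlgorithms")))


def tls12_only_suites(ciphers):
    """Keep suites that exist only in TLS 1.2 (AEAD/GCM or SHA-2 MAC); SHA-1 suites predate it."""
    return [c for c in ciphers if c.endswith(("_SHA256", "_SHA384"))]


def audit_connector(xml_text):
    """Report the legacy sslProtocol attribute, enabled protocols and non-TLS1.2 suites."""
    conn = ET.fromstring(xml_text)
    ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    return {
        "legacy_sslProtocol_attr": "sslProtocol" in conn.attrib,
        "protocols": conn.get("sslEnabledProtocols", "").split(","),
        "non_tls12_suites": sorted(set(ciphers) - set(tls12_only_suites(ciphers))),
    }
```

Run it against the real files by reading them into the two variables; an empty list from missing_disabled_protocols and an empty non_tls12_suites list mean both settings match what the answers recommend.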