
How to upgrade TLS 1.0 to TLS 1.2 on wso2product

We are trying to upgrade from TLS 1.0 to TLS 1.2 in WSO2 BPS, following the procedure for upgrading to the latest TLS version from this link: Reference Link From WSO2. Our Java application runs on JDK 1.8.

  1. Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

  2. Removed the sslProtocol="TLS" attribute and replaced it with sslEnabledProtocols="TLSv1.2" as shown below.

     <Connector SSLEnabled="true" port="9443"
                protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
                secure="true" server="WSO2 Carbon Server"
                sslEnabledProtocols="TLSv1.2"
                svns:secretAlias="Server.Service.Connector.keystorePass"/>

  3. Start the server.

  4. To verify whether the configuration is set correctly, we execute the following command, java -jar TestSSLServer.jar localhost 9443, and get a TLS configuration response of TLSv1.2 only:

     Supported versions: TLSv1.2
     Deflate compression: no
     Supported cipher suites (ORDER IS NOT SIGNIFICANT):
       TLSv1.2
          DHE_RSA_WITH_AES_128_CBC_SHA
          DHE_RSA_WITH_AES_256_CBC_SHA
          DHE_RSA_WITH_AES_128_CBC_SHA256
          DHE_RSA_WITH_AES_256_CBC_SHA256
          TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     ----------------------
     Server certificate(s):
       501fc1432d87155dc431382aeb843ed558ad61b1: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US
     ----------------------
     Minimal encryption strength: strong encryption (96-bit or more)
     Achievable encryption strength: strong encryption (96-bit or more)
     BEAST status: protected
     CRIME status: protected

  5. But when we captured a pcap file and opened it in Wireshark, it still shows TLSv1.0, as shown below: (screenshot: PCap file)

Updated:

We have changed jre/lib/security/java.security as per @user7294900's instructions. When we set that configuration in the java.security file, we get the following error message in WSO2 BPMN. But we can now see TLS version 1.2 in the Wireshark capture, with a handshake failure notification. (screenshot: Wireshark)

WSO2 BPMN:

Caused by: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.office365.com:587
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1398)
at org.apache.commons.mail.Email.send(Email.java:1423)
at org.activiti.engine.impl.bpmn.behavior.MailActivityBehavior.execute(MailActivityBehavior.java:102)
... 192 more
Caused by: javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
at javax.mail.Service.connect(Service.java:297)
at javax.mail.Service.connect(Service.java:156)
at javax.mail.Service.connect(Service.java:105)
at javax.mail.Transport.send0(Transport.java:168)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1388)
... 194 more

So, is there any configuration required for the TLSv1.2 version upgrade?
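One thing that helps when reading a capture like the one in the question: a TLS record carries a version in its 5-byte record header, and the ClientHello/ServerHello inside it carry a separate version field (plus a supported_versions extension in TLS 1.3). Wireshark's Protocol column shows the record-layer version for a ClientHello packet until it has seen the ServerHello, and many clients put 0x0301 (TLSv1.0) in that header for compatibility even when they are asking for TLS 1.2, so a ClientHello labelled "TLSv1" does not by itself mean TLS 1.0 was negotiated; only the ServerHello settles that. The following decoder is an added example, not code from the question, the answers or WSO2. The hello messages it parses are constructed inline (not captured traffic); the cipher-suite code points 0xC02F and 0xC030 are the IANA values for two of the suites listed in the TestSSLServer output above.

```python
"""Version fields in TLS hello messages, as Wireshark sees them: the
record-layer version, the hello's own version field, and (TLS 1.3) the
supported_versions extension. Only the ServerHello says what was negotiated."""
import struct

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
HANDSHAKE = 22                      # record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, version, payload


def _extensions(buf):
    """Yield (type, data) pairs from an extensions block; absent is fine."""
    if len(buf) < 2:
        return
    total = struct.unpack("!H", buf[:2])[0]
    pos = 2
    while pos + 4 <= 2 + total:
        etype, elen = struct.unpack("!HH", buf[pos:pos + 4])
        yield etype, buf[pos + 4:pos + 4 + elen]
        pos += 4 + elen


def parse_hello(record):
    """Decode a ClientHello or ServerHello record. 'legacy_version' is the
    client_version / server_version field of TLS <= 1.2 (frozen at 0x0303 by 1.3)."""
    ctype, rec_version, payload = parse_record(record)
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    htype = payload[0]
    hlen = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + hlen]
    info = {"type": htype, "record_version": rec_version,
            "legacy_version": struct.unpack("!H", msg[:2])[0]}
    pos = 2 + 32                    # skip the 32-byte random
    pos += 1 + msg[pos]             # skip session id
    if htype == CLIENT_HELLO:
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", msg[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + msg[pos]         # skip compression methods
    elif htype == SERVER_HELLO:
        info["cipher_suite"] = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 3                    # cipher suite (2) + compression method (1)
    else:
        raise ValueError("not a hello message")
    for etype, edata in _extensions(msg[pos:]):
        if etype == EXT_SUPPORTED_VERSIONS:
            if htype == SERVER_HELLO:
                info["selected_version"] = struct.unpack("!H", edata[:2])[0]
            else:
                n = edata[0]
                info["offered_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                            for i in range(1, 1 + n, 2)]
    return info


def negotiated_version(server_hello):
    """Name of the version the server chose: supported_versions for TLS 1.3,
    otherwise the ServerHello version field. The record header is ignored."""
    info = parse_hello(server_hello)
    code = info.get("selected_version", info["legacy_version"])
    return TLS_VERSIONS.get(code, hex(code))


def build_hello(htype, record_version, legacy_version, suites, extensions=b""):
    """Constructed sample hello (not captured traffic) for offline testing."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
    if htype == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(hs)) + hs


if __name__ == "__main__":
    # A TLS 1.2 ClientHello whose record header still says 0x0301: this is the
    # packet Wireshark labels "TLSv1" before the ServerHello arrives.
    c = parse_hello(build_hello(CLIENT_HELLO, 0x0301, 0x0303, [0xC02F, 0xC030]))
    print("ClientHello record:", TLS_VERSIONS[c["record_version"]],
          "client_version:", TLS_VERSIONS[c["legacy_version"]])
    print("negotiated:", negotiated_version(
        build_hello(SERVER_HELLO, 0x0303, 0x0303, [0xC02F])))
```

To apply this to a real capture, feed it the raw TCP payload of the ServerHello packet (in Wireshark: right-click the TLS record, Copy as Hex Stream) and check negotiated_version rather than the Protocol column; if the server is configured for TLSv1.2 only, a ClientHello whose record header reads 0x0301 is harmless, but a ServerHello whose version field reads 0x0301 is not.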

You need to disable TLS below 1.2.

Set

  jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.

Also try to reduce your ciphers as @Dimtri suggested.

Set ciphers that are supported only by TLSv1.2:

  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

WSO2 opens many random ports. You can try disabling TLSv1 and TLSv1.1 in java.security. Set the following:

  jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file

  <PRODUCT_HOME>/jre/lib/security/java.security

I tried this for Identity Server. You can give it a try for BPS.
