JMS connection handshake is failing for SSLCipherS

Posted 2019-02-28 10:08

Question:

I am using Spring Boot 1.2.2 and JDK1.8.0.40. I have specified the SSL cipher suite as SSL_RSA_WITH_3DES_EDE_CBC_SHA and also imported the cer file into the keystore.

When I run my project, I set the JVM arguments as follows:

-Djavax.net.debug=all -Djavax.net.ssl.keyStore=/java_home/jre/lib/security/cacerts -Djava.net.keyStorePassword=changeit

But I always get

handing exception:javax.net.ssl.SSLHandshakeException: No appropriate protocol(protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT: fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28       ......(
called closeSocket()
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'XXXX' with connection mode 'Client' and host name 'xxx.xxx.com(xxxxx)'.

Indeed, I have done several operations to fix the issue, such as:

  1. Replaced the JCE jars with the unlimited encryption ones
  2. Imported the cer file into the JKS
  3. Specified the JKS path in the JVM arguments
  4. Used a matching SSL cipher suite
  5. Used an SSL channel

But I still fail on the handshake, and the error logs are the same as above.

Or do I need to generate the cer from my machine and upload it to the server? Could you kindly give some advice?

Answer 1:

SSL_RSA_WITH_3DES_EDE_CBC_SHA is an SSL 3 cipher suite. SSL 3 is insecure and disabled by default in Java 8. Is there any reason why you're using a ciphersuite for an insecure protocol?

If you want to stick to a single cipher suite, you can pick one that Java 8 supports.



Answer 2:

New JDK versions keep on updating the minimal security level, which is good. But it's not always easy (or possible) to keep these protocol restrictions up-to-date on all components involved.

The best way is really to pick a cipher suite that is supported.

But if you are in development (and know what you are doing) you can, for testing, remove this restriction by editing your JDK's jre\lib\security\java.security file.

Search for jdk.tls.disabledAlgorithms and remove or edit the restrictions:

# previously: 
# jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768
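
Both answers recommend picking a cipher suite the JVM supports. The following is an added example, not part of the question or either answer: it prints the JVM's jdk.tls.disabledAlgorithms setting and its enabled protocols, and reports whether a named suite is enabled, so a supported suite can be chosen without loosening java.security. The class name CipherSuiteCheck is an assumption; the default suite name is the one from the question.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: the class name is hypothetical, not from the original page.
public class CipherSuiteCheck {

    // Describes where a suite stands in this JVM's default TLS configuration.
    static String status(String suite, List<String> supported, List<String> enabled) {
        if (enabled.contains(suite)) {
            return "enabled by default";
        }
        if (supported.contains(suite)) {
            return "supported but not enabled by default";
        }
        return "not offered by this JVM (unknown name or disabled by policy)";
    }

    public static void main(String[] args) throws Exception {
        // Default is the suite named in the question; pass another name as args[0].
        String wanted = args.length > 0 ? args[0] : "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        List<String> enabled = Arrays.asList(defaults.getCipherSuites());
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());

        System.out.println("java.version = " + System.getProperty("java.version"));
        // The java.security property that the second answer edits.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled protocols = " + Arrays.toString(defaults.getProtocols()));
        System.out.println(wanted + ": " + status(wanted, supported, enabled));

        // Candidates to configure on both the client and the channel instead.
        System.out.println("cipher suites enabled by default:");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }
    }
}
```

Run it with the same JDK that launches the application, since the result depends on that installation's java.security file.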


Tags: ssl jms ibm-mq