Gradle build using IBM JDK not using TLS 1.2
Question
We are invoking a Gradle build from Jenkins, and the Java version used is IBM Java 1.8. After the build completes, the packaged EAR file should be published to Artifactory, but this step fails because it uses TLSv1 whereas the Artifactory server uses TLSv1.2 (a "TLSv1.2 ALERT: fatal, protocol_version" error is received).
We have specified parameters to try to force it to use TLSv1.2, but without success.
If we simply switch the Java from IBM Java to OpenJDK, everything works, but we have to use the IBM JDK.
Below is an excerpt from the logs; hopefully it provides some insight:
```
16:37:27 BUILD_ID=52
16:37:27 JAVA_TOOL_OPTIONS=-Duser.home=/home/jenkins -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all -Djavax.net.debug=all -Dcom.ibm.jsse2.disablesslv3=false -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SSLv3 protocol was requested but was not enabled
16:39:49 SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
16:39:49 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
16:39:49 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
16:39:49 IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
16:39:49 IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
16:39:49
16:39:49 Is initial handshake: true
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
16:39:49 %% No cached client session
16:39:49 *** ClientHello, TLSv1
16:39:49 RandomCookie: GMT: 1595384853 bytes = { 107, 178, 131, 155, 114, 248, 46, 134, 176, 84, 230, 191, 243, 124, 238, 63, 233, 106, 234, 197, 151, 26, 164, 199, 46, 116, 41, 30 }
16:39:49 Session ID: {}
16:39:49 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]
16:39:49 Compression Methods: { 0 }
16:39:49 Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
16:39:49 Extension ec_point_formats, formats: [uncompressed]
16:39:49 Extension server_name, server_name: [type=host_name (0), value=artifactory..xxx.xxx]
16:39:49 ***
16:39:49 [write] MD5 and SHA1 hashes: len = 123
16:39:49 [Raw read]: length = 2
16:39:49 0000: 02 46 .F
16:39:49
16:39:49 pool-1-thread-1, READ: TLSv1 Alert, length = 2
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
16:39:49 pool-1-thread-1, called closeSocket()
```
<details>
<summary>English (original):</summary>
We are invoking a Gradle build from Jenkins, and the Java being used is IBM Java 1.8. After the build is completed, the packaged EAR file is supposed to be published to Artifactory, and that's where it fails, because it is using TLSv1 whereas the Artifactory server uses TLSv1.2 (RECV TLSv1.2 ALERT: fatal, protocol_version).
We have specified parameters to try to force it to use TLSv1.2, but to no avail.
If we simply switch the Java from IBM Java to OpenJDK everything works, but we have to use the IBM JDK.
Below is an extract from the logs; any insight would be appreciated.
```
16:37:27 JENKINS_URL=https://XXX:8080/ifs/
16:37:27 BUILD_ID=52
16:37:27 JAVA_TOOL_OPTIONS=-Duser.home=/home/jenkins -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all -Djavax.net.debug=all -Dcom.ibm.jsse2.disablesslv3=false -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SSLv3 protocol was requested but was not enabled
16:39:49 SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
16:39:49 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
16:39:49 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
16:39:49 IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
16:39:49 IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
16:39:49
16:39:49 Is initial handshake: true
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
16:39:49 %% No cached client session
16:39:49 *** ClientHello, TLSv1
16:39:49 RandomCookie: GMT: 1595384853 bytes = { 107, 178, 131, 155, 114, 248, 46, 134, 176, 84, 230, 191, 243, 124, 238, 63, 233, 106, 234, 197, 151, 26, 164, 199, 46, 116, 65, 30 }
16:39:49 Session ID: {}
16:39:49 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]
16:39:49 Compression Methods: { 0 }
16:39:49 Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
16:39:49 Extension ec_point_formats, formats: [uncompressed]
16:39:49 Extension server_name, server_name: [type=host_name (0), value=artifactory..xxx.xxx]
16:39:49 ***
16:39:49 [write] MD5 and SHA1 hashes: len = 123
16:39:49 [Raw read]: length = 2
16:39:49 0000: 02 46 .F
16:39:49
16:39:49 pool-1-thread-1, READ: TLSv1 Alert, length = 2
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
16:39:49 pool-1-thread-1, called closeSocket()
16:39:49 pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
16:39:49 Error occurred for request GET /artifactory/api/system/version HTTP/1.1: Received fatal alert: protocol_version.
```
</details>
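The trace above can be triaged mechanically rather than read by eye. The script below is an added example and is not code from the original question or either answer; `SAMPLE_LOG` is a trimmed copy of the question's log excerpt, constructed here so the script runs offline. It pulls the effective `-D` flags, JSSE's `CLIENT_DEFAULT` list, the `ClientHello` version, the dropped cipher suites and the fatal alert out of a `javax.net.debug=all` trace and reports the inconsistencies: flags repeated on the command line, `com.ibm.jsse2.disablesslv3=false` next to `SSLv3` in `jdk.tls.disabledAlgorithms`, and the key observation that the `ClientHello` went out as `TLSv1` although `CLIENT_DEFAULT` is `[TLSv1.2]`, so the socket that failed was not using the JVM's default protocol list. The `main()` entry point and its file argument are this example's own convention.

```python
"""Triage a javax.net.debug=all trace for a TLS protocol_version failure.

Added example, not code from the original question or answers. SAMPLE_LOG is
a trimmed copy of the question's log excerpt, constructed here so the script
runs offline; pass a Jenkins console log path on the command line for real use.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trimmed from the question's log, timestamps kept as Jenkins prints them.
SAMPLE_LOG = """\
16:37:27 JAVA_TOOL_OPTIONS=-Duser.home=/home/jenkins -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all -Djavax.net.debug=all -Dcom.ibm.jsse2.disablesslv3=false -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 *** ClientHello, TLSv1
16:39:49 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\s+")
JVM_FLAG = re.compile(r"-D([\w.]+)=(\S*)")
FATAL_ALERT = re.compile(r"RECV \S+ ALERT: fatal, (\w+)")


@dataclass
class TlsTrace:
    jvm_props: Dict[str, List[str]] = field(default_factory=dict)  # every value of each -D key, in order
    client_default: List[str] = field(default_factory=list)        # JSSE's default client protocol list
    client_hello_version: Optional[str] = None                     # highest version the socket offered
    ignored_suites: List[str] = field(default_factory=list)        # suites JSSE dropped before sending
    fatal_alert: Optional[str] = None


def parse_list(text: str) -> List[str]:
    """'[TLSv1, TLSv1.2]' or 'SSLv3,TLSv1' -> ['TLSv1', 'TLSv1.2'] / ['SSLv3', 'TLSv1']."""
    return [p.strip() for p in text.strip().strip("[]").split(",") if p.strip()]


def parse_trace(log: str) -> TlsTrace:
    t = TlsTrace()
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if line.startswith("JAVA_TOOL_OPTIONS="):
            for key, val in JVM_FLAG.findall(line):
                t.jvm_props.setdefault(key, []).append(val)
        elif line.startswith("CLIENT_DEFAULT:"):
            t.client_default = parse_list(line.split(":", 1)[1])
        elif line.startswith("*** ClientHello,"):
            t.client_hello_version = line.split(",", 1)[1].strip()
        elif line.startswith("Ignoring unsupported cipher suite:"):
            t.ignored_suites.append(line.split(":", 1)[1].strip())
        else:
            m = FATAL_ALERT.search(line)
            if m:
                t.fatal_alert = m.group(1)
    return t


def triage(t: TlsTrace) -> List[str]:
    """Return human-readable inconsistencies; an empty list means the trace looks sane."""
    findings: List[str] = []

    def last(key: str) -> str:  # on the JVM command line the last -Dkey=... wins
        return t.jvm_props.get(key, [""])[-1]

    for key, vals in t.jvm_props.items():
        if len(vals) > 1:
            findings.append(f"duplicate -D{key} given {len(vals)} times")
    disabled = parse_list(last("jdk.tls.disabledAlgorithms"))
    if "SSLv3" in disabled and last("com.ibm.jsse2.disablesslv3") == "false":
        findings.append("com.ibm.jsse2.disablesslv3=false contradicts SSLv3 in jdk.tls.disabledAlgorithms")
    hello = t.client_hello_version
    if hello and t.client_default and hello not in t.client_default:
        findings.append(f"ClientHello offered {hello} but CLIENT_DEFAULT is {t.client_default}: "
                        "the failing socket was not using the JVM's default protocol list")
    if hello and hello in disabled:
        findings.append(f"{hello} is listed in jdk.tls.disabledAlgorithms yet was still offered")
    # SHA256/GCM suites need TLS 1.2; JSSE drops them when 1.2 is not enabled on the socket.
    tls12_only = [s for s in t.ignored_suites if s.endswith("SHA256") or "GCM" in s]
    if tls12_only and hello and hello != "TLSv1.2":
        findings.append(f"{len(tls12_only)} TLS 1.2-only suites were dropped, consistent with "
                        "TLSv1.2 not being enabled on this socket")
    if t.fatal_alert == "protocol_version":
        findings.append("server replied with a fatal protocol_version alert: it rejects the offered version")
    return findings


def main(path: Optional[str] = None) -> int:
    log = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    findings = triage(parse_trace(log))
    for finding in findings:
        print("-", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python triage_tls.py jenkins-console.log`; a non-zero exit means at least one inconsistency was found. On the sample it reports the three duplicated flags, the SSLv3 contradiction, the TLSv1 hello against a TLSv1.2-only client default, the two dropped TLS 1.2 suites and the server's alert, which is the evidence to take to whichever component (Gradle daemon, HTTP client) opened the socket with its own protocol settings.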
# Answer 1
**Score**: 1
Try updating your gradle.properties to include:
systemProp.com.ibm.jsse2.overrideDefaultTLS=true
<details>
<summary>English (original):</summary>
Try updating your gradle.properties to have:
systemProp.com.ibm.jsse2.overrideDefaultTLS=true
</details>
# Answer 2
**Score**: 0
In your exception stack, it was mentioned:
"16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SSLv3 protocol was requested but was not enabled"
and in your command-line options it mentioned "-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1".
Can you try removing the property "-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1" and test your application?