Gradle build using IBM JDK not using TLS 1.2

Question

We are invoking the gradle build from Jenkins and the Java being used is IBM Java 1.8. After the build is completed the packaged ear file is supposed to be published to Artifactory, and that's where it fails, because it is using TLSv1 whereas the Artifactory server uses TLSv1.2 (RECV TLSv1.2 ALERT: fatal, protocol_version).

We have specified parameters to try to force it to use TLSv1.2 but to no avail.

If we simply switch the Java from IBM Java to OpenJDK everything works, but we have to use IBM JDK.

Below is an extract from the logs; any insight would be appreciated.

```
16:37:27 JENKINS_URL=https://XXX:8080/ifs/
16:37:27 BUILD_ID=52
16:37:27 JAVA_TOOL_OPTIONS=-Duser.home=/home/jenkins -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all -Djavax.net.debug=all -Dcom.ibm.jsse2.disablesslv3=false -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1
16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 SSLv3 protocol was requested but was not enabled
16:39:49 SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
16:39:49 CLIENT_DEFAULT: [TLSv1.2]
16:39:49 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
16:39:49 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
16:39:49 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
16:39:49 IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
16:39:49 IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
16:39:49
16:39:49 Is initial handshake: true
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
16:39:49 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
16:39:49 %% No cached client session
16:39:49 *** ClientHello, TLSv1
16:39:49 RandomCookie: GMT: 1595384853 bytes = { 107, 178, 131, 155, 114, 248, 46, 134, 176, 84, 230, 191, 243, 124, 238, 63, 233, 106, 234, 197, 151, 26, 164, 199, 46, 116, 65, 30 }
16:39:49 Session ID: {}
16:39:49 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]
16:39:49 Compression Methods: { 0 }
16:39:49 Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
16:39:49 Extension ec_point_formats, formats: [uncompressed]
16:39:49 Extension server_name, server_name: [type=host_name (0), value=artifactory..xxx.xxx]
16:39:49 ***
16:39:49 [write] MD5 and SHA1 hashes: len = 123
16:39:49 [Raw read]: length = 2
16:39:49 0000: 02 46 .F
16:39:49
16:39:49 pool-1-thread-1, READ: TLSv1 Alert, length = 2
16:39:49 pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, protocol_version
16:39:49 pool-1-thread-1, called closeSocket()
16:39:49 pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
16:39:49 Error occurred for request GET /artifactory/api/system/version HTTP/1.1: Received fatal alert: protocol_version.
```
# Answer 1

**Score**: 1

Try updating your gradle.properties to have:

```
systemProp.com.ibm.jsse2.overrideDefaultTLS=true
```
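An added diagnostic to run on the build JVM before and after applying the answer above (this is not code from the question or the answers; the class name and helpers are hypothetical). It compares the protocols enabled by the "Default" SSLContext, which `jdk.tls.client.protocols` governs, with those of a context requested by name as "TLS", which HTTP client libraries commonly create; the question's log shows a TLSv1 ClientHello even though `CLIENT_DEFAULT` is `[TLSv1.2]`, and this check makes that gap visible without a network connection.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.List;

/*
 * Hypothetical diagnostic (not part of the original thread). Run it with the
 * same JAVA_TOOL_OPTIONS / gradle.properties the build uses and compare the
 * two contexts: jdk.tls.client.protocols only applies to SSLContext "Default";
 * a context obtained as SSLContext.getInstance("TLS") has its own defaults,
 * which on IBM Java 8 is where com.ibm.jsse2.overrideDefaultTLS=true matters.
 */
public class TlsContextCheck {

    /** Protocols an SSLSocket created from this context will offer in its ClientHello. */
    static List<String> enabledProtocols(SSLContext ctx) throws Exception {
        // An unconnected socket is enough to read the enabled protocol list.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            return Arrays.asList(s.getEnabledProtocols());
        }
    }

    /** True when TLSv1.2 is enabled and no legacy protocol is still offered. */
    static boolean isTls12Only(List<String> protocols) {
        return protocols.contains("TLSv1.2")
            && !protocols.contains("TLSv1")
            && !protocols.contains("TLSv1.1")
            && !protocols.contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.client.protocols         = "
            + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("com.ibm.jsse2.overrideDefaultTLS = "
            + System.getProperty("com.ibm.jsse2.overrideDefaultTLS"));

        SSLContext byDefault = SSLContext.getDefault();   // the "Default" context
        SSLContext byName = SSLContext.getInstance("TLS"); // what libraries ask for
        byName.init(null, null, null);                      // JVM default key/trust material

        for (SSLContext ctx : new SSLContext[] {byDefault, byName}) {
            List<String> p = enabledProtocols(ctx);
            System.out.printf("%-8s -> %s %s%n", ctx.getProtocol(), p,
                isTls12Only(p) ? "OK" : "WARNING: legacy protocol still enabled");
        }
    }
}
```

If the "TLS" context still lists TLSv1 while "Default" lists only TLSv1.2, the publish step is using the former, and the property in this answer (or removing the contradictory flags) is what needs to reach that JVM.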
# Answer 2

**Score**: 0

In your exception stack, it was mentioned:

"16:39:49 jdk.tls.client.protocols is defined as TLSv1.2
16:39:49 **SSLv3 protocol was requested but was not enabled**"

and in your command line options it mentioned **"-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1"**.

Can you try removing this property "-Djdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1" and test your application?

huangapple
  • Published on July 23, 2020 05:31:54
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63043520.html