Apache Karaf starts with errors - protocol_version
Question
I am using Java 1.7 and Apache Karaf 4.0.1. When I start Karaf, I get the following:
> | 26 - org.apache.karaf.deployer.features - 4.0.1 | Unable to install
> features java.io.IOException: Error resolving artifact
> org.apache.cxf.dosgi:cxf-dosgi:xml:features:1.7.0: Could not transfer
> artifact org.apache.cxf.dosgi:cxf-dosgi:xml:features:1.7.0 from/to
> central (https://repo.maven.apache.org/maven2/): Received fatal alert:
> protocol_version :
> mvn:org.apache.cxf.dosgi/cxf-dosgi/1.7.0/xml/features
Any ideas how I can fix this?
When I do the maven build, I try setting the TLS version:
export JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF8 -Dhttps.protocols=TLSv1.2 -Xmx2048m -XX:MaxPermSize=1024m -Xms1024m"
export MAVEN_OPTS="-Dhttps.protocols=TLSv1.2"
mvn clean install -DskipTests -Dfile.encoding=UTF8 -Dhttps.protocols=TLSv1.2;
Answer 1
Score: 1
First - you should really stop using JDK1.7.
But I understand that you may have reasons - I had them too.
So - the features deployer of Karaf uses pax-url-aether, which uses aether-resolver, which uses Apache http client 4.
The "-Dhttps.protocols=TLSv1.2" system property can be used only to configure connections obtained using java.net.URL#openConnection() and it won't help here.
I was however able to contact TLS 1.2 repositories in such a scenario, by using the BouncyCastle security provider. You have to do a few things:
- put bcprov-jdk15on-1.60.jar and bctls-jdk15on-1.60.jar into either $JAVA_HOME/jre/lib/ext or any other directory like /path/to/ext and use this directory in the -Djava.ext.dirs=/path/to/ext system property
- prepare a java.policy file by copying the original $JAVA_HOME/jre/lib/security/java.security and adding:
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
and (at the bottom of this file):
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, SSLv2Hello, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.client.protocols=TLSv1.2
With bouncy castle you should also NOT use -Dhttps.protocols=TLSv1.2
It worked for me and all TLS communication was done using BC provider.
EDIT: you can't use newer versions of Bouncycastle because of https://github.com/bcgit/bc-java/issues/557
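
A check for the security file prepared in the answer above, as an added example that is not part of the original answer: because the file is read as a Java properties file, a `security.provider.N` line left over from the copied original overrides a BouncyCastle line with the same index placed earlier in the file. The function names and the two sample files are constructed for illustration, and the script assumes the file has no backslash line continuations.

```shell
# Added example (not from the original answer). java.security is loaded as a
# Java properties file, so when a key appears twice the LATER line wins.
effective_value() {   # print the effective (last) value of key $2 in file $1
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

duplicate_keys() {    # print every key defined more than once in file $1
    awk '/^[ \t]*[#!]/ { next }
         { eq = index($0, "="); if (eq == 0) next
           k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
           if (seen[k]++ == 1) print k }' "$1"
}

audit_security_file() {   # return 0 only if file $1 matches the answer's settings
    rc=0
    dups=$(duplicate_keys "$1")
    [ -z "$dups" ] || { echo "duplicate keys, last one wins:" $dups; rc=1; }
    p1=$(effective_value "$1" security.provider.1)
    p2=$(effective_value "$1" security.provider.2)
    [ "$p1" = org.bouncycastle.jce.provider.BouncyCastleProvider ] || { echo "provider 1 is $p1"; rc=1; }
    [ "$p2" = org.bouncycastle.jsse.provider.BouncyCastleJsseProvider ] || { echo "provider 2 is $p2"; rc=1; }
    case ", $(effective_value "$1" jdk.tls.disabledAlgorithms)," in
        *", TLSv1.2,"*) echo "TLSv1.2 itself is disabled"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: $2 and $3 are the indices given to two original providers.
make_sample() {
    printf '%s\n' \
        'security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider' \
        'security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider' \
        "security.provider.$2=sun.security.provider.Sun" \
        "security.provider.$3=sun.security.rsa.SunRsaSign" \
        'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, SSLv2Hello, RC4' \
        'jdk.tls.client.protocols=TLSv1.2' > "$1"
}

d=$(mktemp -d)
make_sample "$d/bad.security" 1 2    # originals left at indices 1 and 2
make_sample "$d/good.security" 3 4   # originals renumbered after the BC providers
for f in "$d"/*.security; do audit_security_file "$f" && echo "$f: ok"; done
```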