Apache Karaf starts with errors - protocol_version

Question

I am using Java 1.7 and Apache Karaf 4.0.1. When I start Karaf, I get the following:

> | 26 - org.apache.karaf.deployer.features - 4.0.1 | Unable to install
> features java.io.IOException: Error resolving artifact
> org.apache.cxf.dosgi:cxf-dosgi:xml:features:1.7.0: Could not transfer
> artifact org.apache.cxf.dosgi:cxf-dosgi:xml:features:1.7.0 from/to
> central (https://repo.maven.apache.org/maven2/): Received fatal alert:
> protocol_version :
> mvn:org.apache.cxf.dosgi/cxf-dosgi/1.7.0/xml/features

Any ideas how I can fix this?

When I do the maven build, I try setting the TLS version:

```
export JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF8 -Dhttps.protocols=TLSv1.2 -Xmx2048m -XX:MaxPermSize=1024m -Xms1024m"
export MAVEN_OPTS="-Dhttps.protocols=TLSv1.2"
mvn clean install -DskipTests -Dfile.encoding=UTF8 -Dhttps.protocols=TLSv1.2;
```

Answer 1

Score: 1

First - you should really stop using JDK 1.7.

But I understand that you may have reasons - I had them too.

So - the features deployer of Karaf uses pax-url-aether, which uses aether-resolver, which uses Apache HttpClient 4.

The "-Dhttps.protocols=TLSv1.2" system property can be used only to configure connections obtained using java.net.URL#openConnection() and it won't help here.

I was, however, able to contact TLS 1.2 repositories in such a scenario by using the BouncyCastle security provider. You have to do a few things:

  1. Put bcprov-jdk15on-1.60.jar and bctls-jdk15on-1.60.jar into either $JAVA_HOME/jre/lib/ext or any other directory like /path/to/ext and use this directory in the -Djava.ext.dirs=/path/to/ext system property.
  2. Prepare a java.policy file by copying the original $JAVA_HOME/jre/lib/security/java.security and adding:

```
security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
```

and (at the bottom of this file):

```
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, SSLv2Hello, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.client.protocols=TLSv1.2
```

With Bouncy Castle you should also NOT use -Dhttps.protocols=TLSv1.2.

It worked for me and all TLS communication was done using the BC provider.

EDIT: you can't use newer versions of Bouncycastle because of https://github.com/bcgit/bc-java/issues/557
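
To check what the provider and protocol settings described in the answer above actually did to a JVM, the following diagnostic is an added example, not code from the answer or from Karaf. The class name TlsClientCheck is hypothetical, and it assumes the HTTP client builds its context with SSLContext.getInstance("TLS"); run it with the same JVM options Karaf is started with, optionally passing a host and port to attempt a handshake.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added diagnostic (hypothetical class name), written to compile on Java 7.
public class TlsClientCheck {

    // Report which provider backs a context and which protocols a client socket gets.
    static String describe(String label, SSLContext ctx) {
        return label + ": provider=" + ctx.getProvider().getName()
                + " enabled=" + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols())
                + " supported=" + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        // Provider order as the JVM loaded it from its security properties file.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = " + providers[i].getName());
        }

        // Assumption: the HTTP client creates its context this way, so the
        // https.protocols property (HttpsURLConnection only) has no effect on it.
        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, null, null);
        System.out.println(describe("getInstance(\"TLS\")", tls));
        System.out.println(describe("getDefault()", SSLContext.getDefault()));

        // Optional: handshake with a host given on the command line (port defaults to 443).
        // Protocol check only; this socket performs no hostname verification.
        if (args.length > 0) {
            int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
            SSLSocket socket = (SSLSocket) tls.getSocketFactory().createSocket(args[0], port);
            try {
                socket.startHandshake(); // a protocol_version alert surfaces here as an SSLException
                System.out.println("negotiated " + socket.getSession().getProtocol()
                        + " / " + socket.getSession().getCipherSuite());
            } finally {
                socket.close();
            }
        }
    }
}
```

If TLSv1.2 appears under "supported" but not under "enabled" for the getInstance("TLS") context, client sockets created from that context will not offer it.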

Posted by huangapple on July 28, 2020 at 20:20:32
When reposting, please keep the link to this article: https://go.coder-hub.com/63134015.html