Java 11 + Chrome/Firefox = TLS decrypt error


Problem description


I'm currently migrating some server software from Java 8 to Java 11. Everything works fine except for the fact that TLS connections are refused when my server runs on Java 11 (and only 11). I.e., everything works when running on up to and including Java 10. As soon as I switch to Java 11 (with absolutely no code changes in between, of course) I get a TLS decrypt error. My application works fine otherwise when I disable SSL/TLS or when I use IE/Edge to connect to my server (via TLS). When using Chrome 70 or Firefox 62 I get ERR_SSL_PROTOCOL_ERROR or SEC_ERROR_BAD_SIGNATURE, respectively.

I tried to analyze this using Wireshark (see my dump). My conclusion is that Java 11 and Chrome/Firefox negotiate a bad cipher suite (rsa_pss_rsae_sha256), which somehow doesn't work with Java 11. Java 8 and IE/Edge seem to negotiate a different cipher suite (rsa_pkcs1_sha256), which works.

Does someone know how to fix this problem or at least work around it for the moment (other than disabling SSL/TLS or using IE/Edge, of course)? Thanks in advance.

Solution

This is likely to be a compatibility failure with the new PSS algorithms in TLS 1.3. You can read a good explanation for the reasoning behind the introduction of PSS here.

Until it's fixed you can prevent your server from negotiating TLS 1.3 by editing lib/security/java.security and adding TLSv1.3 to the jdk.tls.disabledAlgorithms property.
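The workaround from the answer, as an added shell example that is not part of the original post or of the JDK: it adds TLSv1.3 to jdk.tls.disabledAlgorithms in a java.security file without breaking the backslash-continued value the stock file uses, and does nothing on a second run. It assumes a POSIX shell with awk and mktemp, and runs against a constructed sample file rather than a real installation; on JDK 9 and later the real file lives at conf/security/java.security (lib/security was the JDK 8 location). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer or the JDK): apply the workaround from
# the answer, i.e. add TLSv1.3 to jdk.tls.disabledAlgorithms, idempotently and without
# breaking the backslash-continued value that the stock java.security file uses.
set -eu

# Print the effective value of a java.security property: a trailing backslash continues
# the value on the next line, so those lines are joined and whitespace is collapsed.
java_security_get() {
    awk -v key="$2" '
        function flush() { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val; exit }
        state == 1 { val = val $0 }
        state == 0 && index($0, key "=") == 1 { val = substr($0, length(key) + 2); state = 1 }
        state == 1 { if (sub(/\\[ \t]*$/, "", val)) next; flush() }
    ' "$1"
}

# Prepend TLSv1.3 to jdk.tls.disabledAlgorithms, or add the property if it is missing.
# Inserting right after "=" leaves any continuation lines of the existing value intact.
java_security_disable_tls13() {
    file=$1
    if java_security_get "$file" jdk.tls.disabledAlgorithms | grep -q 'TLSv1\.3'; then
        echo "TLSv1.3 already listed in $file; nothing to do"
        return 0
    fi
    tmp="$file.tmp.$$"
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ {
            rest = substr($0, index($0, "=") + 1)
            if (rest ~ /^[ \t]*$/) print "jdk.tls.disabledAlgorithms=TLSv1.3"
            else print "jdk.tls.disabledAlgorithms=TLSv1.3, " rest
            found = 1
            next
        }
        { print }
        END { if (!found) print "jdk.tls.disabledAlgorithms=TLSv1.3" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed excerpt of a JDK 11 java.security file (not a real installation's
# file): the stock value is split across two lines with a trailing backslash.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample; only the property the workaround touches is shown
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
echo "before: $(java_security_get "$sample" jdk.tls.disabledAlgorithms)"
java_security_disable_tls13 "$sample"
java_security_disable_tls13 "$sample"   # second run is a no-op
echo "after:  $(java_security_get "$sample" jdk.tls.disabledAlgorithms)"
```

Two things worth knowing before applying this to a real JVM: jdk.tls.disabledAlgorithms is a JVM-wide security property, so it also disables TLS 1.3 for outbound connections the server makes as a client; and the change only takes effect after a restart, after which `openssl s_client -connect host:port -tls1_3` should fail the handshake while `-tls1_2` still succeeds, which is the quickest way to confirm the workaround is in place.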
