与SSL的mysql jdbc连接在tls握手级别失败 [英] mysql jdbc connection with SSL fails at tls handshake level

问题描述

我们的mysql服务器配置为仅接受与ssl密码DHE-RSA-AES256-GCM-SHA384的连接.

Our mysql server is configured to accept only connection with ssl cipher DHE-RSA-AES256-GCM-SHA384.

我正在使用Java mysql-connector-java(8.0.15)和Java 8(openjdk版本"1.8.0_191"OpenJDK运行时环境(内部版本1.8.0_191-8u191-b12-2ubuntu0.16.04.1-b12)

I am using java mysql-connector-java (8.0.15) and java 8 (openjdk version "1.8.0_191" OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-2ubuntu0.16.04.1-b12)

当我使用以下程序列出可用的密码时，我得到 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 密码可用.

When I list the available ciphers using the below program I get the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher as available.

下面是列出可用密码的程序 https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java

Below is the program to list the ciphers available https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java

但是当我在ssl上启用调试模式时，我得到了忽略不受支持的密码套件:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.

But when I enable debug mode on ssl I get Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.

以及以下消息

即将进行的握手状态:server_hello [2]

upcoming handshake states: server_hello[2]

*** ClientHello，TLSv1.1RandomCookie:GMT:1535642319字节= {168，0，213，212，68，19，189，131，12，147，76，108，65，77，56，170，35，147，119，196，102，161、241、133、49、97、153、200}会话ID:{}密码套件:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA，TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA，TLS_RSA_WITH_AES_256_CBC_SHA，TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA，TLS_ECDH_RSA_WITH_AES_256_CBC_SHA，TLS_DHE_RSA_WITH_AES_256_CBC_SHA，TLS_DHE_DSS_WITH_AES_256_CBC_SHA，TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA，TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA，TLS_RSA_WITH_AES_128_CBC_SHA，TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA，TLS_ECDH_RSA_WITH_AES_128_CBC_SHA，TLS_DHE_RSA_WITH_AES_128_CBC_SHA，TLS_DHE_DSS_WITH_AES_128_CBC_SHA，TLS_EMPTY_RENEGOTIATION_INFO_SCSV]压缩方式:{0}

*** ClientHello, TLSv1.1 RandomCookie: GMT: 1535642319 bytes = { 168, 0, 213, 212, 68, 19, 189, 131, 12, 147, 76, 108, 65, 77, 56, 170, 35, 147, 119, 196, 102, 161, 241, 133, 49, 97, 153, 200 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 }

当服务器使用TLSv1.2时，客户端开始通过TLSv1.1进行通信

Here the client starts communicating through TLSv1.1 when the server is using TLSv1.2

我还注意到ExportControlled.java(包com.mysql.cj.protocol;)创建SSLContext为(第563行)

I also noticed that the ExportControlled.java (package com.mysql.cj.protocol;) creates SSLContext as (line 563)

try{
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms.toArray(new TrustManager[tms.size()]), null);
        return sslContext;

    }

请帮助我了解为什么会忽略可用密码以及如何连接到服务器

Please help me understand why the available cipher is ignored and what should I do to connect to the server

推荐答案

这很简单，我只需要将enabledTLSProtocols参数添加到jdbc网址

It is very simple, I just had to add the enabledTLSProtocols parameter to the jdbc url

例如:-

jdbc:mysql://<hostname>:3115/<schema>?enabledTLSProtocols=TLSv1.2

这篇关于与SSL的mysql jdbc连接在tls握手级别失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！