在appengine dev server SDK上强制使用TLS 1.2 [英] Force TLS 1.2 on appengine dev server SDK

问题描述

这与此问题类似：

⌘

code> + ，来调出Preferences，然后将Gradle JVM选项改为使用Project JDK ：
然后运行 gradle clean build 。然后运行 appengineRun gradle任务来启动开发系统，所有应该都可以。

第二个答案在这里：强制TLS> 1.0在Java的AppEngine本地开发服务器上 Java 8默认使用TLSv1.8。

尽管在JRE上开发和测试应用程序完全错误除了它将实际运行的那个之外，需要必须。 ：（

This is similar to this question: Force TLS > 1.0 on AppEngine local development server in Java except that the answer doesn't work because it assumes a static SDK location(?).

I have a Google App Engine application that uses a third party payment library (braintree) that communicates over HTTPS using TLSv1.2. However, whenever the braintree library makes calls to the braintree sandbox environment the resulting urlfetch always gives the following error:

Caused by: javax.net.ssl.SSLHandshakeException: Could not verify SSL certificate for URL: https://api.sandbox.braintreegateway.com:443/merchants/**********/client_token
    at com.google.appengine.api.urlfetch.URLFetchServiceImpl.convertApplicationException(URLFetchServiceImpl.java:174)
    at com.google.appengine.api.urlfetch.URLFetchServiceImpl.fetch(URLFetchServiceImpl.java:43)
    at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.fetchResponse(URLFetchServiceStreamHandler.java:543)
    at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.getInputStream(URLFetchServiceStreamHandler.java:422)
    at com.google.apphosting.utils.security.urlfetch.URLFetchServiceStreamHandler$Connection.getResponseCode(URLFetchServiceStreamHandler.java:275)
    at com.braintreegateway.util.Http.httpRequest(Http.java:120)

Whilst this error only happens on the App Engine development server (and not when deployed into App Engine land), it still means that I can't test the stuff I need to in development.

According to this: https://groups.google.com/forum/#!topic/google-appengine-stackoverflow/tdr4T1CJRn8 the problem is that App Engine isn't using TLSv1.2.

My application is an App Engine app (Standard Environment) using the SDK version 1.9.26.

The appengine section of my gradle configuration looks like so:

appengine {
    httpAddress = "0.0.0.0"
    httpPort = 8888
    downloadSdk = false

    appcfg {
        update {
            useJava7 = true
        }

        jvmFlags = ['-Ddatastore.backing_store=../../src/main/webapp/WEB-INF/appengine-generated/local_db.bin',
                    // Desperation:
                    '-Ddeployment.security.TLSv1.0=false',
                    '-Ddeployment.security.TLSv1.1=false',
                    '-Ddeployment.security.TLSv1.2=true',
                    '-Dhttps.protocols=TLSv1.2',
                    '-Dappengine.fullscan.seconds=5',
                    '-Xdebug',
                    '-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8889',
                    '-XX:MaxPermSize=512m']
        oauth2 = true
        extraOptions = appCfgOpts
    }

    enhancer {
        api = "jdo"
        version = "v1"
        enhanceOnBuild = true
    }

}

I have tried updating the dev_appserver.sh in my local appengine-sdk directory to read:

exec "${RUN_JAVA}" "${SCRIPT_NAME}" \
    -Dhttps.protocols=TLSv1.2 -Ddeployment.security.TLSv1.0=false -Ddeployment.security.TLSv1.1=false -Ddeployment.security.TLSv1.2=true -ea -cp "${JAR_FILE}" \
    com.google.appengine.tools.KickStart \
    com.google.appengine.tools.development.DevAppServerMain "$@"

and setting downloadSdk = false and setting the appengine.sdk.root so that the gradle appengineRun task actually uses it.

I cannot use Java 8. I have also tried putting this in my code: System.setProperty("https.protocols", "TLSv1.2");

None of this works. Either I'm barking up the wrong tree, and trying all the wrong things, or I'm doing something wrong.

How can I get this to work?

Update:

It looks like the problem is actually that the sslSocketFactory is never created, because urlfetch will never return an HttpsURLConnection (App Engine URLfetch to validate self-signed certificate)

Still searching for a resolution.

解决方案

To fix this I had to run the project locally under the Java 8 SDK. Even though Java 8 isn't supported on App Engine yet, at least I can make Braintree sandbox payments in development and actually test my workflow.

I can then rely on the build server to check it still builds under Java 7.

To do this in IntelliJ:

⌘+; to bring up Project Settings, then change the Project SDK to Java 1.8:

⌘+, to bring up Preferences, then change the Gradle JVM option to Use Project JDK:

Then run gradle clean build. Then run the appengineRun gradle task to start up the dev system and all should be fine.

As mentioned in the second answer here: Force TLS > 1.0 on AppEngine local development server in Java Java 8 uses TLSv1.8 by default.

Even though it feels totally wrong developing and testing your app on a JRE other than the one it will actually be run on, needs must. :(

这篇关于在appengine dev server SDK上强制使用TLS 1.2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！