问题现象:
和客户对接时,客户请求我们的 https 接口报错 java.net.SocketException:Connection reset。
原因分析:
根据客户提供的服务异常信息,可以大略猜到是 SSL 的问题。
我们这边的 Nginx SSL 配置为 :
ssl_protocols TLSv1.1 TLSv1.2;
或者使用命令 nmap --script ssl-enum-ciphers -p 443 foobar.com 查看:
# nmap --script ssl-enum-ciphers -p 443 foobar.com
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-06 14:12 CST
Nmap scan report for foobar.com (120.77.XXX.XXX)
Host is up (0.00025s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
从客户那边了解到他们服务的 JDK 版本为 1.7 版本。
经过网上搜索发现 JDK 7 默认支持的 TLS 版本为 TLSv1 。
https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
我们的 Nginx 没有启用 TLSv1 ,所以使用 JDK 7 的 Java 服务在请求我们的 https 接口时,在 TLS 握手阶段,就被 Nginx 断开连接了。
解决办法
1、修改 Nginx 配置添加 TLSv1 版本的支持。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
使用 nmap --script ssl-enum-ciphers -p 443 foobar.com 验证结果,可以查看支持了 TLSv1.0 。
# nmap --script ssl-enum-ciphers -p 443 foobar.com
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-06 11:34 CST
Nmap scan report for foobar.com (120.77.XXX.XXX)
Host is up (0.0032s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
2、Java 服务启动时加上 JVM 参数:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
参考:
- Diagnosing TLS, SSL, and HTTPS:https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
- Enable TLS 1.1 and 1.2 for Clients on Java 7:https://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7
网友评论