Elastic APM Java agent interferes with the HTTPS client cipher suite set
March 25, 2020

I have an application running on OpenJDK 11 that connects to an HTTP server. Using Wireshark, I can see that the Java application offers the following cipher suites in the TLS 1.2 handshake:

Client Cipher Suites (29 suites) (without Elastic APM agent loaded)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)              also with APM loaded
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)          also with APM loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)          also with APM loaded
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)                 also with APM loaded
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)             also with APM loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)             also with APM loaded
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)              also with APM loaded
    Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
    Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)          also with APM loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)          also with APM loaded
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)        insecure
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)          insecure
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)                insecure
    Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)         insecure
    Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)           insecure
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)            insecure
    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)            insecure
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

But when I load the Elastic APM agent (version 1.14.0), the Java application can no longer connect to the HTTP server, which results in a TLS handshake failure.

The HTTP server is configured to accept only TLS_ECDHE_RSA_AES* ciphers, but all of these ciphers are removed once the agent is loaded, as you can see below:

Client Cipher Suites (21 suites) (with Elastic APM agent loaded)
    Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)                   only with APM agent loaded
    Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)                   only with APM agent loaded
    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)          only with APM agent loaded
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)      only with APM agent loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)      only with APM agent loaded
    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)          only with APM agent loaded
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)      only with APM agent loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)      only with APM agent loaded
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)             only with APM agent loaded
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)         only with APM agent loaded
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)         only with APM agent loaded
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)             only with APM agent loaded
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Question: how can I enable the missing ciphers?

Versions:
* openjdk 11.0.5+10
* Elastic APM agent: 1.14.0

The Elastic APM agent is loaded as follows:

java
...
-javaagent:/opt/elk_apm/elastic-apm-agent.jar
-Delastic.apm.service_name=my_application
-Delastic.apm.server_urls=http://192.168.1.100:8200/
-Delastic.apm.application_packages=package1,package2

Thanks.

...
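A diagnostic for the situation described in the question, added here as an example and not part of the original post: it prints what the JVM's default TLS context will offer, so the output can be compared between a run with `-javaagent` and a run without it, without needing a packet capture. The class name `CipherSuiteCheck` and the prefix constant are assumptions; the prefix is taken from the ECDHE_RSA suite names in the capture above.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): run it twice, with and without the agent.
public class CipherSuiteCheck {
    // Assumption: the suites the server accepts start with this prefix.
    static final String REQUIRED_PREFIX = "TLS_ECDHE_RSA_WITH_AES";

    static List<String> matching(String[] suites, String prefix) {
        return Arrays.stream(suites).filter(s -> s.startsWith(prefix))
                .collect(Collectors.toList());
    }

    // ECDHE key exchange needs an EC implementation from some registered provider.
    static String ecProvider() {
        try {
            return KeyPairGenerator.getInstance("EC").getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return "none (no provider offers EC key generation)";
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Enabled protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("Enabled suites (" + enabled.getCipherSuites().length + "):");
        for (String s : enabled.getCipherSuites()) System.out.println("  " + s);

        List<String> on = matching(enabled.getCipherSuites(), REQUIRED_PREFIX);
        System.out.println("Enabled   " + REQUIRED_PREFIX + "*: " + on);
        System.out.println("Supported " + REQUIRED_PREFIX + "*: "
                + matching(supported.getCipherSuites(), REQUIRED_PREFIX));

        // Context that decides which suites the JVM can offer.
        System.out.println("EC key generation provider: " + ecProvider());
        for (Provider p : Security.getProviders())
            System.out.println("Provider: " + p.getName() + " " + p.getVersionStr());
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.client.cipherSuites = "
                + System.getProperty("jdk.tls.client.cipherSuites"));
        if (on.isEmpty()) System.exit(1); // non-zero exit: the required suites are not offered
    }
}
```

Differences in the provider list, the EC provider line or the two `jdk.tls.*` values between the two runs show where the cipher suite set diverges.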