When running a Java 8 application on JBoss EAP 6.4 with two web services:
- Service A: the first is used to authorize the user inside the application. Only TLSv1.0 is supported.
- Service B: the second sends data to a remote server, and TLSv1.2 is mandatory.
If we bypass service A using a mock service, everything works fine. When service A is fully active, we get a javax.net.ssl.SSLHandshakeException when calling service B (TLSv1.2), and the two services are completely unrelated:
13:52:45,583 INFO [stdout] (http-localhost/127.0.0.1:8080-1) %% No cached client session
13:52:45,586 INFO [stdout] (http-localhost/127.0.0.1:8080-1) *** ClientHello, TLSv1
13:52:45,671 INFO [stdout] (http-localhost/127.0.0.1:8080-1) RandomCookie: GMT: 1596389773 bytes = { 51, 254, 72, 33, 215, 73, 245, 224, 39, 70, 115, 215, 105, 88, 13, 193, 129, 242, 239, 64, 64, 80, 10, 84, 111, 21, 55, 170 }
13:52:45,675 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Session ID: {}
13:52:45,677 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
13:52:45,683 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Compression Methods: { 0 }
13:52:45,686 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
13:52:45,688 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Extension ec_point_formats, formats: [uncompressed]
13:52:45,691 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Extension server_name, server_name: [type=host_name (0), value=webpubpyf.igae.hacienda.gob.es]
13:52:45,692 INFO [stdout] (http-localhost/127.0.0.1:8080-1) Extension renegotiation_info, renegotiated_connection: <empty>
13:52:45,694 INFO [stdout] (http-localhost/127.0.0.1:8080-1) ***
13:52:45,696 INFO [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, WRITE: TLSv1 Handshake, length = 179
13:52:45,717 INFO [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, READ: TLSv1 Alert, length = 2
13:52:45,724 INFO [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
13:52:45,726 INFO [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, called closeSocket()
13:52:45,729 INFO [stdout] (http-localhost/127.0.0.1:8080-1) http-localhost/127.0.0.1:8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
It seems that TLSv1.2 is not used for the connection because of service A (as if the protocol version got stuck), although we explicitly specified it in cxf-config.xml:
<http:conduit id="mockConduit"
              name="{http://mockURL}mockPort.http-conduit">
    <http:authorization>
        <sec:UserName>user</sec:UserName>
        <sec:Password />
    </http:authorization>
    <http:tlsClientParameters disableCNCheck="true" secureSocketProtocol="TLSv1.2">
        <sec:trustManagers>
            <sec:keyStore type="JKS"
                          password="xxxx"
                          file="${truststore.file}" provider="SUN" />
        </sec:trustManagers>
        <!-- These include patterns also admit EXPORT, single-DES, NULL-cipher and
             anonymous-DH suites, which is why they show up in the ClientHello above. -->
        <sec:cipherSuitesFilter>
            <sec:include>.*_EXPORT_.*</sec:include>
            <sec:include>.*_EXPORT1024_.*</sec:include>
            <sec:include>.*_WITH_DES_.*</sec:include>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:include>.*_WITH_NULL_.*</sec:include>
            <sec:include>.*_DH_anon_.*</sec:include>
        </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive" ReceiveTimeout="${timeout.reception}" ConnectionTimeout="${timeout.conection}"/>
</http:conduit>
Thanks for your help.
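The log above shows a ClientHello sent as TLSv1 even though the conduit asks for TLSv1.2, which is the symptom of protocol state being shared between the two clients. A way to rule out process-wide state is to give each remote service its own SSLContext, pin the protocol on the socket itself, and check the negotiated version from the session instead of from javax.net.debug output. The following is an added example written for this page; it is not code from the question or from CXF, and the host names and ports are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example (not from the question or from CXF): one SSLContext per remote
 * service, protocol pinned per socket, negotiated version verified after the
 * handshake. Host names and ports are placeholders.
 */
public class PerServiceTls {

    /* A context built from an explicit protocol name is independent of
     * SSLContext.getDefault() and of the https.protocols system property,
     * both of which are shared by every client in the JVM. */
    static SSLSocketFactory factoryFor(String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(protocol);
        // null = JVM default key and trust managers (assumes the default truststore
        // holds the service's CA; build a TrustManagerFactory for a custom JKS).
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    /* Opens the connection, restricts the enabled protocols to exactly one
     * version before the handshake, and returns the version actually negotiated.
     * A mismatch is reported as an error instead of being silently accepted. */
    static String handshake(SSLSocketFactory factory, String host, int port, String protocol)
            throws IOException {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledProtocols(new String[] { protocol });
            socket.startHandshake();   // throws SSLHandshakeException on a fatal alert
            String negotiated = socket.getSession().getProtocol();
            if (!protocol.equals(negotiated)) {
                throw new IOException("expected " + protocol + " but negotiated " + negotiated);
            }
            return negotiated;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoints standing in for service A (legacy) and service B (TLS 1.2 required).
        SSLSocketFactory legacy = factoryFor("TLSv1");
        SSLSocketFactory modern = factoryFor("TLSv1.2");

        System.out.println("service A: " + handshake(legacy, "service-a.example", 443, "TLSv1"));
        System.out.println("service B: " + handshake(modern, "service-b.example", 443, "TLSv1.2"));
    }
}
```

Calling the two handshakes in either order from the same JVM is the useful check: if service B still negotiates TLSv1.2 after service A has been contacted, the shared state is inside the HTTP client layer (conduit or socket-factory caching) rather than in the JSSE defaults. Note that on Java 8u291 and later, `jdk.tls.disabledAlgorithms` in `java.security` disables TLSv1 and TLSv1.1 by default, so the legacy handshake will fail there regardless of the per-socket setting.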