
After updating the JRE to 7u51 I ran into problems. Before that, everything worked.

I have a web application running on Tomcat that uses the Mozilla NSS library to achieve FIPS 140-2 compliance when using SSL/TLS. To do this, I had to change the default SunJSSE provider to my custom SunPKCS11-NSSFIPS provider.

Everything starts fine. The server reports that it is ready, but when I try to hit it from a web browser I get a "connection was interrupted" error.

Looking at the logs on the server, I see:

Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: Could not generate dummy secret
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
    at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:281)
    at sun.security.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(RSAClientKeyExchange.java:245)
    at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:167)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:190)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
    ... 5 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS
    at sun.security.jca.GetInstance.getService(GetInstance.java:100)
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
    at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
    at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:270)
    ... 15 more

I believe this is because the browser is trying to perform the handshake using TLSv1.2, but my security provider cannot handle it. Is there a way to work around this while still using my custom provider?

After that stack trace there is another one in the log file:

Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE: 
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1064)
    at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
    ... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: init() failed
    at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:89)
    at javax.crypto.KeyGenerator.init(KeyGenerator.java:431)
    at javax.crypto.KeyGenerator.init(KeyGenerator.java:414)
    at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
    ... 14 more
Caused by: java.security.InvalidKeyException: Could not create key
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:270)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:175)
    at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
    at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:87)
    ... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
    at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:265)
    ... 20 more

Any help would be greatly appreciated.


1 Answer


If I remember correctly, NSS does not support TLS 1.2 yet. So you should not initiate a TLS 1.2 handshake. Some browsers have changed their default TLS version to 1.2. You have to change it to TLS 1.1 and try again.

answered 2014-04-22T04:22:30.323
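The first stack trace fails at `JsseJce.getKeyGenerator`, where JSSE asks the configured provider for the `SunTls12RsaPremasterSecret` KeyGenerator that TLS 1.2 key derivation needs. A provider can be checked for exactly those services before it is made the default for a connector. The program below is an added example, not code from the question, the answer, or the JDK; it performs the same provider-bound `KeyGenerator.getInstance` lookup that JSSE does for the TLS 1.0/1.1 and TLS 1.2 algorithm names used by `sun.security.ssl` in Java 7/8. The provider name `SunPKCS11-NSSFIPS` is taken from the question and assumed to already be registered in `java.security`; on a stock JDK the check can be run against `SunJCE` instead.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyGenerator;

/**
 * Checks whether a JCA provider offers the KeyGenerator services that
 * sun.security.ssl (Java 7/8) requests during a TLS handshake, so a
 * PKCS#11/NSS provider can be vetted for TLS 1.2 before a connector uses it.
 */
public class TlsProviderCheck {

    // Algorithm names JSSE requests for TLS 1.0 and 1.1 (MD5/SHA-1 PRF).
    static final String[] TLS_LEGACY = {
        "SunTlsRsaPremasterSecret", "SunTlsMasterSecret",
        "SunTlsKeyMaterial", "SunTlsPrf"
    };

    // Algorithm names JSSE requests for TLS 1.2 (SHA-256 based PRF).
    // "SunTls12RsaPremasterSecret" is the one reported missing in the
    // NoSuchAlgorithmException of the question's first stack trace.
    static final String[] TLS12 = {
        "SunTls12RsaPremasterSecret", "SunTls12MasterSecret",
        "SunTls12KeyMaterial", "SunTls12Prf"
    };

    /** Returns the names in {@code algorithms} that provider {@code p} cannot supply. */
    static List<String> missing(Provider p, String[] algorithms) {
        List<String> absent = new ArrayList<String>();
        for (String alg : algorithms) {
            try {
                // Same lookup JsseJce.getKeyGenerator performs: bound to one provider,
                // so a service only available from another provider does not mask the gap.
                KeyGenerator.getInstance(alg, p);
            } catch (NoSuchAlgorithmException e) {
                absent.add(alg);
            }
        }
        return absent;
    }

    public static void main(String[] args) {
        // Provider name as registered in java.security. "SunPKCS11-NSSFIPS" is the
        // asker's provider name (assumed to be installed); "SunJCE" works on any JDK.
        String name = args.length > 0 ? args[0] : "SunJCE";
        Provider p = Security.getProvider(name);
        if (p == null) {
            System.err.println("Provider not installed: " + name);
            System.err.println("Installed providers: " + Arrays.toString(Security.getProviders()));
            System.exit(2);
        }

        List<String> legacyMissing = missing(p, TLS_LEGACY);
        List<String> tls12Missing = missing(p, TLS12);

        System.out.println(p.getName() + " " + p.getVersion());
        System.out.println("TLS 1.0/1.1 key derivation: "
            + (legacyMissing.isEmpty() ? "OK" : "missing " + legacyMissing));
        System.out.println("TLS 1.2 key derivation:     "
            + (tls12Missing.isEmpty() ? "OK" : "missing " + tls12Missing));

        // Non-zero exit when TLS 1.2 cannot be derived by this provider, so a
        // deployment script can refuse to enable TLSv1.2 on the connector.
        System.exit(tls12Missing.isEmpty() ? 0 : 1);
    }
}
```

Run it with the provider configured the same way Tomcat sees it, e.g. `java TlsProviderCheck SunPKCS11-NSSFIPS`. If only the TLS 1.2 names are missing, the connector can be limited to what the provider can derive until the provider is fixed; on a Tomcat 7 JSSE connector that is the `sslEnabledProtocols="TLSv1,TLSv1.1"` attribute in server.xml. The second stack trace (`CKR_ATTRIBUTE_VALUE_INVALID` from `C_CreateObject`) is a different failure, raised by the token when the master-secret generator tries to import a key object, and this check does not exercise it.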