After updating the JRE to 7u51, I ran into a problem. Before that, everything worked fine.
I have a web application running on Tomcat that uses the Mozilla NSS library to achieve FIPS 140-2 compliance when using SSL/TLS. To do this, I had to change the default SunJSSE provider to my custom SunPKCS11-NSSFIPS provider.
Everything starts up fine. The server reports that it is ready, but when I try to hit it from a web browser I get a "Connection was interrupted" error.
Looking at the log on the server, I see:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:281)
at sun.security.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(RSAClientKeyExchange.java:245)
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:167)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:190)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:100)
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:270)
... 15 more
I believe this is because the browser is trying to perform the handshake using TLSv1.2, but my security provider cannot handle it. Is there a way to work around this while still using my custom provider?
After that stack trace, there is another one in the log file:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1064)
at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:89)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:431)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:414)
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
... 14 more
Caused by: java.security.InvalidKeyException: Could not create key
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:270)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:175)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:87)
... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:265)
... 20 more
Any help would be greatly appreciated.
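The first trace fails in JsseJce.getKeyGenerator because the PKCS11 provider exposes no "SunTls12RsaPremasterSecret" service; the second fails later, when the token rejects the master-secret object with CKR_ATTRIBUTE_VALUE_INVALID. The following diagnostic is an added example, not the asker's code: it asks an installed provider for the KeyGenerator algorithms SunJSSE requests during an RSA key exchange (the TLS 1.2 name is the one in the trace; the companion names are those used by the same JDK 7/8 JSSE code) and prints which are missing, alongside the protocols the default SSLContext will offer. It assumes the provider is already registered under the name used in the question (passed as the first argument, defaulting to SunPKCS11-NSSFIPS). It catches the first failure before the provider is made the default; the token-side rejection in the second trace only shows up during a real handshake.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.net.ssl.SSLContext;

/**
 * Added diagnostic (not part of the original question): reports which of the
 * TLS key-derivation KeyGenerator algorithms that SunJSSE requests are absent
 * from a given installed provider, so a missing TLS 1.2 service is found
 * before the provider is wired in as the default for SSL/TLS.
 */
public class TlsProviderCheck {

    // KeyGenerator names SunJSSE (JDK 7/8) looks up during an RSA key exchange.
    // The "12" variants are required for TLS 1.2 sessions.
    private static final String[] TLS10_ALGS = {
        "SunTlsRsaPremasterSecret", "SunTlsMasterSecret",
        "SunTlsKeyMaterial", "SunTlsPrf"
    };
    private static final String[] TLS12_ALGS = {
        "SunTls12RsaPremasterSecret", "SunTls12MasterSecret",
        "SunTls12KeyMaterial", "SunTls12Prf"
    };

    /** Returns the names in 'wanted' that provider 'p' cannot instantiate. */
    public static List<String> missingKeyGenerators(Provider p, String[] wanted) {
        List<String> missing = new ArrayList<String>();
        for (String alg : wanted) {
            try {
                // Same lookup JsseJce.getKeyGenerator performs at handshake time.
                KeyGenerator.getInstance(alg, p);
            } catch (NoSuchAlgorithmException e) {
                missing.add(alg);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the provider is already registered (e.g. via java.security)
        // under this name; the default is the name used in the question.
        String name = args.length > 0 ? args[0] : "SunPKCS11-NSSFIPS";
        Provider p = Security.getProvider(name);
        if (p == null) {
            System.err.println("Provider not installed: " + name);
            for (Provider q : Security.getProviders()) {
                System.err.println("  installed: " + q.getName());
            }
            System.exit(1);
        }
        System.out.println("Provider " + p.getName() + " " + p.getVersion());

        List<String> tls10Missing = missingKeyGenerators(p, TLS10_ALGS);
        List<String> tls12Missing = missingKeyGenerators(p, TLS12_ALGS);
        System.out.println("TLS 1.0/1.1 key derivation: "
            + (tls10Missing.isEmpty() ? "supported" : "missing " + tls10Missing));
        System.out.println("TLS 1.2 key derivation:     "
            + (tls12Missing.isEmpty() ? "supported" : "missing " + tls12Missing));

        // Protocols the default SSLContext will offer. If TLSv1.2 is listed but
        // the TLS 1.2 generators above are missing, a TLS 1.2 client will hit the
        // NoSuchAlgorithmException seen in the first trace.
        String[] protocols = SSLContext.getDefault()
            .getSupportedSSLParameters().getProtocols();
        System.out.println("Default SSLContext protocols: " + Arrays.toString(protocols));
    }
}
```

Run it with the same JRE and java.security configuration as Tomcat (`java TlsProviderCheck SunPKCS11-NSSFIPS`); a "missing" line for the TLS 1.2 set with TLSv1.2 still among the offered protocols reproduces the mismatch in the first trace without opening a listener.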