我在 Windows 10 机器上安装了 PostgreSQL 12.1。我正在尝试使用 PostgreSQL JDBC 42.2.10 连接到该服务器,JDBC 客户端运行在用 jlink 创建的 AdoptOpenJDK 11.0.7 运行时中。服务器使用的自签名证书采用 2048 位 RSA 密钥和 SHA256 签名。我通过打开证书确认了这一点:证书的“签名算法”显示为 sha256RSA,“签名哈希算法”显示为 sha256,“公钥”显示为 RSA (2048 Bits)。
我正在尝试使用 PostgreSQL JDBC 42.2.10 进行连接。
如果我通过在 postgresql.conf 中添加 ssl_max_protocol_version = 'TLSv1.2' 来禁用 TLS 1.3,那么一切正常。但是,如果没有这一行,TLS 握手就会失败,并抛出 handshake_failure 异常。当我查看 PostgreSQL 日志时,看到这样一行内容:
无法接受 SSL 连接:没有合适的密钥共享(英文日志原文应为 could not accept SSL connection: no suitable key share)
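我假设这意味着客户端可接受的密码套件与 PostgreSQL 服务器支持的密码套件之间没有重叠。(注:“没有合适的密钥共享”指的是 supported_groups / key_share 中的密钥交换组未能协商一致,而不是密码套件;下面的 ClientHello 只提供了 ffdhe 系列的组,没有任何椭圆曲线组,这通常出现在 jlink 裁剪的运行时未包含 jdk.crypto.ec 模块时,可用 java --list-modules 核实。)有谁知道如何配置 Java 客户端或 PostgreSQL 服务器,以便通过 TLS 1.3 进行此类通信?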
如果有帮助,下面是我的 TLS ClientHello 消息,取自使用 -Djavax.net.debug=all 命令行参数运行 Java 时的输出。我猜测问题出在 psk_key_exchange_modes 部分中只有一个可用选项:
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "<HEX DATA>",
"session id" : "<HEX DATA>",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301),
TLS_AES_256_GCM_SHA384(0x1302),
TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512,
rsa_pss_pss_sha256,
rsa_pss_pss_sha384,
rsa_pss_pss_sha512,
rsa_pkcs1_sha256,
rsa_pkcs1_sha384,
rsa_pkcs1_sha512,
dsa_sha256,
rsa_sha224,
dsa_sha224,
rsa_pkcs1_sha1,
dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384,
rsa_pss_rsae_sha512,
rsa_pss_pss_sha256,
rsa_pss_pss_sha384,
rsa_pss_pss_sha512,
rsa_pkcs1_sha256,
rsa_pkcs1_sha384,
rsa_pkcs1_sha512,
dsa_sha256,
rsa_sha224,
dsa_sha224,
rsa_pkcs1_sha1,
dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": ffdhe2048
"key_exchange": { <Hex Data> }
},
]
}
]
}