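HCP JEE6 destination application fails when the server does not support TLS 1.0

We are consuming RESTful services that are external to our Hana Cloud Platform Java application. We are able to interact with them through HCP destinations set up for this purpose, using the Apache HttpClient (v4.1.3) that is provided as part of the JEE6 profile and other HCP libraries. The application is configured to use JRE 7.
The integration infrastructure vendor we are connecting to recently disabled TLSv1.0, and since then we have been getting an error when trying to connect to the REST services.
Here is the stack trace: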
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:150)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:575)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
at com.sap.core.connectivity.httpdestination.client.RequestDirectorExtender.execute(RequestDirectorExtender.java:47)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper$2.execute(AbstractHttpClientWrapper.java:141)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper$2.execute(AbstractHttpClientWrapper.java:1)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.executeOperation(AbstractHttpClientWrapper.java:300)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:277)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:132)
at com.sap.core.connectivity.httpdestination.impl.AbstractHttpClientWrapper.execute(AbstractHttpClientWrapper.java:126)
at my.domain.hcp.HttpRequestSupport.service(HttpRequestSupport.java:124)
at my.domain.gap.proxy.ProxyServlet.service(ProxyServlet.java:36)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.sap.core.communication.server.CertValidatorFilter.doFilter(CertValidatorFilter.java:156)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.eclipse.virgo.web.enterprise.security.valve.OpenEjbSecurityInitializationValve.invoke(OpenEjbSecurityInitializationValve.java:44)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
at com.sap.core.jpaas.security.auth.service.lib.AbstractAuthenticator.invoke(AbstractAuthenticator.java:170)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at com.sap.core.tenant.valve.TenantValidationValve.invokeNextValve(TenantValidationValve.java:168)
at com.sap.core.tenant.valve.TenantValidationValve.invoke(TenantValidationValve.java:94)
at com.sap.js.statistics.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:38)
at com.sap.core.js.monitoring.tomcat.valve.RequestTracingValve.invoke(RequestTracingValve.java:27)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1083)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:640)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:807)
We have tried adding a JVM argument to the Java application to force it to use TLSv1.1 or TLSv1.2 instead of TLSv1.0:
-Dhttps.protocols=TLSv1.1,TLSv1.2
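Setting the JVM argument does nothing; it looks like the Apache HttpClient library ignores this setting. Is there another way to force Apache HttpClient (v4.1.3) to use a newer version of TLS?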
I am posting it here because I think someone might find this useful. The TLS protocol problem was identified using the following excellent tool: https://www.ssllabs.com/ssltest/analyze.html – juanheyns