Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
Following the example at https://zoltanaltfatter....tificate-authentication/ I implemented a SOAP service with access over HTTPS. I want to switch it to GOST algorithms via JCP with an HDImageStore-type container. I installed JCP and issued certificates through the test certification authority https://testca2.cryptopro.ru (GOST R 34.11/34.10-2001). I copied them into the JCP store in c:\\Users\\dim\\AppData\\Local\\Crypto Pro\\. In the application settings:

Code:
server.ssl.protocol = TLS
server.ssl.client-auth = need
server.ssl.enabled = true
server.ssl.key-store=c:\\Users\\dim\\AppData\\Local\\Crypto Pro\\
server.ssl.key-store-provider=JCP
server.ssl.key-store-password=pass123
server.ssl.key-alias=server
server.ssl.key-store-type=HDImageStore
server.ssl.trust-store=classpath:keys/truststore.jks
server.ssl.trust-store-password=pass789

Error:

Code:
Caused by: java.io.IOException: Неверный формат хранилища.
at ru.CryptoPro.JCP.KeyStore.TrustStore.engineLoad(Unknown Source) ~[JCP.jar:40035]
at ru.CryptoPro.JCP.KeyStore.JCPKeyStore.engineLoad(Unknown Source) ~[JCP.jar:40035]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_91]
at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:66) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:209) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:272) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
... 20 common frames omitted

I am asking for help. In which direction should I look?
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
To work with the HDImageStore container store, I created a store in the certificate store and added the certificate to it. I changed the settings:

Code:
server.ssl.protocol = GostTLS
server.ssl.client-auth = need
server.ssl.enabled = true
server.ssl.key-store=c:\store.store
server.ssl.key-store-provider: JCP
server.ssl.key-store-password=pass123
server.ssl.key-alias=server
server.ssl.key-store-type=HDImageStore
server.ssl.trust-store=c:\trust.store
server.ssl.trust-store-password=pass123

Now the error is this:

Code:
java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
at ru.CryptoPro.ssl.cl_8.a(Unknown Source) ~[cpSSL.jar:40035]
at ru.CryptoPro.ssl.cl_13.<init>(Unknown Source) ~[cpSSL.jar:40035]
at ru.CryptoPro.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source) ~[cpSSL.jar:40035]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLEngine(AbstractJsseEndpoint.java:134) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:329) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:175) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1392) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.17.jar:9.0.17]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.17.jar:9.0.17]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91]
Edited by user 15 May 2019 14:22:53 (UTC) | Reason: not specified
Status: Staff member
Groups: Members
Registered: 06.12.2008 (UTC) Posts: 4,006 From: Crypto-Pro Said "Thanks": 21 times Thanked: 715 times in 675 posts
Hello. You also need a parameter to set the cipher suites TLS_CIPHER_2012 and TLS_CIPHER_2001 (possibly server.ssl.ciphers=TLS_CIPHER_2012,TLS_CIPHER_2001), since in ru.CryptoPro.ssl.SSLEngineImpl.setEnabledCipherSuites(), I assume, an unknown set is being passed in.

Edited by user 15 May 2019 15:05:36 (UTC) | Reason: not specified
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
I added server.ssl.ciphers=TLS_CIPHER_2012,TLS_CIPHER_2001

Code:
Caused by: java.lang.IllegalArgumentException: None of the [ciphers] specified are supported by the SSL engine : [[]]
at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:143) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:117) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:114) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:109) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:50) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:88) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1189) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:568) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
... 14 common frames omitted
Status: Staff member
Groups: Members
Registered: 06.12.2008 (UTC) Posts: 4,006 From: Crypto-Pro Said "Thanks": 21 times Thanked: 715 times in 675 posts
Now it does not like our suites. Probably some check is being made for their presence in some list inside Tomcat. To integrate cpssl into Tomcat above 8.5, we had to add our own adapter with a JSSE implementation and pass it to the Tomcat connector. Possibly something like that is needed here too. The adapter itself and a description of it are in the webserverintegration folder of the distribution, in the tomcat9 folder.
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
I wrote:

Code:
import org.apache.catalina.connector.Connector
import org.apache.coyote.http11.Http11NioProtocol
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory
import org.springframework.boot.web.servlet.server.ServletWebServerFactory
import org.springframework.context.annotation.Bean
import org.springframework.core.io.FileSystemResource

// keystorePath, truststorePath, keyStoreType, keystorePass, keysAlias,
// KeyStoreProvider and truststorePass are properties of the enclosing
// configuration class (not shown in the post).
@Bean
fun servletContainer(): ServletWebServerFactory {
    val tomcat = TomcatServletWebServerFactory()
    // A second connector alongside the default HTTP one
    tomcat.addAdditionalTomcatConnectors(createSslConnector())
    return tomcat
}

private fun createSslConnector(): Connector {
    val keystore = FileSystemResource(keystorePath).file
    val truststore = FileSystemResource(truststorePath).file
    val connector = Connector("org.apache.coyote.http11.Http11NioProtocol")
    connector.setEnableLookups(false)
    connector.setScheme("https")
    connector.setSecure(true)
    connector.setPort(8002)
    val protocol = connector.getProtocolHandler() as Http11NioProtocol
    // Key/trust manager algorithms of the JCP provider
    protocol.setAlgorithm("GostX509")
    protocol.setTruststoreAlgorithm("GostX509")
    protocol.setSSLEnabled(true)
    protocol.setKeystoreType(keyStoreType)
    protocol.setKeystoreFile(keystore.absolutePath)
    protocol.setKeystorePass(keystorePass)
    protocol.setKeyAlias(keysAlias)
    protocol.setKeystoreProvider(KeyStoreProvider)
    protocol.setTruststoreType(keyStoreType)
    protocol.setTruststoreFile(truststore.absolutePath)
    protocol.setTruststorePass(truststorePass)
    protocol.setTruststoreProvider(KeyStoreProvider)
    protocol.setSSLProtocol("GostTLS")
    protocol.setCiphers("TLS_CIPHER_2001,TLS_CIPHER_2012")
    protocol.setSslEnabledProtocols("GostTLS,GostTLSv1.1,GostTLSv1.2")
    return connector
}
Error:

Code:
Caused by: java.lang.IllegalArgumentException: None of the [protocols] specified are supported by the SSL engine : [[GostTLS, GostTLSv1.2, GostTLSv1.1]]
at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:143) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:101) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:114) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:109) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:50) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:88) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1189) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:568) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
... 14 common frames omitted
Status: Staff member
Groups: Members
Registered: 06.12.2008 (UTC) Posts: 4,006 From: Crypto-Pro Said "Thanks": 21 times Thanked: 715 times in 675 posts
Try specifying in the algorithms, instead of protocol.setSSLProtocol("GostTLS"); protocol.setSslEnabledProtocols("GostTLS,GostTLSv1.1,GostTLSv1.2"); the following: protocol.setSSLProtocol("TLSv1"); protocol.setSslEnabledProtocols("TLSv1,TLSv1.1,TLSv1.2");
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
Look: if setCiphers is commented out, it starts.

Code:
protocol.setSSLProtocol("GostTLS")
// protocol.setCiphers("TLS_CIPHER_2001,TLS_CIPHER_2012")
protocol.setSslEnabledProtocols("all,GostTLS,GostTLSv1.1,GostTLSv1.2")

Logs:

Code:
2019-05-16 14:33:28.244 INFO 7272 --- [ main] ru.ksbsoft.server.ApplicationKt : Starting ApplicationKt on KSB-002 with PID 7272 (C:\dim4\kotlin\blz\server\target\classes started by ivanov-d in C:\dim4\kotlin\blz)
2019-05-16 14:33:28.246 INFO 7272 --- [ main] ru.ksbsoft.server.ApplicationKt : No active profile set, falling back to default profiles: default
2019-05-16 14:33:29.433 INFO 7272 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'soapServiceConfig' of type [ru.ksbsoft.server.SoapServiceConfig$$EnhancerBySpringCGLIB$$c252ee65] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:33:29.440 INFO 7272 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'tomcatConfig' of type [ru.ksbsoft.server.config.TomcatConfig$$EnhancerBySpringCGLIB$$c58b672b] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:33:29.443 INFO 7272 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.ws.config.annotation.DelegatingWsConfiguration' of type [org.springframework.ws.config.annotation.DelegatingWsConfiguration$$EnhancerBySpringCGLIB$$d8c12e9] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:33:29.491 INFO 7272 --- [ main] .w.s.a.s.AnnotationActionEndpointMapping : Supporting [WS-Addressing August 2004, WS-Addressing 1.0]
2019-05-16 14:33:29.664 WARN 7272 --- [ main] o.apache.tomcat.util.net.SSLHostConfig : The protocol [GostTLS] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
2019-05-16 14:33:29.664 WARN 7272 --- [ main] o.apache.tomcat.util.net.SSLHostConfig : The protocol [GostTLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
2019-05-16 14:33:29.664 WARN 7272 --- [ main] o.apache.tomcat.util.net.SSLHostConfig : The protocol [GostTLSv1.2] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
2019-05-16 14:33:30.332 INFO 7272 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8000 (http) 8002 (https)
2019-05-16 14:33:30.634 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore is : No File Available, using empty keystore.
2019-05-16 14:33:30.634 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore type is : HDImageStore
2019-05-16 14:33:30.634 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore provider is :
2019-05-16 14:33:30.634 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : init truststore
2019-05-16 14:33:31.300 INFO 7272 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : Loading JCP 2.0.40035
2019-05-16 14:33:31.339 INFO 7272 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : JCP loaded.
2019-05-16 14:33:31.478 WARN 7272 --- [ main] o.apache.tomcat.util.net.jsse.JSSEUtil : Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[GostTLS, GostTLSv1.2, GostTLSv1.1]]
2019-05-16 14:33:31.588 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:33:31.658 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:33:31.721 INFO 7272 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:33:31.824 INFO 7272 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2019-05-16 14:33:31.825 INFO 7272 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.17]
2019-05-16 14:33:31.986 INFO 7272 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2019-05-16 14:33:31.986 INFO 7272 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 3680 ms
2019-05-16 14:33:32.570 INFO 7272 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2019-05-16 14:33:32.799 INFO 7272 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8000 (http) 8002 (https) with context path ''
2019-05-16 14:33:32.802 INFO 7272 --- [ main] ru.ksbsoft.server.ApplicationKt : Started ApplicationKt in 5.076 seconds (JVM running for 5.598)
As you can see, o.apache.tomcat.util.net.SSLHostConfig writes "The protocol [GostTLS] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing". Here https://svn.apache.org/v...ion&revision=1681779 they write that OpenSSL requires it. So it turns out GostTLS does not work for me? If instead I specify in the settings:

Code:
protocol.setSSLProtocol("GostTLS")
// protocol.setCiphers("TLS_CIPHER_2001,TLS_CIPHER_2012")
protocol.setSslEnabledProtocols("all,+GostTLS,+GostTLSv1.1,+GostTLSv1.2")

the output is:

Code:
2019-05-16 14:39:05.649 INFO 9260 --- [ main] ru.ksbsoft.server.ApplicationKt : Starting ApplicationKt on KSB-002 with PID 9260 (C:\dim4\kotlin\blz\server\target\classes started by ivanov-d in C:\dim4\kotlin\blz)
2019-05-16 14:39:05.653 INFO 9260 --- [ main] ru.ksbsoft.server.ApplicationKt : No active profile set, falling back to default profiles: default
2019-05-16 14:39:06.810 INFO 9260 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'soapServiceConfig' of type [ru.ksbsoft.server.SoapServiceConfig$$EnhancerBySpringCGLIB$$585ceea1] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:39:06.816 INFO 9260 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'tomcatConfig' of type [ru.ksbsoft.server.config.TomcatConfig$$EnhancerBySpringCGLIB$$5b956767] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:39:06.819 INFO 9260 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.ws.config.annotation.DelegatingWsConfiguration' of type [org.springframework.ws.config.annotation.DelegatingWsConfiguration$$EnhancerBySpringCGLIB$$a3961325] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-16 14:39:06.907 INFO 9260 --- [ main] .w.s.a.s.AnnotationActionEndpointMapping : Supporting [WS-Addressing August 2004, WS-Addressing 1.0]
2019-05-16 14:39:07.722 INFO 9260 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8000 (http) 8002 (https)
2019-05-16 14:39:08.117 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore is : No File Available, using empty keystore.
2019-05-16 14:39:08.118 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore type is : HDImageStore
2019-05-16 14:39:08.118 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore provider is :
2019-05-16 14:39:08.118 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : init truststore
2019-05-16 14:39:08.846 INFO 9260 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : Loading JCP 2.0.40035
2019-05-16 14:39:08.881 INFO 9260 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : JCP loaded.
2019-05-16 14:39:08.991 WARN 9260 --- [ main] o.apache.tomcat.util.net.jsse.JSSEUtil : Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[GostTLS, GostTLSv1.2, GostTLSv1.1]]
2019-05-16 14:39:09.104 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:39:09.183 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:39:09.258 INFO 9260 --- [ main] ru.CryptoPro.ssl.SSLLogger : %% adding as private keys %%
2019-05-16 14:39:09.355 INFO 9260 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2019-05-16 14:39:09.355 INFO 9260 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.17]
2019-05-16 14:39:09.534 INFO 9260 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2019-05-16 14:39:09.534 INFO 9260 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 3822 ms
2019-05-16 14:39:10.049 INFO 9260 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2019-05-16 14:39:10.308 INFO 9260 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8000 (http) 8002 (https) with context path ''
2019-05-16 14:39:10.311 INFO 9260 --- [ main] ru.ksbsoft.server.ApplicationKt : Started ApplicationKt in 5.111 seconds (JVM running for 5.651)
o.apache.tomcat.util.net.jsse.JSSEUtil : Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[GostTLS, GostTLSv1.2, GostTLSv1.1]]

In java.security there is:

Code:
ssl.SocketFactory.provider=ru.CryptoPro.ssl.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=ru.CryptoPro.ssl.SSLServerSocketFactoryImpl

After starting the server, we check:

Code:
c:\Program Files\Crypto Pro\CSP>csptest -tlsc -server 127.0.0.1 -port 8002 -nosave -exchange 3 -proto 6 -v
8 algorithms supported:
Aglid Class OID
[00] 0x661e 0x6000 1.2.643.2.2.21 (ГОСТ 28147-89)
[01] 0x801e 0x8000 1.2.643.2.2.3 (ГОСТ Р 34.11/34.10-2001)
[02] 0x8021 0x8000 1.2.643.7.1.1.2.2 (ГОСТ Р 34.11-2012 256 бит)
[03] 0x801f 0x8000
[04] 0x2e1e 0x2000 1.2.643.2.2.20 (ГОСТ Р 34.10-94)
[05] 0x2e23 0x2000 1.2.643.2.2.19 (ГОСТ Р 34.10-2001)
[06] 0x2e49 0x2000 1.2.643.7.1.1.1.1 (ГОСТ Р 34.10-2012 256 бит)
[07] 0x2e3d 0x2000 1.2.643.7.1.1.1.2 (ГОСТ Р 34.10-2012 512 бит)
Cipher strengths: 256..256
Supported protocols: 0xa80:
Transport Layer Security 1.0 client side
Transport Layer Security 1.1 client side
Transport Layer Security 1.2 client side
dwProtocolMask: 0x800a0aaa
Protocol version: 3.3
ClientHello: RecordLayer: TLS, Len: 88
Cipher Suites: (ff 85) (00 81)
93 bytes of handshake data sent
7 bytes of handshake data received
**** Error 0x80090304 returned by InitializeSecurityContext (2)
An error occurred in running the program.
WebClient.c:623:Error performing handshake.
Error number 0x80090304 (-2146893052).
Не удается установить связь с локальным администратором безопасности
Total: SYS: 0,016 sec USR: 0,000 sec UTC: 0,040 sec
[ErrorCode: 0x80090304]
c:\Program Files\Crypto Pro\CSP>
Edited by user 16 May 2019 14:46:07 (UTC) | Reason: not specified
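The three Tomcat messages that appear in this thread ("Check if a +/- prefix is missing", "Some of the specified [protocols] ... have been skipped" and "None of the [ciphers]/[protocols] specified are supported by the SSL engine") all originate in the same two startup steps of Tomcat 9: SSLHostConfig first parses the attribute string, then SSLUtilBase keeps only the names the SSLEngine reports as implemented. The cipher string goes through one more step, Tomcat's own OpenSSL/JSSE name table, which is why names it does not know (such as TLS_CIPHER_2001 and TLS_CIPHER_2012) reach the engine check as an empty list and produce the "[[]]" seen earlier. The block below is an added example, not code from this thread, from Tomcat or from CryptoPro: a Python re-implementation of those rules as I read them from Tomcat 9's source, so the log lines above can be reproduced offline. The set that "all" expands to, the engine-reported protocol list and the cipher-name table are constructed assumptions for the demo.

```python
"""Added example (not code from the thread, Tomcat or CryptoPro): a Python
re-implementation of the rules Tomcat 9 applies to the sslEnabledProtocols
and ciphers attributes, to show where the messages quoted in this thread
come from. The "all" expansion set, the engine-reported protocol list and
the cipher-name table below are constructed assumptions for the demo."""
import re

# Assumption: what Tomcat 9.0.17 expands the token "all" to for a JSSE
# connector (later releases also add TLSv1.3).
ALL_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")

# Assumption (constructed subset): the JSSE names Tomcat can resolve when it
# parses the ciphers attribute; names outside its table are dropped before
# the SSL engine is consulted.
KNOWN_CIPHER_NAMES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

PREFIX_WARNING = ("The protocol [{}] was added to the list of protocols on the "
                  "SSLHostConfig named [_default_]. Check if a +/- prefix is missing.")


def parse_protocols(spec):
    """Interpret a protocol string the way SSLHostConfig.setProtocols() does.

    Tokens are separated by '+', '-' or ','. '+' adds a name ('all' expands to
    ALL_PROTOCOLS), '-' removes it, and a bare ',' adds it but, once the set is
    already non-empty, logs the "Check if a +/- prefix is missing" warning.
    Returns (set of protocol names, list of warning messages).
    """
    protocols, warnings = set(), []
    # The lookahead keeps each separator as the first character of its token.
    for token in re.split(r"(?=[-+,])", spec):
        t = token.strip()
        if len(t) <= 1:            # a lone separator carries no name
            continue
        if t[0] == "+":
            name = t[1:].strip()
            if name.lower() == "all":
                protocols.update(ALL_PROTOCOLS)
            else:
                protocols.add(name)
        elif t[0] == "-":
            name = t[1:].strip()
            if name.lower() == "all":
                protocols.difference_update(ALL_PROTOCOLS)
            else:
                protocols.discard(name)
        else:
            name = t[1:].strip() if t[0] == "," else t
            if protocols:
                warnings.append(PREFIX_WARNING.format(name))
            if name.lower() == "all":
                protocols.update(ALL_PROTOCOLS)
            else:
                protocols.add(name)
    return protocols, warnings


def resolve_cipher_names(spec):
    """Keep only the comma-separated cipher names Tomcat's table knows."""
    return [c.strip() for c in spec.split(",") if c.strip() in KNOWN_CIPHER_NAMES]


def get_enabled(kind, configured, implemented):
    """Mirror of SSLUtilBase.getEnabled(): intersect the configured names with
    what the SSLEngine reports. No survivors -> the IllegalArgumentException
    seen in the thread; partial survivors -> the "have been skipped" warning.
    Returns (enabled list, warning message or None)."""
    enabled = [c for c in configured if c in implemented]
    if not enabled:
        raise ValueError(f"None of the [{kind}] specified are supported by the "
                         f"SSL engine : [{list(configured)}]")
    skipped = [c for c in configured if c not in implemented]
    warning = None
    if skipped:
        warning = (f"Some of the specified [{kind}] are not supported by the SSL "
                   f"engine and have been skipped: [{skipped}]")
    return enabled, warning


def check_connector(protocol_spec, cipher_spec, engine_protocols):
    """Run both attributes through the pipeline Tomcat applies at startup and
    report what the connector would actually be left with."""
    protocols, prefix_warnings = parse_protocols(protocol_spec)
    enabled_protocols, skip_warning = get_enabled("protocols", sorted(protocols), engine_protocols)
    enabled_ciphers, _ = get_enabled("ciphers", resolve_cipher_names(cipher_spec), KNOWN_CIPHER_NAMES)
    return {
        "protocols": enabled_protocols,
        "ciphers": enabled_ciphers,
        "warnings": prefix_warnings + ([skip_warning] if skip_warning else []),
    }


if __name__ == "__main__":
    # Constructed: the engine in the thread only reported the standard TLS names.
    engine = {"TLSv1", "TLSv1.1", "TLSv1.2"}
    for spec in ("all,GostTLS,GostTLSv1.1,GostTLSv1.2",
                 "all,+GostTLS,+GostTLSv1.1,+GostTLSv1.2"):
        result = check_connector(spec, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", engine)
        print(spec, "->", result["protocols"], f"{len(result['warnings'])} warning(s)")
```

The practical check this gives a defender: adding "+" silences the prefix warnings but does not change the resulting set, and when the startup log still says the Gost names "have been skipped", the connector has been left with only the TLSv1.x names the engine reported. Whether GOST suites are really in use should then be confirmed on the wire (as the csptest run above does) rather than inferred from the configuration.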
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
Quote from Евгений Афанасьев: Try specifying in the algorithms, instead of protocol.setSSLProtocol("GostTLS"); protocol.setSslEnabledProtocols("GostTLS,GostTLSv1.1,GostTLSv1.2"); the following: protocol.setSSLProtocol("TLSv1"); protocol.setSslEnabledProtocols("TLSv1,TLSv1.1,TLSv1.2");

Code:
protocol.setSSLProtocol("TLSv1")
protocol.setSslEnabledProtocols("TLSv1,TLSv1.1,TLSv1.2")
// protocol.ciphers = "TLS_CIPHER_2001,TLS_CIPHER_2012"

Testing:

Code:
c:\Program Files\Crypto Pro\CSP>csptest -tlsc -server 127.0.0.1 -port 8002 -nosave -exchange 3 -proto 6 -v
8 algorithms supported:
Aglid Class OID
[00] 0x661e 0x6000 1.2.643.2.2.21 (ГОСТ 28147-89)
[01] 0x801e 0x8000 1.2.643.2.2.3 (ГОСТ Р 34.11/34.10-2001)
[02] 0x8021 0x8000 1.2.643.7.1.1.2.2 (ГОСТ Р 34.11-2012 256 бит)
[03] 0x801f 0x8000
[04] 0x2e1e 0x2000 1.2.643.2.2.20 (ГОСТ Р 34.10-94)
[05] 0x2e23 0x2000 1.2.643.2.2.19 (ГОСТ Р 34.10-2001)
[06] 0x2e49 0x2000 1.2.643.7.1.1.1.1 (ГОСТ Р 34.10-2012 256 бит)
[07] 0x2e3d 0x2000 1.2.643.7.1.1.1.2 (ГОСТ Р 34.10-2012 512 бит)
Cipher strengths: 256..256
Supported protocols: 0xa80:
Transport Layer Security 1.0 client side
Transport Layer Security 1.1 client side
Transport Layer Security 1.2 client side
dwProtocolMask: 0x800a0aaa
Protocol version: 3.3
ClientHello: RecordLayer: TLS, Len: 88
Cipher Suites: (ff 85) (00 81)
93 bytes of handshake data sent
7 bytes of handshake data received
**** Error 0x80090304 returned by InitializeSecurityContext (2)
An error occurred in running the program.
WebClient.c:623:Error performing handshake.
Error number 0x80090304 (-2146893052).
Не удается установить связь с локальным администратором безопасности
Total: SYS: 0,000 sec USR: 0,000 sec UTC: 0,042 sec
[ErrorCode: 0x80090304]
Status: Active member
Groups: Members
Registered: 15.05.2019 (UTC) Posts: 33
According to the JCP documentation for Tomcat 9, How_to_set_gost_tls_tomcat9.docx, it says you must add

Code:
sslImplementationName=ru.CryptoPro.ssl.tomcat.jsse.JCPJSSEImplementation

For this I placed the ready-made JCPTomcatAdapter library next to Tomcat. In Tomcat 9 some configuration attributes have changed, see https://tomcat.apache.or...9.0-doc/config/http.html. Now the code looks like this:

Code:
protocol.setSslImplementationName("ru.CryptoPro.ssl.tomcat.jsse.JCPJSSEImplementation")
protocol.setAlgorithm("GostX509")
protocol.setTruststoreAlgorithm("GostX509")
protocol.setSSLEnabled(true)
protocol.setUseServerCipherSuitesOrder(true)
protocol.setKeystoreType("HDImageStore")
protocol.setKeystoreFile(keystore.absolutePath)
protocol.setKeystorePass("pass123")
protocol.setKeyAlias("server")
protocol.setKeystoreProvider("JCP")
protocol.setTruststoreType("CertStore")
protocol.setTruststoreFile(truststore.absolutePath)
protocol.setTruststorePass("pass123")
protocol.setTruststoreProvider("JCP")
protocol.setSSLProtocol("GostTLS")
protocol.setSslEnabledProtocols("TLSv1")
protocol.ciphers = "TLS_CIPHER_2001,TLS_CIPHER_2012"

The server starts, but when I access it the following error appears:

Code:
java.lang.IllegalStateException: SSLContextImpl is not initialized
at sun.security.ssl.SSLContextImpl.engineCreateSSLEngine(SSLContextImpl.java:196) ~[na:1.8.0_211]
at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:329) ~[na:1.8.0_211]
at ru.CryptoPro.ssl.tomcat.jsse.JCPSSLContext.createSSLEngine(JCPSSLContext.java:35) ~[JCPTomcatAdapter-1.0-SNAPSHOT.jar:na]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLEngine(AbstractJsseEndpoint.java:119) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:329) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:175) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1392) ~[tomcat-embed-core-9.0.17.jar:9.0.17]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.17.jar:9.0.17]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_211]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_211]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.17.jar:9.0.17]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_211]
although at startup it writes ru.CryptoPro.ssl.SSLLogger : SSLContextImpl initialized.

Code:
2019-05-17 14:16:17.907 INFO 11364 --- [ main] ru.ksbsoft.server.ApplicationKt : Starting ApplicationKt on KSB-002 with PID 11364 (C:\dim4\kotlin\blz\server\target\classes started by ivanov-d in C:\dim4\kotlin\blz)
2019-05-17 14:16:17.910 INFO 11364 --- [ main] ru.ksbsoft.server.ApplicationKt : No active profile set, falling back to default profiles: default
2019-05-17 14:16:19.600 INFO 11364 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'soapServiceConfig' of type [ru.ksbsoft.server.SoapServiceConfig$$EnhancerBySpringCGLIB$$4c1363d8] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-17 14:16:19.609 INFO 11364 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'tomcatConfig' of type [ru.ksbsoft.server.config.TomcatConfig$$EnhancerBySpringCGLIB$$4f4bdc9e] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-17 14:16:19.613 INFO 11364 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'tomcatTConfig' of type [ru.ksbsoft.server.config.TomcatTConfig$$EnhancerBySpringCGLIB$$84a06b3e] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-17 14:16:19.617 INFO 11364 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.ws.config.annotation.DelegatingWsConfiguration' of type [org.springframework.ws.config.annotation.DelegatingWsConfiguration$$EnhancerBySpringCGLIB$$974c885c] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2019-05-17 14:16:19.658 INFO 11364 --- [ main] .w.s.a.s.AnnotationActionEndpointMapping : Supporting [WS-Addressing August 2004, WS-Addressing 1.0]
2019-05-17 14:16:20.181 INFO 11364 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8000 (http) 8002 (https)
2019-05-17 14:16:20.410 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : SSLContextImpl init.
2019-05-17 14:16:20.413 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore is : No File Available, using empty keystore.
2019-05-17 14:16:20.414 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore type is : HDImageStore
2019-05-17 14:16:20.414 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : trustStore provider is :
2019-05-17 14:16:20.414 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : init truststore
2019-05-17 14:16:20.971 INFO 11364 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : Loading JCP 2.0.40035
2019-05-17 14:16:21.004 INFO 11364 --- [ main] ru.CryptoPro.JCP.tools.JCPLogger : JCP loaded.
2019-05-17 14:16:21.061 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : trigger seeding of SecureRandom
2019-05-17 14:16:21.061 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : done seeding SecureRandom
2019-05-17 14:16:21.061 INFO 11364 --- [ main] ru.CryptoPro.ssl.SSLLogger : SSLContextImpl initialized.
2019-05-17 14:16:21.279 INFO 11364 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2019-05-17 14:16:21.279 INFO 11364 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.17]
2019-05-17 14:16:21.440 INFO 11364 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2019-05-17 14:16:21.440 INFO 11364 --- [ main] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 3453 ms
2019-05-17 14:16:21.909 INFO 11364 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2019-05-17 14:16:22.103 INFO 11364 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8000 (http) 8002 (https) with context path ''
2019-05-17 14:16:22.105 INFO 11364 --- [ main] ru.ksbsoft.server.ApplicationKt : Started ApplicationKt in 4.732 seconds (JVM running for 5.296)
2019-05-17 14:16:29.069 ERROR 11364 --- [nio-8002-exec-1] org.apache.tomcat.util.net.NioEndpoint : Error running socket processor
Edited by user 17 May 2019 14:17:59 (UTC) | Reason: not specified