SSL 握手失败：连接到 TIBCO ActiveMatrix BusinessWorks 5.7.2 时

Question

TIBCO 版本 - TIBCO ActiveMatrix BusinessWorks 5.7.2

问题：

我是 TIBCO 服务器的消费者，遇到 SSL 握手失败。我尝试了以下 openssl 命令来查看它是否可以接受连接。以下是我的结果：

openssl s_client -showcerts -connect tibco-server:port -verify 3 -tls1 -state

verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:unexpected_message
SSL_connect:failed in error
139827261306768:error:140943F2:SSL routines:ssl3_read_bytes:sslv3 alert unexpected message:s3_pkt.c:1493:SSL alert number 10
139827261306768:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1581402078
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

但是，当我点击 ssl3 选项时，同样的工作

openssl s_client -showcerts -connect tibco-server:port -verify 3 -ssl3 -state

verify depth is 3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = <state>, L = <location>, O = <org>, OU = <unit>, CN = <cn>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----
---
Server certificate
subject=...
issuer=...
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1779 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 8BCEAEADC85613876FFF0E2EAB590A92
    Session-ID-ctx:
    Master-Key: <master-key-here>
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1581402661
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

我已经屏蔽了一些输出数据。

关于为什么，openssl 可以通过 ssl3 而不是 tls1.0 连接 TIBCO 的任何帮助？

Answer 1

TIBCO 服务器中的安全配置更改后，此问题得到解决。现在客户端可以成功地与 TIBCO 服务器协商 TLS1.0 连接。

修复

将安全性更改为 j2se 而不是 entrust

java.property.TIBCO_SECURITY_VENDOR=j2se

参考文献

https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-38616 https://community.tibco.com/questions/tls-compatibility-tibco-bw