After adding certificate security authentication in ElasticSearch 7.10.0, IBM JDK 1.8 does not support the Transport API
Elasticsearch | Author: Hyj_simple1 | Posted on 2022-08-19 | Views: 1178
The code, in brief, is as follows:
Settings settings = Settings.builder()
    .put("xpack.security.user", "userName:password")
    .put("cluster.name", "bangcle_es")
    .put("client.transport.sniff", false)
    .put("xpack.security.enabled", true)
    .put("xpack.security.transport.ssl.enabled", true)
    .put("xpack.security.transport.ssl.keystore.path", filePath + "elastic-certificates.p12") // make sure this file is accessible
    .put("xpack.security.transport.ssl.keystore.password", "testpasswd")
    .put("xpack.security.transport.ssl.verification_mode", "certificate")
    .build();
TransportClient client = new PreBuiltXPackTransportClient(settings)
    .addTransportAddress(new TransportAddress(InetAddress.getByName("es01"), 9300));
Exception stack trace:
Caused by: java.lang.IllegalArgumentException: none of the ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256……] are supported by this JVM
at org.elasticsearch.xpack.core.ssl.SSLService.supportedCiphers(SSLService.java:414)
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:459)
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439)
……
7 replies
Charele - Cisco4321
An interesting question. My question is:
when you say you use OpenJDK or the IBM JDK,
do you mean the ES server side or your Java client?
Charele - Cisco4321
for (String a : SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites())
System.out.println(a);
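Added example, not part of the original thread: a diagnostic that extends the snippet above by comparing the cipher suite names quoted in the exception against the names the running JVM reports, and by looking for the same suite listed under an `SSL_` prefix. The class name `CipherCheck`, its helper methods and the prefix check are assumptions made for illustration; run it with the same JDK the client uses.

```java
import javax.net.ssl.SSLContext;
import java.util.*;

public class CipherCheck {
    // Cipher suites named in the exception message on this page
    // (the page elides the rest of the list, so only these four are checked).
    static final List<String> REQUESTED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256");

    // Requested names that the JVM reports under exactly the same name.
    static List<String> exactMatches(Collection<String> requested, Set<String> supported) {
        List<String> out = new ArrayList<>();
        for (String c : requested) {
            if (supported.contains(c)) out.add(c);
        }
        return out;
    }

    // Assumption: a JSSE provider may list the same suite with an SSL_ prefix
    // instead of TLS_. Maps each unmatched requested name to such an alias.
    static Map<String, String> prefixAliases(Collection<String> requested, Set<String> supported) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String c : requested) {
            if (supported.contains(c) || !c.startsWith("TLS_")) continue;
            String alt = "SSL_" + c.substring("TLS_".length());
            if (supported.contains(alt)) out.put(c, alt);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new TreeSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
            + " java.version=" + System.getProperty("java.version"));
        System.out.println("JVM-supported suites: " + supported.size());
        System.out.println("exact name matches: " + exactMatches(REQUESTED, supported));
        System.out.println("listed under SSL_ prefix: " + prefixAliases(REQUESTED, supported));
    }
}
```

An empty "exact name matches" list reproduces the condition the exception reports; any entries under "listed under SSL_ prefix" are the names to try in an explicit cipher suite setting on that JVM.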
Hyj_simple1
Charele - Cisco4321
If the IBM JDK is a hard requirement, I feel there is still a way,
because this set can be configured in the code; you could look into it first.
Charele - Cisco4321
Try this and see (add it on both the server and the client),
add that ssl setting in,
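Hyj_simple1
As I understand it, the valid protocols for ES X-Pack's ssl.supported_protocols are: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
But the default supported cipher_suites list depends on the JDK version (third image), and the Sun JDK does not support the SSLv3 protocol by default (second image).
As for whether the Sun JDK can support SSLv3, I won't dwell on it (too low-level).
I'm not sure whether my understanding is correct; later I'll try explicitly configuring supported_protocols.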
Hyj_simple1