Tag Archives: ssl

[Solved] Springboot Project Connect MYSQL Error: Establishing SSL connection without server’s identity verification is not recommended.

Error message

Establishing SSL connection without server's identity verification is not recommended.

According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set.

For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'.

You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.


Solution:

#Modify database connection Add useSSL=true
jdbc:mysql://localhost:3306/aa?useUnicode=true&characterEncoding=utf-8&useSSL=true

Here useSSL=true explicitly tells the driver to use an SSL connection. The warning appears when the JDBC driver version does not match the MySQL server version (the MySQL server is newer than the driver); appending useSSL=true to the connection URL lets JDBC connect to the database.
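The driver's warning is really about the second half of the message: useSSL=true turns encryption on, but without verifyServerCertificate=true (or sslMode=VERIFY_CA / VERIFY_IDENTITY on Connector/J 8.0.13+) the server's certificate is never checked. The following is an added example, not code from the original post, that parses the query parameters of a Connector/J URL and reports which of the three states the driver ends up in. The parameter names are real Connector/J properties; the two URLs, the truststore path and the password are constructed placeholders.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the original post): reads the query string of a
 * MySQL Connector/J JDBC URL and reports whether the connection will be
 * plaintext, encrypted-but-unverified, or encrypted with the server's
 * identity verified. Property names are Connector/J's own.
 */
public class JdbcSslCheck {

    /** Splits everything after '?' into key/value pairs, in the order given. */
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(key, value);
        }
        return params;
    }

    /** Classifies the URL; assumes the server offers TLS when asked. */
    static String verdict(String jdbcUrl) {
        Map<String, String> p = queryParams(jdbcUrl);

        // Connector/J 8.0.13+: sslMode takes precedence over the boolean properties.
        String sslMode = p.get("sslMode");
        if (sslMode != null) {
            switch (sslMode.toUpperCase()) {
                case "DISABLED":
                    return "plaintext";
                case "VERIFY_CA":
                case "VERIFY_IDENTITY":
                    return "encrypted, server identity verified";
                default: // PREFERRED or REQUIRED
                    return "encrypted, server identity NOT verified";
            }
        }

        // Legacy properties (Connector/J 5.1, still honoured by 8.0). useSSL is
        // on by default for the server versions named in the warning.
        if ("false".equalsIgnoreCase(p.get("useSSL"))) {
            return "plaintext";
        }
        // verifyServerCertificate=true makes the driver check the server certificate
        // against trustCertificateKeyStoreUrl or, if unset, the JVM's default truststore.
        if ("true".equalsIgnoreCase(p.get("verifyServerCertificate"))) {
            return "encrypted, server identity verified";
        }
        return "encrypted, server identity NOT verified";
    }

    public static void main(String[] args) {
        // The URL from the post: encryption on, certificate never checked.
        String fromPost = "jdbc:mysql://localhost:3306/aa"
                + "?useUnicode=true&characterEncoding=utf-8&useSSL=true";

        // Constructed hardened variant: TLS required, trust pinned to a truststore
        // holding the server's CA. Path and password are placeholders.
        String hardened = "jdbc:mysql://localhost:3306/aa"
                + "?useUnicode=true&characterEncoding=utf-8"
                + "&useSSL=true&requireSSL=true&verifyServerCertificate=true"
                + "&trustCertificateKeyStoreUrl=file:/path/to/truststore.jks"
                + "&trustCertificateKeyStorePassword=CHANGE_ME";

        System.out.println("post URL -> " + verdict(fromPost));
        System.out.println("hardened -> " + verdict(hardened));
    }
}
```

Run it with `javac JdbcSslCheck.java && java JdbcSslCheck`; the post's URL comes out as "encrypted, server identity NOT verified", which is why the driver keeps printing the warning even after useSSL=true is added.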

How to Solve the inaccessibility of Website After the SSL certificate is added

Error Message:
An exception has been raised that is likely due to a transient failure. Consider enabling transient error resiliency by adding ‘EnableRetryOnFailure()’ to the ‘UseMySql’ call.

Solution:
Append sslMode=None to the connection string, as follows:
"Default": "Server=127.0.0.1;port=3306;Database=database;Uid=account;Pwd=password;CharSet=utf8;Allow User Variables=True;sslMode=None;"

Java call ssl exception (javax.net.ssl.SSLHandshakeException: No appropriate protocol)

Today, I used jdk1.8 for the upgrade and found that when Java called SSL, an exception was suddenly thrown.

After a while, I finally found out that there was a problem with the SSL calling authority because of the jdk1.8 version.

Solution: Go to the JDK 1.8 installation directory and open java.security under lib\security in C:\Program Files\Java\jre. Find the SSLv3 entry, delete it, and restart the project. (Deleting SSLv3 from that list means SSL calls are allowed again.)
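"No appropriate protocol" means the protocol set the client enables and the set the JVM's policy allows (jdk.tls.disabledAlgorithms, the list the post edits) have no usable overlap with what the peer offers. Before touching java.security it is worth confirming which protocols this JVM can actually use. The following is an added example, not code from the original post: it reads the policy list, compares it with the provider's supported protocols, and shows how a client socket is pinned to TLSv1.2 in code. No connection is made; the port and protocol names are the standard JSSE ones.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the original post): reports which TLS/SSL protocol
 * versions the running JVM supports and which java.security has disabled,
 * then pins an unconnected client socket to TLSv1.2.
 */
public class TlsProtocolCheck {

    /** The value of jdk.tls.disabledAlgorithms as loaded from java.security. */
    static String disabledAlgorithms() {
        return Security.getProperty("jdk.tls.disabledAlgorithms");
    }

    /** Protocol versions the JSSE provider can speak at all. */
    static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    /** Protocol versions a freshly created socket will offer by default. */
    static String[] enabledProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    /** True when the policy list names this protocol (e.g. "SSLv3", "TLSv1"). */
    static boolean disabledByPolicy(String protocol) {
        String list = disabledAlgorithms();
        if (list == null) {
            return false;
        }
        for (String entry : list.split(",")) {
            if (entry.trim().equalsIgnoreCase(protocol)) {
                return true;
            }
        }
        return false;
    }

    /** Usable only when the provider supports it and the policy does not forbid it. */
    static boolean usable(String protocol) throws Exception {
        return Arrays.asList(supportedProtocols()).contains(protocol)
                && !disabledByPolicy(protocol);
    }

    /** Unconnected client socket restricted to the given protocol versions. */
    static SSLSocket socketFor(String... protocols) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(); // not connected yet
        socket.setEnabledProtocols(protocols);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledAlgorithms());
        System.out.println("supported: " + Arrays.toString(supportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(enabledProtocols()));
        for (String p : new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}) {
            System.out.println(p + " usable on this JVM: " + usable(p));
        }

        // Pinning the client to TLSv1.2 fixes the case where the client was
        // asking for a version the policy has disabled. A peer that only speaks
        // SSLv3 shows up here as "SSLv3 usable: false" and needs to be upgraded.
        try (SSLSocket s = socketFor("TLSv1.2")) {
            System.out.println("client will offer: " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

On a JDK 8 update that ships with SSLv3 in jdk.tls.disabledAlgorithms the output shows SSLv3 as supported by the provider but not usable, which is exactly the situation the exception describes.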


SSL connection error: javax.net.ssl.SSLHandshakeException


When using socket SSL two-way connection, the client can connect to the server

However, an error occurred when transferring data: javax.net.ssl.SSLHandshakeException: null cert chain

The reason is that the keystore file used is incorrect

First, create the server-side private key and certificate
1, keytool -genkey -alias serverkey -keystore kserver.ks
2, keytool -export -alias serverkey -keystore kserver.ks -file server.crt
3, keytool -import -alias serverkey -file server.crt -keystore tclient.ks

Then create the client-side private key and certificate
1, keytool -genkey -alias clientkey -keystore kclient.ks
2, keytool -export -alias clientkey -keystore kclient.ks -file client.crt
3, keytool -import -alias clientkey -file client.crt -keystore tserver.ks

kserver.ks and tserver.ks are used on the server side; kclient.ks and tclient.ks are used on the client side.
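"null cert chain" is what the server reports when it demands a client certificate (two-way SSL) and the client presents none it can trust, which is what happens if the keystore and truststore files are swapped. The following is an added example, not code from the original post, that wires the four files from the steps above into a mutual-TLS socket server and client on loopback. It assumes all four keystores were created with the keytool commands above using the password "changeit" and that port 8443 is free; both are assumptions for the demo.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): two-way TLS over a plain socket.
 * Server: kserver.ks (its own key) + tserver.ks (trusts client.crt).
 * Client: kclient.ks (its own key) + tclient.ks (trusts server.crt).
 * Using the wrong file on either side reproduces "null cert chain".
 */
public class MutualTlsDemo {
    // Assumption: the password typed at keytool -genkey time.
    static final char[] PASS = "changeit".toCharArray();
    static final int PORT = 8443; // assumption: free local port

    /** Builds an SSLContext from one keystore (identity) and one truststore. */
    static SSLContext context(String keyStorePath, String trustStorePath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, PASS);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS);

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, PASS);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Accepts one connection, requires a client certificate, answers one line. */
    static void runServer() throws Exception {
        SSLServerSocketFactory f = context("kserver.ks", "tserver.ks").getServerSocketFactory();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(PORT)) {
            ss.setNeedClientAuth(true); // this is what makes it two-way SSL
            try (SSLSocket s = (SSLSocket) ss.accept();
                 BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                 PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                String request = in.readLine(); // handshake happens on first I/O
                String client = s.getSession().getPeerPrincipal().getName();
                out.println("pong to " + client + " (you sent: " + request + ")");
            }
        }
    }

    /** Connects, sends one line, returns the server's reply. */
    static String runClient() throws Exception {
        SSLSocketFactory f = context("kclient.ks", "tclient.ks").getSocketFactory();
        try (SSLSocket s = (SSLSocket) f.createSocket("localhost", PORT);
             PrintWriter out = new PrintWriter(s.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()))) {
            // Hostname checking is left off because keytool self-signed certs from the
            // steps above carry no hostname binding; a raw SSLSocket does none by default.
            s.startHandshake(); // fails here with "null cert chain" if the wrong keystores are used
            out.println("ping");
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        Thread server = new Thread(() -> {
            try {
                runServer();
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        server.start();
        Thread.sleep(500); // give the server a moment to bind (demo only)
        System.out.println("client got: " + runClient());
        server.join();
    }
}
```

Compile and run it in the directory that holds the four .ks files. Swapping tserver.ks for tclient.ks on the server side is a quick way to see the handshake fail with the exact exception from the post.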

Tomcat SSL configuration: Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After configuring Tomcat SSL today, we found that the page could not be accessed. Chrome prompts the following:

(Screenshot: Chrome access error page)

The odd part is that the same configuration works fine on other servers.
After a round of searching on Baidu we found no solution, and we did not know much about how Tomcat's SSL configuration works. Later, a Google search turned up a fix: specify an explicit cipher suite list in the SSL connector

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
         TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
         TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
         SSL_RSA_WITH_RC4_128_SHA"

The specific connector configuration is as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
           keystoreFile="conf/chinanetcenter.tomcat" keystorePass="2013111"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA"
           compression="on" compressionMinSize="50" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"/>

After this change the page can be accessed.

We have not fully worked out the underlying cause; when there is an opportunity we will look further into how Tomcat's SSL mechanism works.

Here is some of the information we came across while searching for the cause:

Tomcat can implement SSL in two ways: APR or JSSE. Tomcat selects the implementation automatically, and if APR is installed on the server it appears to prefer APR (I suspect the error above is related to APR, since the failing server is the only one with APR installed). You can force Tomcat to use the JSSE implementation by specifying the protocol attribute on the connector.

Tomcat can implement SSL in two ways, JSSE and APR:
(1) The JDK has shipped JSSE since version 1.4; APR uses the OpenSSL engine, so to use APR you must configure the OpenSSL engine.
(2) JSSE has a BIO implementation and an NIO implementation. The protocol value for the BIO implementation is org.apache.coyote.http11.Http11Protocol, and for the NIO implementation it is org.apache.coyote.http11.Http11NioProtocol. To use APR mode you must install the Tomcat native library.
(3) The default connector in most Tomcat versions is the BIO connector.
According to our tests, Tomcat 6 uses the BIO connector and does not support NIO, so the protocol value of the connector should be written as org.apache.coyote.http11.Http11Protocol.