在Java8及高版本以上的版本在调用ssl时会出现javax.net.ssl.SSLHandshakeException: No appropriate protocol的异常。
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.HandshakeContext.(HandshakeContext.java:171) ~[na:1.8.0_292] at sun.security.ssl.ClientHandshakeContext. (ClientHandshakeContext.java:98) ~[na:1.8.0_292] at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220) ~[na:1.8.0_292] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428) ~[na:1.8.0_292] at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:316) ~[mysql-connector-java-8.0.17.jar:8.0.17] at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:188) ~[mysql-connector-java-8.0.17.jar:8.0.17] at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:99) ~[mysql-connector-java-8.0.17.jar:8.0.17] at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:331) ~[mysql-connector-java-8.0.17.jar:8.0.17] ... 68 common frames omitted
解决办法如下:
修改jre/lib/security/java.security中的disabledAlgorithms,删除SSLv3, TLSv1, TLSv1.1,然后重启应用即可。在vim下,可以使用/disabledAlgorithms快速查找。
jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA,
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL,
include jdk.disabled.namedCurves
如果修改了,保存了,重启了还是没有效果,就看下面这个方法:
修改jdk配置文件/etc/crypto-policies/back-ends/java.config,类似上面方法一样,删除`SSLv3, TLSv1, TLSv1.1``,保存重启应用。
jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2, SSLv3, TLSv1.1, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5
另外jdk奇数版本可用,偶数版本有上面这个问题,可用通过yum --showduplicate list java* | grep 1.8.0查看可用的版本,选择奇数版本安装也能解决这个问题。
