OpenJDK1.8.0Đ在centos 7和centos 8上的行为不同

wh6knrhe  于 2021-07-06  发布在  Java
关注(0)|答案(0)|浏览(326)

我们最近做了一些安全修复测试,最初的错误是日志中有异常:

java.rmi.ConnectIOException: I/O exception connecting to BasicObjectEndpoint[30b8d547-6daa-46f6-bcaf-586cc7fd06da,SslEndpoint[xxxxxxxxxxxx:10001]]; nested exception is: 
        net.jini.io.UnsupportedConstraintException: Client not authenticated
        at net.jini.jeri.BasicInvocationHandler.wrapSafeIOException(BasicInvocationHandler.java:893)
        at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethodOnce(BasicInvocationHandler.java:711)
        at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:659)
        at net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:528)
        at com.sun.proxy.$Proxy7.getTicket(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.jini.activation.ActivatableInvocationHandler.invokeMethod0(ActivatableInvocationHandler.java:799)
        at net.jini.activation.ActivatableInvocationHandler.invokeMethod(ActivatableInvocationHandler.java:714)
        at net.jini.activation.ActivatableInvocationHandler.invokeRemoteMethod(ActivatableInvocationHandler.java:626)
        at net.jini.activation.ActivatableInvocationHandler.invoke(ActivatableInvocationHandler.java:462)
        at com.sun.proxy.$Proxy6.getTicket(Unknown Source)
        at xxxxxxxx.security.auth.manager.remote.TicketManagerRemoteProxy.getTicket(TicketManagerRemoteProxy.java:122)
        at xxxxxxxx.security.auth.manager.TicketUtils$1.run(TicketUtils.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at xxxxxxxx.security.auth.manager.TicketUtils.getTicket(TicketUtils.java:137)
        at xxxxxxxx.security.auth.login.TicketLoginModule.login(TicketLoginModule.java:322)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
        at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
        at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
        at sun.rmi.transport.Transport$1.run(Transport.java:200)
        at sun.rmi.transport.Transport$1.run(Transport.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: net.jini.io.UnsupportedConstraintException: Client not authenticated
        at net.jini.jeri.ssl.SslConnection.establishCallContext(SslConnection.java:177)
        at net.jini.jeri.ssl.SslEndpointImpl.connect(SslEndpointImpl.java:847)
        at net.jini.jeri.connection.ConnectionManager.connect(ConnectionManager.java:228)
        at net.jini.jeri.connection.ConnectionManager$ReqIterator.next(ConnectionManager.java:629)
        at net.jini.jeri.BasicObjectEndpoint$1.next(BasicObjectEndpoint.java:371)
        at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethodOnce(BasicInvocationHandler.java:708)
        ... 65 more
    Caused by: java.security.GeneralSecurityException: Credentials not found
        at net.jini.jeri.ssl.ClientAuthManager.chooseClientAlias(ClientAuthManager.java:327)
        at sun.security.ssl.AbstractKeyManagerWrapper.chooseClientAlias(SSLContextImpl.java:1490)
        at sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:200)
        at sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:175)
        at sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:88)
        at sun.security.ssl.CertificateRequest$T12CertificateRequestConsumer.choosePossession(CertificateRequest.java:761)
        at sun.security.ssl.CertificateRequest$T12CertificateRequestConsumer.consume(CertificateRequest.java:705)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
        at net.jini.jeri.ssl.SslConnection.establishSuites(SslConnection.java:251)
        at net.jini.jeri.ssl.SslConnection.establishNewSocket(SslConnection.java:240)
        at net.jini.jeri.ssl.SslConnection.establishCallContext(SslConnection.java:155)
        ... 70 more
    2020-11-20 15:11:27,313 ERROR RMI TCP Connection(1)-10.240.6.20 xxxxxxxx.jini.utils.lookup.ClientSessionContext - Login failed
    javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:906)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
        at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
        at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
        at sun.rmi.transport.Transport$1.run(Transport.java:200)
        at sun.rmi.transport.Transport$1.run(Transport.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
    2020-11-20 15:11:27,314 ERROR RMI TCP Connection(1)-10.240.6.20 xxxxxxxx.jini.utils.service.RemoteServerBase - Login exception
    javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:906)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.login(ClientSessionContext.java:240)
        at xxxxxxxx.jini.utils.lookup.ClientSessionContext.getSubject(ClientSessionContext.java:337)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.getServerSubject(RemoteServerBase.java:469)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.init(RemoteServerBase.java:336)
        at xxxxxxxx.jini.utils.service.RemoteServerBase.(RemoteServerBase.java:185)
        at xxxxxxxx.jini.utils.service.AbstractServerImpl.(AbstractServerImpl.java:146)
        at xxxxxxxx.preferences.PreferencesServiceRemoteImpl.(PreferencesServiceRemoteImpl.java:318)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.start.ActivateWrapper.(ActivateWrapper.java:491)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.sun.jini.phoenix.ActivationGroupImpl$2.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.jini.phoenix.ActivationGroupImpl.newInstance(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
        at sun.rmi.transport.Transport$1.run(Transport.java:200)
        at sun.rmi.transport.Transport$1.run(Transport.java:197)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

我们使用了一些非常古老的技术jini,它是基于rmi的。
我们发现问题是我们公司的信任库使用了一种加密算法——sha256withrsa,这与jdk的算法是不兼容的,在添加了一个新的jvm参数:jdk.tls.disabledalgorithms=ecdsa,rsassa pss,dsa之后,这个问题在本地测试中得到了解决。
但是,我们测试了其他一些场景。
1.

CentOS Linux release 7.8.2003 (Core)

        openjdk version "1.8.0_272"
        OpenJDK Runtime Environment (build 1.8.0_272-b10)
        OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)

        jdk folder name is java-1.8.0-openjdk-1.8.0.272.b10-1.el7_9.x86_64, which is installed by yum.

在这种环境下修复看起来很好。
2.

CentOS Linux release 8.2.2004 (Core)

        openjdk version "1.8.0_272"
        OpenJDK Runtime Environment (build 1.8.0_272-b10)
        OpenJDK 64-Bit Server VM (build 25.272-b10, mixed mode)

        jdk folder name is java-1.8.0-openjdk-1.8.0.272.b10-1.el8_2.x86_64, which is installed by yum

部分名称el8\u 2与上面的el7\u 9不同
修复程序不适用于此环境,我们仍然会在上面的日志中看到相同的异常。
就java安全性而言,centos 7和centos 8上的OpenJDK版本1.8.0Đ似乎表现不同,centos 8似乎更受限制。
请就可能的原因提出一些意见和建议。
提前谢谢。

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题