ecs-object-client-java icon indicating copy to clipboard operation
ecs-object-client-java copied to clipboard
verified publisher icon EMCECS

Support for Java 6 and TLSv1.2

Open mrjonze opened this issue 2 years ago • 3 comments

Hello,

I am trying to use the client with a critical project I have which is built on Java 6. It worked fine using HTTP, however when using HTTPS I always get a handshake_failure. The version I am using is 3.1.3, the last one compatible with Java 6.

Do you have any tips on how to make this version to work with TLSv1.2?

Thanks in advance.

mrjonze avatar Dec 12 '23 12:12 mrjonze

@mrjonze If you are not hitting "javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", please kindly clarify your issue here.

Assume you have the cert issue, could you check /etc/nginx/nginx.conf on ECS? It should have following entries. ssl on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256; ssl_certificate /opt/storageos/conf/storageos.crt; ssl_certificate_key /opt/storageos/conf/storageos.key; TODO: obtain the cert from the ECS server and then import it into your JVM's trust store. The issue is not usually related to your Java version, but you need to check ssl_protocols and ssl_ciphers are not disabled in JVM security conf. Note that extended support for v1.6 has been ended by Oracle, you should upgrade to 1.8 and later.

dunedodo avatar Dec 13 '23 08:12 dunedodo

Hello, @dunedodo, thank you for the quick answer.

I have an Oracle-supported version of Java 6, but it doesn't seem to have those ciphers available.

I already imported the certificate into my JVM and it always returns handshake_failure when I try to reach the ECS server through HTTPS.

I don't have the information regarding nginx.conf right away, but I'll check them and return to you as soon as possible. Does ECS only work with those ciphers you mentioned? I did some research online and I found the following ciphers as options to ECS:

imagem

But if I got it right, I must have in my JVM the ciphers used in nginx.conf, right?

mrjonze avatar Dec 13 '23 12:12 mrjonze

@mrjonze The solution would depend on your exception. Could you provide more information for your error stacktrace? For your question on the ciphers, the answer is simply yes. I'm not sure which ECS version you are using, but you should make sure JVM support the cipher.

dunedodo avatar Dec 18 '23 06:12 dunedodo

@mrjonze As it has been a long time since the last response, I'll close the ticket. Please feel free to reopen it if you hit the same issue.

dunedodo avatar Jul 09 '24 07:07 dunedodo