一、报错及部署环境
Java程序访问测试域名https方法正常,访问生产域名https域名报错,报错如下
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
测试环境使用KubeSphere ingress
生产环境使用阿里云ACK服务的ingress配置
二、问题原因
客户端和服务端SSL协议版本不一致。
三、解决方案
配置两端使用支持的SSL协议版本
四、解决步骤
1.查看测试环境和生产环境ingress协议差异
生产环境(如果没有npm命令直接yum安装)
测试环境
可以看到实际上是两端的加密算法协商失败
2.修改阿里云ACK ingress,添加TLS协议及支持的算法
kubectl edit cm -n kube-system nginx-configuration #修改ingress配置
ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
3.更新ingress
kubectl scale --replicas=0 deployments.apps -n kube-system nginx-ingress-controller #慎用,可以
kubectl scale --replicas=10 deployments.apps -n kube-system nginx-ingress-controller
4.验证
- SSLHandshakeException protocol_version Received protocol ingresssslhandshakeexception protocol_version received protocol_version received protocol version protocol_version protocol sslhandshakeexception inappropriate sslhandshakeexception selected protocol version protocol sslhandshakeexception appropriate版本 sslhandshakeexception appropriate httputil protocol sslhandshakeexception received communications milliseconds successfully received