问题
I've setup gemfire.properties to make the web component require SSL using ssl-enabled-components=web and setting up a keystore. The locator and server are starting ok and GFSH connects to the JMX manager. However, when I try and start the Swagger UI then I am getting ERR_SSL_VERSION_OR_CIPHER_MISMATCH. It happens when the config is that ssl-ciphers= and ssl-protocols= or set to any...
So what's the required REST API cipher for Apache Geode? Thanks
回答1:
I tested this with a basic cert created with the following:
keytool -genkeypair -alias self -dname "CN=trusted" \
-validity 3650 -keypass password -keystore ./trusted.keystore \
-storepass password -storetype JKS
It failed in the way you describe. I recreated the cert and used a different key algorithm with -keyalg EC and then worked. I'll see if I can give a more detailed explanation at some point.
UPDATE:
I'm using Mac OS and my /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/java.security file contains the following restriction for certificates:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
With -keyalg EC, the generated certificate is signed with SHA256withECDSA, but without that option it is signed with SHA1withDSA, so not acceptable.
回答2:
For the signed SSL certificate I had to go through this process using openssl to generate a pfx file, and then this process to import that pfx into the java keystore, with the -keyalg EC flag. The Swagger then works fine using HTTPS.
来源:https://stackoverflow.com/questions/46349116/get-geode-rest-api-going-with-ssl