
Connection security

Data Connection establishes outbound TLS connections to external data sources. Not all cipher suites used in TLS connections are supported throughout the platform.

Supported suites

Data Connection supports the following cipher suites for outbound connections, provided they are supported by the underlying Java version. Additional cipher suites may be available depending on your environment's configuration and connection origination point.

:::callout{theme="neutral"} Contact Palantir Support with questions about additional cipher suites that may be available based on your environment's configuration and connection origin point. :::

TLS 1.3

| IANA name | OpenSSL name |
| --- | --- |
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |

TLS 1.2

| IANA name | OpenSSL name |
| --- | --- |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | DHE-RSA-CHACHA20-POLY1305 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA |

Verify your external system accepts a supported cipher suite

To verify that your external system accepts a supported cipher suite, run `openssl s_client -connect your-system.example.com:<port> -tls1_3 </dev/null` (or `-tls1_2` for TLS 1.2). The negotiated suite appears on the `Cipher` line of the `SSL-Session` block in the output. To test a specific suite from the supported list, add `-ciphersuites '<cipher_iana_name>'` for TLS 1.3 or `-cipher '<cipher_openssl_name>'` for TLS 1.2. An `SSLHandshakeException` containing `handshake_failure`, `no cipher match`, or `protocol is disabled or cipher suites are inappropriate` indicates a cipher mismatch; update the cipher configuration on your external system to enable one of the supported suites. You can also run `openssl` from the source terminal against the same network path your source uses.
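The check above, scripted as an added example (not Palantir's code): it runs the `openssl s_client` probe for TLS 1.3 and TLS 1.2, pulls the negotiated protocol and suite out of the `SSL-Session` block, and compares them against the lists on this page. The host and port are placeholders; `openssl` prints IANA names for TLS 1.3 suites and OpenSSL names for TLS 1.2 suites, so each list uses the matching column of the tables above.

```shell
# Added example, not Palantir's code. The supported lists are copied from the
# tables on this page: IANA names for TLS 1.3, OpenSSL names for TLS 1.2, because
# that is how openssl s_client prints the negotiated suite for each version.
SUPPORTED_TLS13="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256"
SUPPORTED_TLS12="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305
DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA"

# Read openssl s_client output on stdin and print "<protocol> <cipher>" from the
# SSL-Session block; print nothing when no suite was negotiated (openssl shows 0000).
negotiated_suite() {
  awk '/^ *Protocol *:/ {p=$3} /^ *Cipher *:/ {c=$3}
       END {if (c != "" && c != "0000") print p, c}'
}

# is_supported <protocol> <cipher>: succeeds when the pair is on the page's list.
is_supported() {
  case "$1" in
    TLSv1.3) list=$SUPPORTED_TLS13 ;;
    TLSv1.2) list=$SUPPORTED_TLS12 ;;
    *) return 1 ;;   # TLS 1.1 and older are not on the list at all
  esac
  for s in $list; do [ "$s" = "$2" ] && return 0; done
  return 1
}

# check_host <host> <port> <-tls1_3|-tls1_2>: run the probe from the page and
# report the result (exit 0 supported, 1 unsupported suite, 2 handshake failed).
check_host() {
  host=$1; port=$2; ver=$3
  out=$(openssl s_client -connect "$host:$port" "$ver" </dev/null 2>/dev/null)
  set -- $(printf '%s\n' "$out" | negotiated_suite)
  if [ $# -lt 2 ]; then echo "$ver: handshake failed, no cipher negotiated"; return 2; fi
  if is_supported "$1" "$2"; then echo "$1 $2: supported"; return 0; fi
  echo "$1 $2: not in the supported list"; return 1
}

# Usage: sh check_suite.sh your-system.example.com 443   (placeholder host and port)
if [ $# -ge 2 ]; then
  for ver in -tls1_3 -tls1_2; do check_host "$1" "$2" "$ver"; done
fi
```

A result of `handshake failed` for both versions, or a suite reported as not in the list, is the same mismatch the page describes; the fix is on the external system's cipher configuration, not on the Data Connection side.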
