Connection security
Data Connection establishes outbound TLS connections to external data sources. Not all cipher suites used in TLS connections are supported throughout the platform.
Supported suites
Data Connection supports the following cipher suites for outbound connections, provided they are supported by the underlying Java version. Additional cipher suites may be available depending on your environment's configuration and connection origination point.
:::callout{theme="neutral"} Contact Palantir Support with questions about additional cipher suites that may be available based on your environment's configuration and connection origin point. :::
TLS 1.3
| IANA name | OpenSSL name |
|---|---|
| TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
| TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
| TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
TLS 1.2
| IANA name | OpenSSL name |
|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | DHE-RSA-CHACHA20-POLY1305 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA |
Verify your external system accepts a supported cipher suite
To verify that your external system accepts a supported cipher suite, run `openssl s_client -connect your-system.example.com:<port> -tls1_3 </dev/null` (or `-tls1_2` for TLS 1.2). The negotiated suite appears on the `Cipher` line of the `SSL-Session` block in the output. To test a specific suite from the supported list, add `-ciphersuites '<cipher_iana_name>'` for TLS 1.3 or `-cipher '<cipher_openssl_name>'` for TLS 1.2 (the two flags are not interchangeable: TLS 1.3 suites are selected by IANA name, TLS 1.2 suites by OpenSSL name). An `SSLHandshakeException` containing `handshake_failure`, `no cipher match`, or `protocol is disabled or cipher suites are inappropriate` indicates a cipher mismatch; update the cipher configuration on your external system to enable one of the supported suites. You can also run `openssl` from the source terminal so that the check follows the same network path your source uses.
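The check above can be scripted so it is repeatable per source. The following is an added example, not Palantir code: it builds the `openssl s_client` command exactly as described, parses the `SSL-Session` block of the captured output, and judges the negotiated suite against the two tables on this page. `run_probe` shells out to a local `openssl` binary and needs network access; the other functions work offline on captured output. The host, port and sample output strings are constructed for illustration.

```python
"""Constructed example (not Palantir code): drive the `openssl s_client` check described
above and judge the negotiated suite against the tables on this page. run_probe needs
network access and an openssl binary; the other functions work offline on captured output."""
import re
import subprocess

# Supported suites from the tables above: IANA name -> OpenSSL name.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}
TLS12_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384": "DHE-DSS-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256": "DHE-DSS-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "DHE-RSA-AES256-SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256": "DHE-DSS-AES256-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": "DHE-DSS-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA": "DHE-DSS-AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
}
# Strings the page says appear in a Data Connection SSLHandshakeException on a mismatch.
MISMATCH_MARKERS = ("handshake_failure", "no cipher match",
                    "protocol is disabled or cipher suites are inappropriate")


def probe_command(host, port, version, suite=None):
    """openssl s_client argv for one TLS version. suite is an IANA name for 1.3
    (-ciphersuites) or an OpenSSL name for 1.2 (-cipher), as the page describes."""
    if version not in ("1.3", "1.2"):
        raise ValueError("version must be '1.3' or '1.2'")
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", f"-tls1_{version[-1]}"]
    if suite:
        cmd += ["-ciphersuites" if version == "1.3" else "-cipher", suite]
    return cmd


def parse_session(output):
    """Return (protocol, cipher) from the first SSL-Session block of s_client output.
    cipher is None when no session was established (openssl then prints 'Cipher : 0000')."""
    _, sep, session = output.partition("SSL-Session:")
    if not sep:
        return None, None
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", session, re.M)
    ciph = re.search(r"^\s*Cipher\s*:\s*(\S+)", session, re.M)
    if not proto or not ciph or ciph.group(1) in ("0000", "(NONE)"):
        return (proto.group(1) if proto else None), None
    return proto.group(1), ciph.group(1)


def judge(protocol, cipher):
    """'supported', 'unsupported', or 'no-session' against the tables above."""
    if cipher is None:
        return "no-session"
    table = TLS13_SUITES if protocol == "TLSv1.3" else TLS12_SUITES if protocol == "TLSv1.2" else {}
    return "supported" if cipher in table.values() else "unsupported"


def is_cipher_mismatch(exception_message):
    """True if a Data Connection SSLHandshakeException message signals a suite mismatch."""
    return any(marker in exception_message for marker in MISMATCH_MARKERS)


def run_probe(host, port, version, suite=None, timeout=15):
    """Run the probe with stdin closed (the </dev/null in the page's command) and judge it."""
    proc = subprocess.run(probe_command(host, port, version, suite), input=b"",
                          capture_output=True, timeout=timeout)
    protocol, cipher = parse_session(proc.stdout.decode(errors="replace"))
    return protocol, cipher, judge(protocol, cipher)
```

Run `run_probe("your-system.example.com", 443, "1.2", "ECDHE-RSA-AES128-GCM-SHA256")` from the source terminal to test one TLS 1.2 suite over the same network path the source uses; a `no-session` verdict corresponds to the handshake failures the page lists, and `unsupported` means the endpoint negotiated a suite that is not in the tables above, which will fail in Data Connection even though `openssl` itself succeeded.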