当我尝试POST时,用Java握手失败

时间:2014-08-18 08:09:20

标签: java post ssl jersey-client

我尝试联系***并使用POST发送一些数据。

我使用已导入Eclipse项目的jersey-bundle-1.18.jar。这是我的代码:

    Client client = Client.create();
    WebResource webResource = client.resource("https://somesite.com");
    MultivaluedMap<String, String> map = new MultivaluedMapImpl();
    map.putSingle("key_name", API_KEY_NAME);
    map.putSingle("key_value", API_KEY_VALUE);
    map.putSingle("message", "Test");
    map.putSingle("extension", "+0012345678");
    ClientResponse response = webResource.type("application/x-www-form-urlencoded")
                 .post(ClientResponse.class, map); // throws exception here
    return response.toString();

当我运行我的代码时,我得到javax.net.ssl.SSLHandshakeException。该站点使用的证书来自StartCom,根据this poster

,我认为这个CA不在Java的默认信任库中,至少在Java 6中是这样。

我使用JVM标志-Djavax.net.debug = all运行我的程序,这就是我得到的:

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1391505439 bytes = { 186, 52, 225, 5, 67, 137, 170, 128, 220, 41, 178, 86, 199, 17, 150, 190, 23, 47, 217, 126, 162, 34, 68, 40, 216, 221, 193, 108 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: ***]
***
[write] MD5 and SHA1 hashes:  len = 176
0000: 01 00 00 AC 03 01 53 F1   B0 1F BA 34 E1 05 43 89  ......S....4..C.
0010: AA 80 DC 29 B2 56 C7 11   96 BE 17 2F D9 7E A2 22  ...).V...../..."
0020: 44 28 D8 DD C1 6C 00 00   2A C0 09 C0 13 00 2F C0  D(...l..*...../.
0030: 04 C0 0E 00 33 00 32 C0   07 C0 11 00 05 C0 02 C0  ....3.2.........
0040: 0C C0 08 C0 12 00 0A C0   03 C0 0D 00 16 00 13 00  ................
0050: 04 00 FF 01 00 00 59 00   0A 00 34 00 32 00 17 00  ......Y...4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................
0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................
main, WRITE: TLSv1 Handshake, length = 176
[Raw write]: length = 181
0000: 16 03 01 00 B0 01 00 00   AC 03 01 53 F1 B0 1F BA  ...........S....
0010: 34 E1 05 43 89 AA 80 DC   29 B2 56 C7 11 96 BE 17  4..C....).V.....
0020: 2F D9 7E A2 22 44 28 D8   DD C1 6C 00 00 2A C0 09  /..."D(...l..*..
0030: C0 13 00 2F C0 04 C0 0E   00 33 00 32 C0 07 C0 11  .../.....3.2....
0040: 00 05 C0 02 C0 0C C0 08   C0 12 00 0A C0 03 C0 0D  ................
0050: 00 16 00 13 00 04 00 FF   01 00 00 59 00 0A 00 34  ...........Y...4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 00 00 17 00 15  ................
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

出了什么问题,我怎样才能让它发挥作用?

编辑:如下所述,我下载了Java Cryptography Extension(JCE)Unlimited Strength Jurisdiction Policy Files,但是对于Java 7,因为这是我正在使用的Java版本并将jar文件复制到/ lib / security as按照说明。

我再次运行该程序,并在另一个例外情况下陷入困境。我从Eclipse控制台复制了几行:

  

%%无效:[Session-1,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] main,   发送TLSv1警告:致命,描述= certificate_unknown main,   WRITE:TLSv1警报,长度= 2 [原始写入]:长度= 7 0000:15 03 01   00 02 02 2E .......主要叫做   closeSocket()main,处理异常:   javax.net.ssl.SSLHandshakeException:   sun.security.validator.ValidatorException:PKIX路径构建失败:   sun.security.provider.certpath.SunCertPathBuilderException:无法   找到所请求目标的有效证书路径

这一次,Java的信任库中的StartCom证书似乎终于丢失了。我确信可以克服这个问题,但是因为我考虑将我的代码部署到一个可供其他人使用的jar文件中,我认为让人们按顺序替换他们的JCE策略文件是不可行的解决方案。使用我的图书馆。

当我第一次遇到这个错误时,我有点不知所措,因为我在成功结果之前实际执行了相同的代码,但是当我考虑它时,我使用OpenJDK而不是Oracle专有的JDK。当我使用OpenJDK时,我也没有加密问题。所以,我觉得这里有两个糟糕的选择:

1)。强制用户将他们的Java Development Kit切换到OpenJDK,否则我的服务/库将无效。

2)。强制用户替换其JRE的JCE策略文件并将StartCom证书导入Java的密钥库,例如使用keytool,或者我可以在运行时加载证书?

这有点正确吗?

EDIT2:

以下是我使用http://www.startssl.com/certs/ca-bundle.crt

中提供的证书创建自己的信任库的方法 
try {
    // Read the certificate bundle from disk
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate ca = cf.generateCertificate(getClass().getResourceAsStream("ca-bundle.crt")); // the file ca-bundle.crt should be in the same folder as your .java files
    // Create a KeyStore containing our trusted CAs
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", ca);
    // Create a TrustStore that trusts the CAs in our KeyStore
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);
    // Create an SSLContext that uses our TrustManager
    sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tmf.getTrustManagers(), null);
} catch (CertificateException | KeyStoreException | NoSuchAlgorithmException | KeyManagementException | IOException e) {
        e.printStackTrace();
}

现在可以安全地与服务器通信。您可以使用自定义SSLContext创建HttpClient,如下所示:

CloseableHttpClient client = HttpClients.custom().setSslcontext(sslContext).build();

1 个答案:

答案 0 :(得分:4)

更新Java Cryptography Extension:

Java 6 http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

Java 7 http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

由于美国法律,默认JRE仅具有有限的加密强度。

编辑: 看来StartCom的ROOT CA证书不在java可信CA中。 使用openssl自己添加到JRE中的cacerts(参见Digital Certificate: How to import .cer file in to .truststore file)。

您正在构建一个库,只需在txt文件(README,HOWTO,FAQ,...)中的某个地方发出通知,以便有此问题的人对根AC证书执行相同的操作。

相关问题
最新问题