Question

长话短说;有没有理由为什么在Tomcat上运行的应用程序无法与Paypal服务器通信？一些背景：我们正在Liferay上开发一系列portlet，它们在某些时候与paypal服务器通信以启动和验证购买过程。这在没有任何特殊配置的情况下就像本地tomcat上的魅力一样，但在安装Liferay和portlet后它无法启动进程。堆栈看起来像这样：

[16/12/14 13:51:01:728 GMT+01:00] 0000015d SystemOut     O 13:51:01,727 ERROR [WebContainer : 2][render_portlet_jsp:132] null
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.jsse2.o.a(o.java:33)
    at com.ibm.jsse2.o.a(o.java:30)
    at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:168)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:318)
    at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:403)
    at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:431)
    at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:315)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:103)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:42)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1184)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:390)
    at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:82)
    at com.paypal.core.HttpConnection.execute(HttpConnection.java:93)
    at com.paypal.core.APIService.makeRequestUsing(APIService.java:176)
    at com.paypal.core.BaseService.call(BaseService.java:265)
    at urn.ebay.api.PayPalAPI.PayPalAPIInterfaceServiceService.setExpressCheckout(PayPalAPIInterfaceServiceService.java:2196)
    at urn.ebay.api.PayPalAPI.PayPalAPIInterfaceServiceService.setExpressCheckout(PayPalAPIInterfaceServiceService.java:2148)

我一直在“googleing”，无法弄清楚错误的位置。我们试图向签名者注册从paypal网站检索到的Verisign证书，但没有任何改变。

愿有人瞄准我们正确的方向吗？谢谢！

<小时/> UPDATE 升级网络日志记录级别后，我可以在日志中看到以下内容：

     O class com.ibm.websphere.ssl.protocol.SSLSocketFactory is loaded
     O instantiated an instance of class com.ibm.websphere.ssl.protocol.SSLSocketFactory
     O 
handshake: true
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA
     O %% No cached client session
     O *** ClientHello, SSLv3
     O RandomCookie:  GMT: 1402031796 bytes = { 166, 100, 171, 183, 214, 31, 12, 68, 124, 68, 151, 195, 7, 4, 28, 112, 39, 90, 248, 143, 129, 106, 212, 33, 244, 40, 233, 94 }
     O Session ID:  {}
     O Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
     O Compression Methods:  { 0 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 75
     O 0000: 01 00 00 47 03 00 54 91  4f b4 a6 64 ab b7 d6 1f  ...G..T.O..d....
0010: 0c 44 7c 44 97 c3 07 04  1c 70 27 5a f8 8f 81 6a  .D.D.....p.Z...j
0020: d4 21 f4 28 e9 5e 00 00  20 00 04 00 05 00 0a fe  ................
0030: ff 00 16 00 13 00 66 00  09 fe fe 00 15 00 12 00  ......f.........
0040: 03 00 08 00 14 00 11 00  ff 01 00                 ...........

     O WebContainer : 10, WRITE: SSLv3 Handshake, length = 75
     O [Raw write]: length = 80
     O 0000: 16 03 00 00 4b 01 00 00  47 03 00 54 91 4f b4 a6  ....K...G..T.O..
0010: 64 ab b7 d6 1f 0c 44 7c  44 97 c3 07 04 1c 70 27  d.....D.D.....p.
0020: 5a f8 8f 81 6a d4 21 f4  28 e9 5e 00 00 20 00 04  Z...j...........
0030: 00 05 00 0a fe ff 00 16  00 13 00 66 00 09 fe fe  ...........f....
0040: 00 15 00 12 00 03 00 08  00 14 00 11 00 ff 01 00  ................

     O [Raw read]: length = 5
     O 0000: 15 03 00 00 02                                     .....

     O [Raw read]: length = 2
     O 0000: 02 28                                              ..

     O WebContainer : 10, READ: SSLv3 Alert, length = 2
     O WebContainer : 10, RECV TLSv1 ALERT:  fatal, handshake_failure
     O WebContainer : 10, called closeSocket()
     O WebContainer : 10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
     O 
handshake: true
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA
     O %% No cached client session
     O *** ClientHello, SSLv3
     O RandomCookie:  GMT: 1402031797 bytes = { 153, 95, 153, 155, 68, 36, 152, 92, 71, 172, 226, 104, 156, 107, 235, 73, 63, 239, 198, 202, 166, 216, 158, 26, 45, 59, 169, 169 }
     O Session ID:  {}
     O Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
     O Compression Methods:  { 0 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 75
     O 0000: 01 00 00 47 03 00 54 91  4f b5 99 5f 99 9b 44 24  ...G..T.O.....D.
0010: 98 5c 47 ac e2 68 9c 6b  eb 49 3f ef c6 ca a6 d8  ..G..h.k.I......
0020: 9e 1a 2d 3b a9 a9 00 00  20 00 04 00 05 00 0a fe  ................
0030: ff 00 16 00 13 00 66 00  09 fe fe 00 15 00 12 00  ......f.........
0040: 03 00 08 00 14 00 11 00  ff 01 00                 ...........

     O WebContainer : 10, WRITE: SSLv3 Handshake, length = 75
     O [Raw write]: length = 80
     O 0000: 16 03 00 00 4b 01 00 00  47 03 00 54 91 4f b5 99  ....K...G..T.O..
0010: 5f 99 9b 44 24 98 5c 47  ac e2 68 9c 6b eb 49 3f  ...D...G..h.k.I.
0020: ef c6 ca a6 d8 9e 1a 2d  3b a9 a9 00 00 20 00 04  ................
0030: 00 05 00 0a fe ff 00 16  00 13 00 66 00 09 fe fe  ...........f....
0040: 00 15 00 12 00 03 00 08  00 14 00 11 00 ff 01 00  ................

     O [Raw read]: length = 5
     O 0000: 15 03 00 00 02                                     .....

     O [Raw read]: length = 2
     O 0000: 02 28                                              ..

     O WebContainer : 10, READ: SSLv3 Alert, length = 2
     O WebContainer : 10, RECV TLSv1 ALERT:  fatal, handshake_failure
     O WebContainer : 10, called closeSocket()
     O WebContainer : 10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
     O 10:41:09,593 ERROR [WebContainer : 10][PaypalUtils:145] Errores en setPaypalExpressCheckout
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.jsse2.o.a(o.java:33)
    at com.ibm.jsse2.o.a(o.java:30)

服务器控制台中配置的SSL协议是TLS。

Answer 1

收到致命警报：handshake_failure

这可以是任何东西，例如缺少客户端证书，没有共享密码，错误的协议版本等。但它通常与证书验证无关。

请与其他客户联系，查看SSLLabs等以减少可能的原因。另请参阅http://noxxi.de/howto/ssl-debugging.html#aid_external_debugging了解您可能在调试时尝试的步骤，以及在需要其他人帮助时应收集哪些信息。如果您在此处发布了更多信息，那么可以为您的问题找到解决方案。

根据问题中的新信息进行编辑：

 O *** ClientHello, SSLv3
 ...
 O 0000: 16 03 00

您正在使用SSL 3.0，可以从调试消息中看到。由于POODLE，SSL 3.0被大多数主要站点阻止。虽然根据这些调试信息，您声称使用TLS1.x已经不是这种情况了，所以您应该再次检查您的设置。

Answer 2

通常在Websphere中，您需要导入要与之通信的服务器的证书。如果您手动尝试，可能不会在链中导入适当的证书，而是使用管理控制台中的“从端口检索”。

另一个选择是由于Poodle问题，Paypal正在杀死SSL :)。在这种情况下，在管理控制台的安全性菜单中将安全级别提高到TLS

Answer 3

跟踪显示您从远程服务器收到握手失败。我可以看到你的服务器发送了一个客户端问候消息，所以你希望看到一个带有服务器问候消息的响应，而不是连接从另一端突然结束。在这些情况下，您需要来自远程端的人来查看并告诉您为什么此连接失败。否则，你真的在黑暗中工作，你可以尝试很多不同的东西。

然而，我注意到的一件事是你正在使用SSLv3协议而另一端似乎正在使用TLSv1协议。我认为像Paypal这样的实体可能符合FIPS标准，这意味着他们停止使用SSL协议，只使用TLS作为合规的一部分。

Websphere 8.5上的SSL handshake_failure（在Tomcat上工作）

3 个答案: