＆＃34;解密失败或记录错误＆＃34;在apache和Java之间

Question

我有一个Java程序（在tomcat容器中运行），它使用SSL的RSA SSL-J实现，以及使用mod_ssl / openssl为SSL配置的apache webserver

当Java程序试图向apache服务器打开HttpsUrlConnection时，错误javax.net.ssl.SSLException: Fatal Alert received: Bad Record Mac

（异常堆栈跟踪不是很有用，因为sslj.jar被混淆了）

问题不是断断续续的。它每次都会发生。

在我将LogLevel设置为debug：

之后，这是来自apache上的mod_ssl日志

[Mon Jul 30 22:00:25 2012] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read certificate verify A
[Mon Jul 30 22:00:25 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read certificate verify A`
[Mon Jul 30 22:00:25 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read certificate verify A
[Mon Jul 30 22:00:25 2012] [info] [client 172.16.195.208] %%CryptoAuditEntry:: SSL library error 1 in handshake (server <HOSTNAME>:9005)
[Mon Jul 30 22:00:25 2012] [info] %%CryptoAuditEntry:: SSL Library Error: 336130329 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Jul 30 22:00:25 2012] [info] [client <IPADDRESS>] %%CryptoAuditEntry:: Connection closed to child 4 with abortive shutdown (server <HOSTNAME>:9005)

这是java端代码：

                SSLContext sc = SSLContext.getInstance("TLS");
                sc.init(null /*keyManagers*/, trustAllCerts,
                          new java.security.SecureRandom());
                HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
                HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();


                // Don't check the hostname against the certificate name
                conn.setHostnameVerifier(new HostnameVerifier() {
                        public boolean verify(String urlHostname,
                            SSLSession session) {
                            return true;
                        }
                    });
                conn.setDoInput(true);
                conn.setDoOutput(true);
                conn.setUseCaches(false);
                conn.setRequestProperty("METHOD", "POST");
                conn.setRequestProperty("Authorization", "Basic " +
                    credentials);
                conn.setRequestProperty("Content-Type", "application/pkcs10");
                conn.setReadTimeout(8000);
                conn.connect();

另一个有趣的事实是我可以使用openssl使用此命令连接到服务器，没有任何问题。

openssl s_client -connect HOST:PORT

任何指针？

Answer 1

我只是从某些Java客户端看到此错误。调整apache的虚拟主机配置中的SSLProtocol仅允许TLS允许客户端连接。