Java SSLHandshakeException“没有共同的密码套件”

时间:2013-02-25 21:28:21

标签: java ssl sslhandshakeexception

我正在使用SSLServerSocket接受我的openSUSE服务器上的客户端连接,但它们都不能连接。我总是得到一个SSLHandshakeException,说no cipher suites in common。我已经激活了所有可能的套件,启用了多个协议,尝试使用最新的oracle JRE和openjdk。此外,我在论坛和其他内容上关注了几个其他帖子并“解锁”了oracle jre中的所有密码套件,并且我更改了openjdk jre的设置:

已停用:#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg 并启用:security.provider.9=sun.security.ec.SunEC

这是我初始化SSLServerSocket的方式:

    System.setProperty("javax.net.ssl.keyStore", "./keystore");
    System.setProperty("javax.net.ssl.keyStorePassword", "nopassword");
    java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

// Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }

                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }

                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
            }
    };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, trustAllCerts, new SecureRandom());
    SSLServerSocket ssl = (SSLServerSocket) sc.getServerSocketFactory().createServerSocket(
            DownloadFilelist.PORT);
    // Got rid of:
    //ssl.setEnabledCipherSuites(sc.getServerSocketFactory().getSupportedCipherSuites());
    ssl.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3"});

    // System.out.println(Arrays.toString(ssl.getEnabledCipherSuites()));

    s = ssl;
    // s = new ServerSocket(DownloadFilelist.PORT);
    s.setSoTimeout(TIMEOUT);

问题在于我无法找出客户想要的密码套件,也无法影响它。我使用-Djavax.net.debug=ssl,handshake启动了该计划,结果是here。你们有人能弄明白问题是什么吗?

编辑密钥库是使用:keytool -genkey -keyalg RSA -keystore ./keystore

生成的

这是这个页面上的代码,如果这有帮助(似乎格式化没有搞砸):

trigger seeding of SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
main, setSoTimeout(2000) called
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1361763651 bytes = { 159, 113, 250, 254, 103, 37, 66, 234, 127, 4, 36, 240, 60, 252, 55, 112, 6, 224, 192, 181, 146, 163, 63, 148, 152, 255, 77, 8 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 67
main, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie:  GMT: 1361763767 bytes = { 249, 20, 120, 68, 76, 110, 168, 235, 47, 91, 119, 64, 151, 242, 169, 191, 111, 105, 146, 90, 173, 223, 55, 127, 133, 12, 1, 247 }
Session ID:  {246, 66, 250, 209, 13, 188, 190, 246, 14, 49, 113, 183, 192, 202, 68, 246, 121, 162, 165, 71, 242, 220, 233, 223, 245, 47, 250, 215, 203, 94, 255, 148}
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
main, READ: TLSv1 Handshake, length = 933
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=dc.hadiko.de, O=hadiko dc, L=town, ST=land of the free, C=de
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 22613010171436639614880560956464961031555258188367451246658444583390999370970098210909007150132692078653881042731046316239498513359691936582885343174669796075601988313858262934995935649363223919652108615287224220030023261629874169998331654587246748976585212101810697310529416436829153514374554242128947092694064999520197281527578067183301918060451970607703466399571245107774569719996572643148013190800713656468629158991997127544540177983174906099325217344868710319256330960086862269228933938482311029685238274537823670267001618579382801319470736924423550865055775144486750164961588873175599114046362924859400297960451
  public exponent: 65537
  Validity: [From: Sat Jul 07 12:56:23 CEST 2012,
               To: Tue Jul 07 12:56:23 CEST 2015]
  Issuer: CN=dc.hadiko.de, O=hadiko dc, L=town, ST=land of the free, C=de
  SerialNumber: [    8682354f f94fbbb5]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 43 1D D9 A7 CF 21 2E 17   F3 4E EE F6 6C 6C 88 16  C....!...N..ll..
0010: 08 3C 67 8E                                        .<g.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 43 1D D9 A7 CF 21 2E 17   F3 4E EE F6 6C 6C 88 16  C....!...N..ll..
0010: 08 3C 67 8E                                        .<g.
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 14 83 48 D3 EC 39 49 E3   9C BC 20 F5 BF E4 32 33  ..H..9I... ...23
0010: 5F 09 8F 2D F2 C3 82 80   79 93 9A C1 97 93 92 D9  _..-....y.......
0020: D0 DA 4D B2 FC A1 43 60   1F B9 EA 4C 29 D7 79 D0  ..M...C`...L).y.
0030: 66 8C 25 14 EB 9D 60 94   D7 F4 15 33 8B 17 24 24  f.%...`....3..$$
0040: 5C 65 26 3D C3 B0 8A 51   B6 27 01 D1 A6 A3 68 87  \e&=...Q.'....h.
0050: 2D 6F 0B E6 00 96 B6 CF   BC E9 D2 9C 7E 19 9E E1  -o..............
0060: 3A 96 42 2E B7 E8 C0 70   01 99 20 39 89 6D 94 2B  :.B....p.. 9.m.+
0070: 76 2F F1 0E 6D 2D 9B 52   77 D3 63 6A 11 DC A3 E6  v/..m-.Rw.cj....
0080: 4E 0E 64 6D FA 77 BC 1E   4F C3 91 AD 21 F7 5D 31  N.dm.w..O...!.]1
0090: F9 04 A5 FA 34 EF 43 61   F1 42 32 5A 9B D1 16 84  ....4.Ca.B2Z....
00A0: 07 2B CA 01 AF 84 54 D2   A9 C4 3A 7A EA D1 2A 95  .+....T...:z..*.
00B0: 47 30 03 BA 48 C4 57 1F   78 58 6C 7A 56 60 40 2C  G0..H.W.xXlzV`@,
00C0: 6A 17 15 3F 43 A5 FB 81   4D 9D 1B DC A7 CE 78 D1  j..?C...M.....x.
00D0: 5A 66 97 79 04 55 DA 34   3C B2 CD 9A 62 EE 32 22  Zf.y.U.4<...b.2"
00E0: 70 84 0E 3E 5D 7F 91 0D   A5 D4 84 6B F3 E9 40 E9  p..>]......k..@.
00F0: E8 69 D7 E5 FC B6 0A 4C   35 66 CC BA E5 38 12 A0  .i.....L5f...8..

]
***
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 262
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 59 D3 0F F9 95 E8   DC E2 C2 4A 2B 93 79 55  ..Y........J+.yU
0010: 0B 1A 43 5E F4 0A 73 F1   13 E1 00 DF 78 55 F6 52  ..C^..s.....xU.R
0020: 4E 6A D3 2C F8 08 A1 B3   03 DF C9 5E 8C 14 8D 4E  Nj.,.......^...N
CONNECTION KEYGEN:
Client Nonce:
0000: 51 2B DD 43 9F 71 FA FE   67 25 42 EA 7F 04 24 F0  Q+.C.q..g%B...$.
0010: 3C FC 37 70 06 E0 C0 B5   92 A3 3F 94 98 FF 4D 08  <.7p......?...M.
Server Nonce:
0000: 51 2B DE B7 F9 14 78 44   4C 6E A8 EB 2F 5B 77 40  Q+....xDLn../[w@
0010: 97 F2 A9 BF 6F 69 92 5A   AD DF 37 7F 85 0C 01 F7  ....oi.Z..7.....
Master Secret:
0000: 3E 9E 24 42 3D E4 82 AF   AD 97 76 EF 06 EF FB FD  >.$B=.....v.....
0010: C8 1A D5 7E 8E A2 74 4D   E8 E7 B9 1E 60 E9 E0 6F  ......tM....`..o
0020: 09 E3 56 81 FC 2D 20 D9   69 6B 26 C3 0B C5 53 5F  ..V..- .ik&...S_
Client MAC write Secret:
0000: 04 30 70 7E A9 4A 1F 88   55 F8 31 31 75 36 40 35  .0p..J..U.11u6@5
0010: 25 65 24 5D                                        %e$]
Server MAC write Secret:
0000: 8B C1 65 50 6D 11 21 32   CD 50 3A AB 0F 2E A5 FC  ..ePm.!2.P:.....
0010: C7 30 E6 EC                                        .0..
Client write key:
0000: 25 D7 96 B0 9A 1F 49 95   06 4D 05 36 2E D0 38 04  %.....I..M.6..8.
0010: 0F 32 15 2E 8F 0A 6C 79   F8 ED E8 9B FE 5C 2C D8  .2....ly.....\,.
Server write key:
0000: 4A 91 5D DF B2 FE 6F 35   3E 8A 21 DF 17 E0 35 F0  J.]...o5>.!...5.
0010: DB 97 4C 7E 18 07 7E 27   DD AD BC C4 C4 28 C5 E1  ..L....'.....(..
Client write IV:
0000: B6 C1 98 05 9B 37 F9 0F   4E 0C 0F 6E 08 8A 26 C9  .....7..N..n..&.
Server write IV:
0000: 0E 83 27 3E 3B 40 E8 BE   4C 58 C4 5F EF E4 D3 4C  ..'>;@..LX._...L
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 23, 181, 134, 191, 68, 30, 119, 81, 239, 135, 238, 80 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data:  { 254, 182, 228, 50, 121, 214, 35, 175, 100, 128, 102, 152 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = 48
HSent: HSUP ADBASE ADTIGR ADBLOM
main, READ: TLSv1 Application Data, length = 32
main, READ: TLSv1 Application Data, length = 48
main, READ: TLSv1 Application Data, length = 32
main, READ: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 288
ClientManager, READ: TLSv1 Application Data, length = 32
ClientManager, READ: TLSv1 Application Data, length = 96

[...] (Cut out becauseI exceeded body limit.)

ClientManager, READ: TLSv1 Application Data, length = 80
ClientManager, READ: TLSv1 Application Data, length = 32
ClientManager, READ: TLSv1 Application Data, length = 80
main, WRITE: TLSv1 Application Data, length = 32
main, WRITE: TLSv1 Application Data, length = 64
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
A client, READ: SSLv3 Handshake, length = 112
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1361763651 bytes = { 47, 7, 95, 146, 25, 28, 95, 191, 146, 159, 184, 47, 149, 220, 67, 169, 121, 123, 252, 98, 0, 253, 108, 88, 108, 188, 52, 76 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension signature_algorithms, signature_algorithms: Unknown (hash:0x4, signature:0x2), SHA256withRSA, SHA1withRSA, SHA1withDSA
***
%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-2, SSL_NULL_WITH_NULL_NULL]
A client, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
A client, WRITE: TLSv1.2 Alert, length = 2
A client, called closeSocket()
A client, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common

输出包含一个连接到另一个工作的服务器,然后连接到我的服务器。我无法删除其他连接,因为我正在获取有关如何通过此连接进行连接的信息。我可以在第一次连接后启用调试,如果可能的话,但我不知道如何......

我删除了所有不相关的输出(我创建的输出)。

更新

我甚至无法连接到自己。当我在同一个应用程序中创建一个SSLServerSocket和一个SSLSocket来连接它时,我得到了同样的错误。但是当我比较启用的密码套件列表时,两个套接字都支持一堆套件。我已经使用最新的JDK在Windows 7 64bit上进行了测试。

更新

我刚从头开始使用教程启动了我的程序的服务器部分,并且神奇地工作了......我不知道为什么,但似乎我应该尽可能多地使用标准实现。我把声誉归功于布鲁诺,因为他把最大的努力放在了他的岗位上。

8 个答案:

答案 0 :(得分:60)

您正在使用SSLContext null数组初始化KeyManager

密钥管理器处理服务器证书(在服务器端),这是您在使用javax.net.ssl.keyStore时可能要设置的内容。

但是,正如JSSE Reference Guide中所述,使用null作为第一个参数并没有做你认为它做的事情:

  

如果KeyManager []参数为null,则空KeyManager将为   为此上下文定义。如果TrustManager []参数为null,   将搜索已安装的安全提供程序   TrustManagerFactory的最高优先级实现,从中   将获得适当的TrustManager。同样地,   SecureRandom参数可以为null,在这种情况下为默认值   将使用实施。

KeyManager不包含任何RSA或DSA证书。因此,将禁用依赖此类证书的所有默认密码套件。这就是为什么你得到所有这些&#34; 忽略不可用的密码套件&#34;消息,最终导致&#34; 没有共同的密码套件&#34;消息。

如果您希望将密钥库用作密钥库,则需要加载密钥库并使用它初始化KeyManagerFactory:

    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream ksIs = new FileInputStream("...");
    try {
        ks.load(ksIs, "password".toCharArray());
    } finally {
        if (ksIs != null) {
            ksIs.close();
        }
    }

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
            .getDefaultAlgorithm());
    kmf.init(ks, "keypassword".toCharArray());

使用kmf.getKeyManagers()作为SSLContext.init()的第一个参数。

对于其他两个参数,由于您明显没有请求客户端证书身份验证,您应该将信任管理器保留为其默认值(null),而不是复制/粘贴信任管理器&# 39;是潜在的漏洞原因,您也可以使用默认的null SecureRandom

答案 1 :(得分:17)

我自己有这个例外,我深入研究了JRE源代码。很明显,这个信息很容易引起误解。 可以表示它所说的内容,但更普遍的意思是服务器没有以所请求的方式响应客户端所需的数据。例如,如果密钥库中缺少证书,或者没有使用适当的算法生成证书,则可能会发生这种情况。实际上,考虑到默认安装的密码套件,由于缺少通用的密码套件,人们不得不花一些时间来真正得到这个例外。在我的特定情况下,我使用默认的DSA算法生成证书,当我需要让服务器与Firefox一起使用RSA时。

答案 2 :(得分:12)

此问题可能是由于对客户端或服务器上启用的密码套件的过度操作造成的,但我怀疑最常见的原因是服务器根本没有私钥和证书。

NB:

ssl.setEnabledCipherSuites(sc.getServerSocketFactory().getSupportedCipherSuites());

摆脱这条线。你的服务器已经不安全了TrustManager。然后使用-Djavax.net.debug=SSL,handshake,运行您的服务器尝试一个连接,并在此处发布结果输出。

答案 3 :(得分:3)

当我启动java add时调试如下所示:

-Djavax.net.debug=ssl

然后你可以看到浏览器试图使用TLSv1和Jetty 9.1.3正在谈论TLSv1.2 所以他们没有沟通。这就是Firefox。 Chrome需要SSLv3,所以我也加了。

sslContextFactory.setIncludeProtocols( "TLSv1", "SSLv3" );  <-- Fix
sslContextFactory.setRenegotiationAllowed(true);   <-- added don't know if helps anything.

我没有做orig海报所做的大部分其他工作:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {

或者这个答案:

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
        .getDefaultAlgorithm());

.setEnabledCipherSuites

我创建了一个这样的自签名证书:(但我将.jks添加到文件名中) 并在我的jetty java代码中读取。 http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

keytool -keystore keystore.jks -alias jetty -genkey -keyalg RSA     

第一&amp;姓氏* .mywebdomain.com

答案 4 :(得分:2)

在我的情况下,我收到此no cipher suites in common错误,因为我已将p12格式文件加载到服务器的密钥库,而不是jks文件。

答案 5 :(得分:1)

看起来您正在尝试使用TLSv1.2进行连接,而TLSv1.2并未在服务器上广泛实施。你的目的地是否支持tls1.2?

答案 6 :(得分:0)

我遇到了这个错误...不幸的是...我必须使用的软件包,但没有源文件。经过大量的挖掘(感谢Stack Overflow)并尝试了无止境的组合之后,我终于找到了运行的方法:

  1. 使用整个证书链创建JKS

  2. 确保JKS中的密钥具有计算机FQDN的别名。

  3. 为我的机器$ {FQDN} .cert

  4. 重命名证书的别名

对Java命令行选项进行了无休止的尝试:

-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager 
-Djava.security.debug=access:stack

我的密钥和CSR是在OpenSSL中生成的,因此我必须使用以下命令导入密钥:

openssl pkcs12 -export -in  cert.pem -inkey  cert.key -CAfile fullChain.pem -name ${FQDN} -out cert.p12
keytool -importkeystore -destkeystore cert.jks -srckeystore cert.p12 -srcstoretype PKCS12

keytool抱怨格式,所以我转换了格式,然后添加了证书链:

keytool -importkeystore -srckeystore cert.jks -destkeystore cert_p12.jks -deststoretype pkcs12
keytool -import -trustcacerts -alias 'DigiCert Global Root G2 IntermediateCA' -keystore cert_p12.jks -file cert2.pem -storepass "$STOREPASS" -keypass "$KEYPASS" 
keytool -import -trustcacerts -alias 'DigiCert Global Root G2'                -keystore cert_p12.jks -file cert3.pem -storepass "$STOREPASS" -keypass "$KEYPASS"

(其中cert2.pem和cert3.pem是从DigiCert网站下载的,并转换为PEM格式。) 当我使用生成的jks文件重新启动应用程序时,事情开始起作用。

我想出了别的东西。您可以使用以下方法检查证书链:

openssl x509 -in cert2.pem -noout -text

对于所有证书并研究输出,请注意X509v3 Authority Key Identifier:X509v3 Authority Key Identifier:行。一级的X509v3 Authority Key Identifier:与下一级的X509v3 Subject Key Identifier:相匹配。当Issuer:字符串与Subject:字符串匹配时,您发现了链的顶部。

我希望这可以节省一些花在我身上的时间。

答案 7 :(得分:-1)

服务器

import java.net.*;
import java.io.*;
import java.util.*;
import javax.net.ssl.*;
import javax.net.*;
class Test{
  public static void main(String[] args){
    try{
      SSLContext context = SSLContext.getInstance("TLSv1.2");
      context.init(null,null,null);
      SSLServerSocketFactory serverSocketFactory = context.getServerSocketFactory();
      SSLServerSocket server = (SSLServerSocket)serverSocketFactory.createServerSocket(1024);
      server.setEnabledCipherSuites(server.getSupportedCipherSuites());
      SSLSocket socket = (SSLSocket)server.accept();
      DataInputStream in = new DataInputStream(socket.getInputStream());
      DataOutputStream out = new DataOutputStream(socket.getOutputStream());
      System.out.println(in.readInt());
    }catch(Exception e){e.printStackTrace();}
  }
}

客户端

import java.net.*;
import java.io.*;
import java.util.*;
import javax.net.ssl.*;
import javax.net.*;
class Test2{
  public static void main(String[] args){
    try{
      SSLContext context = SSLContext.getInstance("TLSv1.2");
      context.init(null,null,null);
      SSLSocketFactory socketFactory = context.getSocketFactory();
      SSLSocket socket = (SSLSocket)socketFactory.createSocket("localhost", 1024);
      socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());
      DataInputStream in = new DataInputStream(socket.getInputStream());
      DataOutputStream out = new DataOutputStream(socket.getOutputStream());
      out.writeInt(1337);     
    }catch(Exception e){e.printStackTrace();}
  }
}

server.setEnabledCipherSuites(server.getSupportedCipherSuites()); socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());