鉴于这个Jersey init代码:
boolean clientMode = false,
needClientAuth = true,
wantClientAuth = true;
SSLContext sslcconf = SSLContext.getDefault();
SSLEngineConfigurator ssleconf = new SSLEngineConfigurator(sslcconf, clientMode, needClientAuth, wantClientAuth);
boolean secure = true,
start = true;
ResourceConfig resconf = new ResourceConfig(classes);
HttpServer server = GrizzlyHttpServerFactory.createHttpServer(
new URI("https://localhost:8080"),
resconf, secure, ssleconf, start);
尝试连接到此服务器的所有客户端都会抛出通用SSL握手错误。特别是:
$ openssl s_client -debug -msg -connect localhost:8080
CONNECTED(00000003)
write to 0xa024118 [0xa024b48] (118 bytes => 118 (0x76))
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 bf 3e-48 68 ef c9 6f aa 65 88 .......>Hh..o.e.
0060 - 86 e7 eb 77 e9 be 3c 69-67 0b 3c ae 3a dc 69 5f ...w..<ig.<.:.i_
0070 - ad c0 c4 93 61 ce ....a.
>>> SSL 2.0 [length 0074], CLIENT-HELLO
01 03 01 00 4b 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
03 02 00 80 bf 3e 48 68 ef c9 6f aa 65 88 86 e7
eb 77 e9 be 3c 69 67 0b 3c ae 3a dc 69 5f ad c0
c4 93 61 ce
read from 0xa024118 [0xa02a0a8] (7 bytes => 0 (0x0))
21856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
将此与对不同服务器的良好请求进行比较:
CONNECTED(00000003)
write to 0xa024138 [0xa024b48] (118 bytes => 118 (0x76))
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 b1 33-32 65 f0 53 60 2d aa 85 .......32e.S`-..
0060 - b1 5c 19 1f f2 5b 8b 1a-2d 8a ed 8f c0 79 f7 72 .\...[..-....y.r
0070 - 9c 31 b3 ec 39 b5 .1..9.
>>> SSL 2.0 [length 0074], CLIENT-HELLO
01 03 01 00 4b 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
03 02 00 80 b1 33 32 65 f0 53 60 2d aa 85 b1 5c
19 1f f2 5b 8b 1a 2d 8a ed 8f c0 79 f7 72 9c 31
b3 ec 39 b5
read from 0xa024138 [0xa02a0a8] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02 ....J.
0007 - <SPACES/NULS>
...
编辑:尽管有明确的密码,但以下内容会产生类似的结果:
boolean clientMode = false,
needClientAuth = true,
wantClientAuth = true;
SSLContextConfigurator sslcconf = new SSLContextConfigurator();
sslcconf.setSecurityProtocol("TLSv1.2");
SSLEngineConfigurator ssleconf = new SSLEngineConfigurator(sslcconf, clientMode, needClientAuth, wantClientAuth);
ssleconf.setEnabledProtocols(new String[] { "TLSv1.2" });
ssleconf.setEnabledCipherSuites(new String[] {
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
});
// SSLContext sslcconf = SSLContext.getDefault();
boolean secure = true,
start = true;
ResourceConfig resconf = new ResourceConfig(classes);
HttpServer server = GrizzlyHttpServerFactory.createHttpServer(
new URI("https://localhost:8080"),
resconf, secure, ssleconf, start);
答案 0 :(得分:0)
这实际上看起来像是一个OpenSSL问题。您要连接的服务器是否禁用了SSLv3? 您需要检查在该客户端上运行的OpenSSL的版本。如果安装了0.9.x分支,则默认上下文不包括TLS,即使该库可以支持TLS。在上面发布的代码中,它默认为默认上下文,而不是您指定自己的代码,因此在这种情况下,如果在远程上禁用SSLv3,您将无法连接。
如果这是真的,你有几个选择:
答案 1 :(得分:0)
很抱歉这个奇怪的问题,但您是否为SSLContextConfigurator配置了密钥库(使用正确的密码等)?
如果您忘记执行此操作或无法从密钥库获取密钥(由于配置错误或错误),“SSL_NULL_WITH_NULL_NULL”将用作密码,然后您将获得“没有共同的密码套件”并且握手失败。