HttpClientBuilder使用TLSv1.2而不是TLSv1

时间:2015-05-15 20:14:27

标签: java ssl apache-httpclient-4.x

以下是创建Httpclient的代码。

        client =
            HttpClients.custom().setConnectionManager(connManager).setDefaultCredentialsProvider(provider)
                .setDefaultRequestConfig(config).setSslcontext(SSLContexts.custom().useProtocol("TLSv1").build()).build();

但是,每当基于此客户端的resttemplate启动SSL握手时,它都会发生在TLSv1.2中。以下是客户端的SSL调试日志。

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1431720225 bytes = { 14, 133, 24, 60, 189, 198, 176, 35, 186, 71, 229, 4, 43, 213, 142, 236, 141, 14, 104, 83, 202, 72, 243, 74, 244, 170, 247, 15 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: dev.*****.com]
***
main, WRITE: TLSv1.2 Handshake, length = 216
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()

服务器在JDK5上运行,无法使用TLSv1.2。

任何人都可以了解为什么useProtocol(" TLSv1")被抄袭?

https://stackoverflow.com/questions/28619942/how-to-force-httpclient-4-3-to-use-the-tlsv1-and-not-the-tlsv1-2已经提出了类似的问题,但没有回答。

感谢。

1 个答案:

答案 0 :(得分:1)

不是Java专家,但这是我从文档中得到的:

编辑:Java 似乎不支持SSLv23除此之外尝试使用SSLv23而不是TLSv1进行握手。如果服务器不支持这种最兼容的握手,则只是错误。