我试图找出在8u60中使用SSL时我们的应用程序中断的问题,但在以前的Java版本中没有。在8u60,尝试建立HTTPS连接时,我们得到javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
,并在适当的位置放置断点,我看到密码套件列表确实是空的,而它填充了值I期望在8u45或更早版本中运行相同的代码。
显示此行为的SSCCE(假设您在正确的相对路径中获得了证书密钥库...)我在SSCCE中使用Jetty 9.3.0,但我们的应用程序使用的是9.2 .x,fwiw:
public class HelloWorldSSL extends AbstractHandler {
private static final int HTTP_PORT = 9999;
private static final int SSL_PORT = 9998;
public void handle(String s, Request request, HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse) throws IOException, ServletException {
httpServletResponse.setContentType("text/html;charset=utf-8");
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
request.setHandled(true);
httpServletResponse.getWriter().println("<h1>Hello World</h1>");
}
public static void main(String[] args) throws Exception
{
Server server = new Server();
// HTTP Configuration
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setSecureScheme("https");
httpConfig.setSecurePort(SSL_PORT);
// HTTP Connector
ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
httpConnector.setPort(HTTP_PORT);
server.addConnector(httpConnector);
// SSL Configuration
String keystorePath = "src/main/resources/keystore.jks";
File keyStoreFile = new File(keystorePath);
if (keyStoreFile.exists()) {
SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
sslContextFactory.setKeyStorePassword("123456");
String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
"AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
sslContextFactory.setIncludeCipherSuites(defaultCiphers);
HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
sslConfig.addCustomizer(new SecureRequestCustomizer());
ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
new HttpConnectionFactory(sslConfig));
sslConnector.setPort(SSL_PORT);
sslConnector.setAcceptQueueSize(5);
server.addConnector(sslConnector);
}
HandlerList handlers = new HandlerList();
handlers.addHandler(new HelloWorldSSL());
server.setHandler(handlers);
server.start();
server.join();
}
}
我们有什么明显的错误可以解释为什么它在8u45而不是8u60工作?查看8u60更改日志并没有帮助。 (并试图浏览Jetty的错误报告是一场噩梦。叹息)
[编辑]
阅读Java错误报告让我尝试取出sslContextFactory.setIncludeCipherSuites(defaultCiphers);
行,现在代码工作在8u60。仍然希望有人能够了解为什么会这样......
答案 0 :(得分:0)
通过实验和Jetty人员的帮助找到了答案。看起来Java的可接受密码列表已从8u45更改为8u60,并且上面数组中的所有密码都不在新的可接受列表中,从而导致可接受密码的空列表。
从添加默认密码列表到添加默认协议(TLSv1.2),一切都可以在8u60和之前的版本中运行,并且启动更安全。