Question

我试图找出在8u60中使用SSL时我们的应用程序中断的问题，但在以前的Java版本中没有。在8u60，尝试建立HTTPS连接时，我们得到javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)，并在适当的位置放置断点，我看到密码套件列表确实是空的，而它填充了值I期望在8u45或更早版本中运行相同的代码。

显示此行为的SSCCE（假设您在正确的相对路径中获得了证书密钥库...）我在SSCCE中使用Jetty 9.3.0，但我们的应用程序使用的是9.2 .x，fwiw：

public class HelloWorldSSL extends AbstractHandler {
    private static final int HTTP_PORT = 9999;
    private static final int SSL_PORT = 9998;

    public void handle(String s, Request request, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws IOException, ServletException {
        httpServletResponse.setContentType("text/html;charset=utf-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        request.setHandled(true);
        httpServletResponse.getWriter().println("<h1>Hello World</h1>");
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // HTTP Configuration
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(SSL_PORT);

        // HTTP Connector
        ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        httpConnector.setPort(HTTP_PORT);
        server.addConnector(httpConnector);

        // SSL Configuration
        String keystorePath = "src/main/resources/keystore.jks";
        File keyStoreFile = new File(keystorePath);
        if (keyStoreFile.exists()) {
            SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
            sslContextFactory.setKeyStorePassword("123456");

            String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
                    "AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
            sslContextFactory.setIncludeCipherSuites(defaultCiphers);
            HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
            sslConfig.addCustomizer(new SecureRequestCustomizer());
            ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
                    new HttpConnectionFactory(sslConfig));
            sslConnector.setPort(SSL_PORT);
            sslConnector.setAcceptQueueSize(5);
            server.addConnector(sslConnector);

        }
        HandlerList handlers = new HandlerList();
        handlers.addHandler(new HelloWorldSSL());
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}

我们有什么明显的错误可以解释为什么它在8u45而不是8u60工作？查看8u60更改日志并没有帮助。（并试图浏览Jetty的错误报告是一场噩梦。叹息）

[编辑] 阅读Java错误报告让我尝试取出sslContextFactory.setIncludeCipherSuites(defaultCiphers);行，现在代码工作在8u60。仍然希望有人能够了解为什么会这样......

Answer 1

通过实验和Jetty人员的帮助找到了答案。看起来Java的可接受密码列表已从8u45更改为8u60，并且上面数组中的所有密码都不在新的可接受列表中，从而导致可接受密码的空列表。

从添加默认密码列表到添加默认协议（TLSv1.2），一切都可以在8u60和之前的版本中运行，并且启动更安全。

Jetty在8u60中表现不同？

1 个答案: