当我尝试将Java 8应用程序连接到web服务时,我收到SSLHandshakeException。
www.ssllabs.com我说网络服务不支持TLSv1.1和TSLv1.2。
所以我用:
执行SSLPokejava -Djavax.net.debug=all -Djdk.tls.client.protocols="TLSv1" -Dhttps.protocol="TLSv1" SSLPoke ws.seur.com 443
我得到:
*** ClientHello, TLSv1
RandomCookie: GMT: 1450188882 bytes = { 215, 201, 145, 239, 52, 121, 175, 184, 120, 99, 193, 227, 113, 25, 222, 207, 145, 219, 37, 4, 82, 26, 128, 21, 217, 243, 4, 139 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=ws.seur.com]
***
[write] MD5 and SHA1 hashes: len = 171
0000: 01 00 00 A7 03 01 56 70 20 52 D7 C9 91 EF 34 79 ......Vp R....4y
0010: AF B8 78 63 C1 E3 71 19 DE CF 91 DB 25 04 52 1A ..xc..q.....%.R.
0020: 80 15 D9 F3 04 8B 00 00 2C C0 0A C0 14 00 35 C0 ........,.....5.
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../...
0040: 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 ..3.2...........
0050: 16 00 13 00 FF 01 00 00 52 00 0A 00 34 00 32 00 ........R...4.2.
0060: 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09 00 ................
0070: 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 ................
0080: 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08 00 ................
0090: 16 00 0B 00 02 01 00 00 00 00 10 00 0E 00 00 0B ................
00A0: 77 73 2E 73 65 75 72 2E 63 6F 6D ws.seur.com
main, WRITE: TLSv1 Handshake, length = 171
[Raw write]: length = 176
0000: 16 03 01 00 AB 01 00 00 A7 03 01 56 70 20 52 D7 ...........Vp R.
0010: C9 91 EF 34 79 AF B8 78 63 C1 E3 71 19 DE CF 91 ...4y..xc..q....
0020: DB 25 04 52 1A 80 15 D9 F3 04 8B 00 00 2C C0 0A .%.R.........,..
0030: C0 14 00 35 C0 05 C0 0F 00 39 00 38 C0 09 C0 13 ...5.....9.8....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A ./.....3.2......
0050: C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 52 00 0A .............R..
0060: 00 34 00 32 00 17 00 01 00 03 00 13 00 15 00 06 .4.2............
0070: 00 07 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D ................
0080: 00 0E 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 ................
0090: 00 14 00 08 00 16 00 0B 00 02 01 00 00 00 00 10 ................
00A0: 00 0E 00 00 0B 77 73 2E 73 65 75 72 2E 63 6F 6D .....ws.seur.com
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
为什么我得到RECV TLSv1.2 ALERT:致命,握手_failure如果我强迫TLSv1?
在Java 7上它工作正常,但Java 8不起作用。
答案 0 :(得分:4)
如user1516873的answer所示,客户端(Java 8u51或更高版本)和服务器(ws.seur.com)不支持通用密码套件。默认情况下,作为RC4的客户端中的Java 8 Update 51 removed support for RC4 ciphers被认为是弱的并且受到损害。
区域:security-libs / javax.net.ssl概要:禁止RC4密码套件
RC4现在被视为受损密码。 RC4密码套件有 已从客户端和服务器默认启用的密码套件中删除 Oracle JSSE实现中的列表。这些密码套件仍然可以 由SSLEngine.setEnabledCipherSuites()和。启用 SSLSocket.setEnabledCipherSuites()方法。
请参阅JDK-8077109(非公开)。
虽然最好的做法是联系WebService提供商并让他们更新TLS配置,但在发行说明中描述了在客户端启用RC4的解决方法。但是请注意,出于某种原因删除了对RC4的支持,并且通过重新启用它,您将使客户端的用户暴露于较低的安全标准。
答案 1 :(得分:3)
客户端密码套件:
服务器密码套件:
不匹配。即使手动将协议设置为TLS 1.0,也会出现ssl握手错误。没有好的解决方案,服务器已过时并使用旧的不安全协议。如果您绝对需要使用java 8连接到此服务器,我认为您可以使用BouncyCastle。