我们的tokenserver升级为仅接受TLSv1 / TLSv1.1 / TLSv1.2连接。我使用SSL进行握手的代码失败了。如何升级我的代码以支持TLSv1握手?我的java版本是1.6。以下是我的SSL客户端代码。
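/**
 * Configures the JVM-wide JSSE trust store from the given path and password.
 *
 * When {@code truststorePath} is supplied (non-null, not blank, not the literal
 * string "null") this registers the Sun JSSE provider, points the URL handler
 * lookup at the Sun HTTPS handler package and publishes the trust store location
 * via {@code javax.net.ssl.trustStore}. The password is published via
 * {@code javax.net.ssl.trustStorePassword} only when it passes the same rule.
 * When the path is not supplied, no property is touched.
 *
 * The resulting settings are echoed to stdout for diagnosis. The password value
 * itself is never printed (stdout may be captured by an application server log);
 * only whether one is present is reported.
 *
 * Note: {@code com.sun.net.ssl.internal.*} are Sun-internal JSSE classes of
 * Java 5/6, not public API; they are not present in later JDKs.
 *
 * @param truststorePath path to the JKS trust store, or null/blank/"null" to leave JSSE untouched
 * @param truststorePwd  trust store password, or null/blank/"null" for none; surrounding whitespace is trimmed
 */
public static void setTruststore(String truststorePath, String truststorePwd)
{
    if (isConfigured(truststorePath)) {
        java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        System.setProperty("javax.net.ssl.trustStore", truststorePath);
        if (isConfigured(truststorePwd)) {
            System.setProperty("javax.net.ssl.trustStorePassword", truststorePwd.trim());
        }
    }
    System.out.println(System.getProperty("java.protocol.handler.pkgs"));
    System.out.println(System.getProperty("javax.net.ssl.trustStore"));
    // Do not echo the secret itself; report presence only.
    System.out.println(System.getProperty("javax.net.ssl.trustStorePassword") != null
            ? "javax.net.ssl.trustStorePassword is set"
            : "javax.net.ssl.trustStorePassword is not set");
}

/**
 * Tells whether a configuration value was actually supplied.
 *
 * Mirrors the original inline test: a value counts as supplied when it is
 * non-null, not blank after trimming, and not the literal string "null"
 * (compared case-insensitively), which some callers use to mean "absent".
 *
 * @param value raw configuration value, possibly null
 * @return true when the value should be applied
 */
private static boolean isConfigured(String value)
{
    if (value == null) {
        return false;
    }
    String trimmed = value.trim();
    return trimmed.length() != 0 && !trimmed.equalsIgnoreCase("null");
}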
My token server has already been upgraded and we are failing to connect to it.
I edited my code as shown below to support TLSv1.
package ml.token.utility;
import java.io.File;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.security.Security;
import org.bouncycastle.crypto.tls.CertificateRequest;
import org.bouncycastle.crypto.tls.DefaultTlsClient;
import org.bouncycastle.crypto.tls.TlsAuthentication;
import org.bouncycastle.crypto.tls.TlsClientProtocol;
import org.bouncycastle.crypto.tls.TlsCredentials;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
// To be used for Ezi SSL certificate //
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.io.FileNotFoundException;
import java.security.PrivilegedActionException;
/**
 * Question author's TLS client helper: loads a JKS trust store, publishes the
 * JSSE system properties and then opens a test connection to a hard-coded
 * token-server address.
 *
 * Review notes on the listing as it stands (code left unchanged here):
 *  - {@code setTruststore} creates a JSSE {@link SSLSocket}, which performs the
 *    TLS handshake itself, and then drives a BouncyCastle {@link TlsClientProtocol}
 *    over that socket's streams, i.e. a second TLS handshake inside an already
 *    established TLS session. The first log excerpt on this page is consistent
 *    with that: the JSSE layer completes a TLSv1 session, writes "Application Data"
 *    (presumably the BC ClientHello) and the server answers with close_notify.
 *    Only one of the two TLS implementations should own the connection.
 *  - The BC {@code TlsAuthentication} ignores the server certificate, so that
 *    layer authenticates nothing; the loaded trust store is only wired into the
 *    JSSE layer.
 *  - The trust-store password is printed to stdout, and {@code javax.net.debug}
 *    is switched on process-wide at runtime.
 *  - The target address (10.2.100.79:8443) and the protocol list are hard-coded,
 *    and the class {@code ProtocolOverridingSSLSocketFactory} is not part of
 *    this listing.
 */
public class TrustStore {
/**
 * Loads the JKS trust store at {@code truststorePath}, registers BouncyCastle,
 * publishes the JSSE trust-store system properties and opens a TLSv1 test
 * connection to 10.2.100.79:8443, printing the negotiated session details.
 *
 * All failures are caught and printed to stdout/stderr; nothing is reported to
 * the caller.
 *
 * @param truststorePath path of the JKS trust store; the file is opened before
 *                       the null/"null" check below, so a null path fails at the open
 * @param truststorePwd  trust store password; dereferenced on the first line of
 *                       the try block, so null throws NullPointerException there
 */
public static void setTruststore(String truststorePath, String truststorePwd)
{
KeyStore ks = null;
FileInputStream fis = null;
try{
char[] passwd = null;
// NullPointerException if truststorePwd is null: its null check only comes further down.
if (truststorePwd.length() != 0)
passwd = truststorePwd.toCharArray();
java.security.SecureRandom secureRandom = new java.security.SecureRandom();
ks = KeyStore.getInstance("JKS");
// The file is opened before truststorePath is validated, so the guard below
// can only be reached with a path that has already opened successfully.
fis = new java.io.FileInputStream(truststorePath);
// If load() throws, fis stays open: the outer catch does not close it.
ks.load(fis, passwd);
fis.close();
BouncyCastleProvider bcp = new BouncyCastleProvider();
if( truststorePath != null && !truststorePath.trim().equalsIgnoreCase("null") && truststorePath.trim().length() != 0 ){
try {
Security.addProvider(bcp);
} catch (Exception e) {
// The original cause is dropped here; passing e as the second constructor argument would keep it.
throw new RuntimeException("Cannot add BouncyCastle security provider");
}
// java.protocol.handler.pkgs expects package prefixes under which a <protocol>.Handler
// class is looked up; a class name here is unlikely to have any effect.
System.setProperty("java.protocol.handler.pkgs", "org.bouncycastle.crypto.tls.TlsClientProtocol");
// https.protocols influences HttpsURLConnection, not the SSLSocket created directly below.
System.setProperty("https.protocols", "TLSv1");
System.setProperty("javax.net.ssl.trustStore", truststorePath);
if( truststorePwd != null && !truststorePwd.trim().equalsIgnoreCase("null") && truststorePwd.trim().length() != 0 ){
System.setProperty("javax.net.ssl.trustStorePassword", truststorePwd.trim());
// Process-wide JSSE debug logging; it stays on after this method returns.
System.setProperty("javax.net.debug", "ssl");
final SSLContext context = SSLContext.getInstance("TLS");
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
// Trust managers from the loaded store; no key managers (no client certificate).
context.init(null, tmf.getTrustManagers(),secureRandom);
// get hold of the real underlying socket factory which is expected to do the real job
final SSLSocketFactory factory = context.getSocketFactory();
// "wrap" it around using our custom SSLSocketFactory so that we have control over the enabled protocols of newly created sockets
// ProtocolOverridingSSLSocketFactory is not part of this listing; presumably it restricts
// the enabled protocols of each created socket to the given array.
final SSLSocketFactory wrappedFactory = new ProtocolOverridingSSLSocketFactory(factory, new String[] {"TLSv1"});
// Hard-coded test endpoint.
byte[] ipAddr = new byte[] { 10, 2, 100, 79 };
SSLSocket socket = (SSLSocket) wrappedFactory.createSocket(java.net.InetAddress.getByAddress(ipAddr), 8443);
// A BouncyCastle TLS client layered on the streams of a JSSE SSLSocket: the first
// write triggers the JSSE handshake, and the BC ClientHello then travels as
// application data inside that session (cf. "WRITE: TLSv1 Application Data" followed
// by close_notify in the first log excerpt on this page).
TlsClientProtocol protocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(),secureRandom);
DefaultTlsClient client = new DefaultTlsClient() {
public TlsAuthentication getAuthentication() throws IOException {
TlsAuthentication auth = new TlsAuthentication() {
// Capture the server certificate information!
// Empty body: the BC layer accepts any server certificate without checking it.
public void notifyServerCertificate(org.bouncycastle.crypto.tls.Certificate serverCertificate) throws IOException {
}
// No client credentials are offered even if the server requests a certificate.
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
}
};
return auth;
}
};
// The stack trace on this page (TrustStore.java:107, TlsClientProtocol.connect) points at this call.
protocol.connect(client);
try {
// getSession() inside printSocketInfo initiates the JSSE handshake if it has not
// happened yet, so startHandshake() below is normally a no-op by then.
printSocketInfo(socket);
socket.startHandshake();
} catch(Exception e){
e.printStackTrace();
System.out.println(e.toString());
}
finally {
// fis was already closed after ks.load(); a second close() on a FileInputStream has no effect.
if (fis != null) {
fis.close();
}
}
System.out.println("https.protocols "+System.getProperty("https.protocols"));
System.out.println("Handler package >> "+System.getProperty("java.protocol.handler.pkgs"));
System.out.println("truststore>> "+System.getProperty("javax.net.ssl.trustStore"));
// Prints the trust-store password in clear text; stdout is captured by the
// application server log (see the excerpts on this page).
System.out.println("truststore password>> "+System.getProperty("javax.net.ssl.trustStorePassword"));
}
}
}catch(Exception e){
// Failures before the inner try (file open, keystore load, provider setup, socket
// creation, BC connect) end here; the caller is not informed.
e.printStackTrace();
}
}
/**
 * Prints addresses, ports, the client-auth flag and the negotiated cipher suite
 * and protocol of {@code s} to stdout.
 *
 * {@code s.getSession()} initiates the TLS handshake if it has not yet been
 * performed, so calling this before the handshake has a side effect.
 *
 * @param s connected SSL socket
 */
private static void printSocketInfo(SSLSocket s) {
System.out.println("Socket class: "+s.getClass());
System.out.println(" Remote address = " +s.getInetAddress().toString());
System.out.println(" Remote port = "+s.getPort());
System.out.println(" Local socket address = " +s.getLocalSocketAddress().toString());
System.out.println(" Local address = " +s.getLocalAddress().toString());
System.out.println(" Local port = "+s.getLocalPort()); System.out.println(" Need client authentication = " +s.getNeedClientAuth());
SSLSession ss = s.getSession();
System.out.println(" Cipher suite = "+ss.getCipherSuite());
System.out.println(" Protocol = "+ss.getProtocol());
}
/**
 * Checks whether a file exists and can be opened.
 * <p>
 * Not referenced anywhere in this listing. The {@code exists()} check followed
 * by the open is a check-then-act race; the {@code FileNotFoundException}
 * handler already covers a missing file. {@code AccessController} is deprecated
 * for removal since Java 17.
 * @param file file to be checked.
 * @return FileInputStream to the file or <CODE>null</CODE> when it could
 * not be opened or didn't exist.
 */
private static FileInputStream getFileInputStream(final File file) {
try {
return AccessController.doPrivileged(
new PrivilegedExceptionAction<FileInputStream>() {
public FileInputStream run() {
try {
if (file.exists()) {
return new FileInputStream(file);
} else {
return null;
}
} catch (FileNotFoundException e) {
return null;
}
}
});
} catch (PrivilegedActionException e) {
// Somehow we cannot run this, hence cannot read the file either...
// run() above declares no checked exception, so this path is not expected to be taken.
return null;
}
}
}
它仍然因 BouncyCastle 握手错误而失败，套接字连接被关闭。请帮忙。
[#|2016-05-10T17:05:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]|#]
[#|2016-05-10T17:05:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorkerThread-8080-4, WRITE: TLSv1 Application Data, length = 114|#]
[#|2016-05-10T17:06:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorkerThread-8080-4, READ: TLSv1 Alert, length = 18|#]
[#|2016-05-10T17:06:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4|#]
[#|2016-05-10T17:06:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|, RECV TLSv1 ALERT: |#]
[#|2016-05-10T17:06:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|warning, |#]
[#|2016-05-10T17:06:59.270+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|close_notify |#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeInternal(false)|#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4|#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|, SEND TLSv1 ALERT: |#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|warning, |#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|description = close_notify|#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, WRITE: TLSv1 Alert, length = 18|#]
[#|2016-05-10T17:06:59.271+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeSocket(selfInitiated)|#]
[#|2016-05-10T17:06:59.275+0800|WARNING|sun-appserver2.1.1|javax.enterprise.system.stream.err|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;_RequestID=c90ab4e4-5d4d-4ccb-802c-ca2050ba0ec8;|java.net.SocketException: Connection closed by remote host
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1372)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:44)
at java.io.OutputStream.write(OutputStream.java:58)
at org.bouncycastle.crypto.tls.RecordStream.writeRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.safeWriteRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.raiseAlert(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.failWithError(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.completeHandshake(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.connect(Unknown Source)
at ml.token.utility.TrustStore.setTruststore(TrustStore.java:107)
at ml.token.utility.Challenge.getChallenge2(Challenge.java:233)
at org.apache.jsp.jsp.process2_jsp._jspService(process2_jsp.java from :1312)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:333)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at com.mibs.XSSfilter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:41)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at com.mibs.servlet.AccessPathCheckFilter.doFilter(AccessPathCheckFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:313)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1093)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:291)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:670)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:601)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:875)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:365)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:285)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:221)
at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:393)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:269)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:111)
and
[#|2016-05-10T17:06:59.691+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, WRITE: TLSv1 Handshake, length = 75|#]
[#|2016-05-10T17:06:59.691+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, WRITE: SSLv2 client hello message, length = 101|#]
[#|2016-05-10T17:06:59.692+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, READ: TLSv1 Alert, length = 2|#]
[#|2016-05-10T17:06:59.692+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4|#]
[#|2016-05-10T17:06:59.692+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|, RECV TLSv1 ALERT: |#]
[#|2016-05-10T17:06:59.692+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|fatal, |#]
[#|2016-05-10T17:06:59.693+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|handshake_failure|#]
[#|2016-05-10T17:06:59.693+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeSocket()|#]
[#|2016-05-10T17:06:59.693+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called close()|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeInternal(true)|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called close()|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeInternal(true)|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called close()|#]
[#|2016-05-10T17:06:59.694+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|httpSSLWorke rThread-8080-4, called closeInternal(true)|#]
[#|2016-05-10T17:06:59.698+0800|INFO|sun-appserver2.1.1|javax.enterprise.system.stream.out|_ThreadID=22;_ThreadName=httpSSLWorkerThread-8080-4;|process2.jsp : challengeKey: [ERROR]com.ctc.wstx.exc.WstxIOException: Received fatal alert: handshake_failure|#]