我有一个jboss版本6.3.0.GA,使用java版本1.7.0_71 我的远程服务器更改的同事允许TLS协议从1.1到1.2,现在我必须更新我的客户端(部署在jboss中)。 问题是,在这次改变之后,我收到了:
faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
在ssl调试中,我看到:
5:22:43,921 INFO [stdout] (http-/0.0.0.0:8080-1) *** ClientHello, TLSv1
15:22:43,923 INFO [stdout] (http-/0.0.0.0:8080-1) RandomCookie: GMT: 1467638563 bytes = { 250, 245, 94, 108, 232, 16, 43, 124, 53, 95, 38, 104, 249, 96, 71, 207, 230, 7, 84, 183, 41, 224, 63, 213, 186, 7, 179, 255 }
15:22:43,923 INFO [stdout] (http-/0.0.0.0:8080-1) Session ID: {}
15:22:43,923 INFO [stdout] (http-/0.0.0.0:8080-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
15:22:43,924 INFO [stdout] (http-/0.0.0.0:8080-1) Compression Methods: { 0 }
15:22:43,924 INFO [stdout] (http-/0.0.0.0:8080-1) Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
15:22:43,924 INFO [stdout] (http-/0.0.0.0:8080-1) Extension ec_point_formats, formats: [uncompressed]
15:22:43,925 INFO [stdout] (http-/0.0.0.0:8080-1) Extension server_name, server_name: [host_name: cxg7d.test.centurylink.com]
15:22:43,925 INFO [stdout] (http-/0.0.0.0:8080-1) ***
15:22:43,925 INFO [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, WRITE: TLSv1 Handshake, length = 184
15:22:43,958 INFO [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, READ: TLSv1.2 Alert, length = 2
15:22:43,959 INFO [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, RECV TLSv1 ALERT: fatal, handshake_failure
15:22:43,959 INFO [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, called closeSocket()
15:22:43,960 INFO [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
15:22:43,963 ERROR [stderr] (http-/0.0.0.0:8080-1) AxisFault
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1) faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1) faultSubcode:
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1) faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
即使已经应用了以下更改
1 - 使用以下值更新“standalone.xml”
<system-properties>
<property name="https.protocols" value="TLSv1.2"/>
</system-properties>
2 - 在JAVA选项下面添加到服务器启动:
-Djavax.net.debug=all -Ddeployment.security.TLSv1.2=true -Ddeployment.security.TLSv1.2=true -Ddeployment.security.TLSv1=false -Dhttps.protocols=TLSv1.2
3 - 以图形方式更改了java控制台中的协议 JDK control panel
但没有握手仍然存在。 我想错误是在“Client Hello”上仍然使用TLSv1而不是1.2。 你有任何强迫这个价值的建议吗? S上。
答案 0 :(得分:0)
无法使用属性文件强制使用TLSv1.2 for Java 1.7.0_71。 唯一有效的方法是将以下java代码添加到程序中:
socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});