Question

Ubuntu 14.04.4 LTS（GNU / Linux 3.13.0-91-generic x86_64）

java版＆＃34; 1.8.0_91＆＃34; Java（TM）SE运行时环境（版本1.8.0_91-b14） Java HotSpot（TM）64位服务器VM（版本25.91-b14，混合模式）

Jetty 9.3.8.v2016031连接器配置如下：

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(sslKeystore);
sslContextFactory.setKeyStorePassword(SystemUtils.getEnvOrThrow("SERVER_SSL_PASSWORD"));
sslContextFactory.setKeyManagerPassword(SystemUtils.getEnvOrThrow("SERVER_SSL_KEY_PASSWORD"));

HttpConfiguration https_config = new HttpConfiguration();
https_config.setOutputBufferSize(32768);
https_config.addCustomizer(new SecureRequestCustomizer());

ServerConnector https = new ServerConnector(
    server,
    new SslConnectionFactory(sslContextFactory, "http/1.1"),
    new HttpConnectionFactory(https_config));

https.setPort(Integer.valueOf(SystemUtils.getEnvOrThrow("SERVER_SSL_PORT")));
https.setIdleTimeout(60000);

server.setConnectors(new Connector[] { https });

我可以建立TLSv1.2连接：

curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.2

* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

但是当我尝试TLSv1.0或TLSv1.1时，我得到了这个：

curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.0

* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* Server aborted the SSL handshake

启用和支持的协议列表如下：

Enabled protocol: SSLv2Hello
Enabled protocol: TLSv1
Enabled protocol: TLSv1.1
Enabled protocol: TLSv1.2

Supported protocol: SSLv2Hello
Supported protocol: SSLv3
Supported protocol: TLSv1
Supported protocol: TLSv1.1
Supported protocol: TLSv1.2

而且我不知道问题出在哪里。我有一些客户端不能使用除TLSv1.0以外的任何东西。

更新1 - 添加了sslscan输出

Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
Failed    SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
Failed    SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
Failed    SSLv3  256 bits  SRP-AES-256-CBC-SHA
Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
Rejected  SSLv3  256 bits  AECDH-AES256-SHA
Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ADH-AES256-SHA256
Rejected  SSLv3  256 bits  ADH-AES256-SHA
Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
Failed    SSLv3  256 bits  AES256-GCM-SHA384
Failed    SSLv3  256 bits  AES256-SHA256
Rejected  SSLv3  256 bits  AES256-SHA
Rejected  SSLv3  256 bits  CAMELLIA256-SHA
Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
Failed    SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
Failed    SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
Failed    SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  DES-CBC3-SHA
Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
Failed    SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
Failed    SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
Failed    SSLv3  128 bits  SRP-AES-128-CBC-SHA
Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
Rejected  SSLv3  128 bits  AECDH-AES128-SHA
Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ADH-AES128-SHA256
Rejected  SSLv3  128 bits  ADH-AES128-SHA
Rejected  SSLv3  128 bits  ADH-SEED-SHA
Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
Failed    SSLv3  128 bits  AES128-GCM-SHA256
Failed    SSLv3  128 bits  AES128-SHA256
Rejected  SSLv3  128 bits  AES128-SHA
Rejected  SSLv3  128 bits  SEED-SHA
Rejected  SSLv3  128 bits  CAMELLIA128-SHA
Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
Rejected  SSLv3  128 bits  AECDH-RC4-SHA
Rejected  SSLv3  128 bits  ADH-RC4-MD5
Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
Rejected  SSLv3  128 bits  RC4-SHA
Rejected  SSLv3  128 bits  RC4-MD5
Failed    SSLv3  128 bits  PSK-RC4-SHA
Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
Rejected  SSLv3  56 bits   DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
Rejected  SSLv3  40 bits   EXP-RC4-MD5
Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
Rejected  SSLv3  0 bits    AECDH-NULL-SHA
Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
Failed    SSLv3  0 bits    NULL-SHA256
Rejected  SSLv3  0 bits    NULL-SHA
Rejected  SSLv3  0 bits    NULL-MD5
Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
Failed    TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
Failed    TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
Failed    TLSv1  256 bits  SRP-AES-256-CBC-SHA
Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
Rejected  TLSv1  256 bits  AECDH-AES256-SHA
Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
Failed    TLSv1  256 bits  ADH-AES256-SHA256
Rejected  TLSv1  256 bits  ADH-AES256-SHA
Rejected  TLSv1  256 bits  ADH-CAMELLIA256-SHA
Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
Failed    TLSv1  256 bits  AES256-GCM-SHA384
Failed    TLSv1  256 bits  AES256-SHA256
Rejected  TLSv1  256 bits  AES256-SHA
Rejected  TLSv1  256 bits  CAMELLIA256-SHA
Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
Failed    TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
Failed    TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
Failed    TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
Rejected  TLSv1  168 bits  DES-CBC3-SHA
Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
Failed    TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
Failed    TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
Failed    TLSv1  128 bits  SRP-AES-128-CBC-SHA
Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
Rejected  TLSv1  128 bits  AECDH-AES128-SHA
Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
Failed    TLSv1  128 bits  ADH-AES128-SHA256
Rejected  TLSv1  128 bits  ADH-AES128-SHA
Rejected  TLSv1  128 bits  ADH-SEED-SHA
Rejected  TLSv1  128 bits  ADH-CAMELLIA128-SHA
Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
Failed    TLSv1  128 bits  AES128-GCM-SHA256
Failed    TLSv1  128 bits  AES128-SHA256
Rejected  TLSv1  128 bits  AES128-SHA
Rejected  TLSv1  128 bits  SEED-SHA
Rejected  TLSv1  128 bits  CAMELLIA128-SHA
Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
Rejected  TLSv1  128 bits  AECDH-RC4-SHA
Rejected  TLSv1  128 bits  ADH-RC4-MD5
Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
Rejected  TLSv1  128 bits  RC4-SHA
Rejected  TLSv1  128 bits  RC4-MD5
Failed    TLSv1  128 bits  PSK-RC4-SHA
Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
Rejected  TLSv1  56 bits   DES-CBC-SHA
Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
Rejected  TLSv1  40 bits   EXP-RC4-MD5
Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
Rejected  TLSv1  0 bits    AECDH-NULL-SHA
Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
Failed    TLSv1  0 bits    NULL-SHA256
Rejected  TLSv1  0 bits    NULL-SHA
Rejected  TLSv1  0 bits    NULL-MD5

更新2 - 更详细的卷曲输出

* Hostname was NOT found in DNS cache
*   Trying 123.45.67.890...
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to <hidden_hostname>:443
* Closing connection 0
  curl: (35) Unknown SSL protocol error in connection to <hidden_hostname>:443

Answer 1

TLSv1.0被认为是不安全和易受攻击的。

Jetty（以及某些版本的Java）上的默认配置具有禁用TLS 1.0所需的密码。

以下是您如何在短期内解决问题。

注意：一旦TLS 1.3成为现实，Java支持它，那么即使这个短期修复也是不可能的，因为TLS 1.3计划彻底禁止已知易受攻击的密码出现任何支持级别。

你真的需要尽快升级这些客户端，否则你将被困在旧的Java，旧的码头，甚至旧的操作系统安装上，没有有效的选项来升级其中任何一个。

首先，您的SslContextFactory有一个declared set of exclude ciphers，您需要调整这些排除项，以便尽可能地适应您的环境。

您可以通过重新声明已排除的密码来执行此操作。

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
            "SSL_DHE_DSS_WITH_DES_CBC_SHA",
            "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");

如果这仍然对您没有帮助，那么您可能还有Java级禁用密码。

检查$JAVA_HOME/jre/lib/security/java.security文件中是否有任何禁用的配置＆＃34; ciphers＆＃34;或＆＃34;算法＆＃34; （名称可能因您选择的JVM而异）

Jetty 9.3.8.v20160314拒绝TLSv1和TLSv1.1但不拒绝TLSv1.2连接

1 个答案: