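I have a Java application that tries to connect to a web application over HTTPS. When I run it on my Windows machine everything works fine, but on an AWS Linux machine I get a handshake error. Here are the software versions I am using: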
Windows Java
AWS Linux Java
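My initial guess was that the problem was due to SNI, because of what I have established about the web application I am connecting to. However, when I look at the debug log, I see that on Linux it says: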
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
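This makes me think SNI is being handled properly.
I am beginning to think the root of the problem is that my client and the server cannot agree on a cipher suite, which makes the handshake fail. On Windows I see that TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is being used. I also see that this cipher suite does not appear to be available on Linux.
I am really not sure I fully understand everything that is going on in the debug dump, so I hope someone can confirm my suspicion and suggest how to resolve this completely.
Here is what happens on Linux, where it fails with a handshake exception: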
2016/08/26 22:52:35:882 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:52:35:891 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:52:35:893 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:52:35:907 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:52:35:937 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:52:36:038 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489140 bytes = { 189, 42, 2, 83, 215, 159, 170, 114, 166, 145, 86, 76, 205, 19, 222, 103, 15, 89, 159, 24, 126, 130, 219, 181, 48, 109, 132, 79 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016/08/26 22:52:36:199 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Shutdown connection
2016/08/26 22:52:36:200 EDT [DEBUG] MainClientExec - -Connection discarded
2016/08/26 22:52:36:200 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Close connection
2016/08/26 22:52:36:200 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection released: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Error: Received fatal alert: handshake_failure
Elapsed Time: 356 ms
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager is shutting down
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager shut down
Here is what happens on Windows, where it works:
2016/08/26 22:59:27:224 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:59:27:228 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:59:27:228 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:59:27:258 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:59:27:286 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:59:27:362 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489551 bytes = { 69, 36, 118, 201, 252, 93, 212, 32, 99, 181, 94, 8, 249, 138, 165, 81, 11, 108, 104, 87, 246, 104, 115, 107, 240, 195, 111, 25 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1114532124 bytes = { 84, 54, 245, 62, 187, 242, 188, 165, 192, 49, 29, 203, 96, 228, 212, 99, 190, 50, 149, 219, 193, 146, 98, 47, 55, 155, 153, 148 }
Session ID: {215, 1, 126, 144, 1, 117, 237, 244, 231, 139, 61, 205, 198, 118, 31, 104, 79, 113, 148, 163, 72, 102, 159, 154, 79, 160, 201, 174, 102, 35, 3, 107}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
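Answer 0 (score: 3)
According to the SSLLabs report, the site requires ECDHE ciphers. Your Linux client does not support these ciphers, while your Windows client does.
ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine suggests that this may be an OpenJDK versus Oracle JDK issue.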
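A diagnostic to run with the same JVM as the failing client, to confirm what the Linux log shows (every ECDHE suite reported as unavailable and no elliptic_curves extension in the ClientHello). This is an added example, not code from the question or the answer; the class name `EcdheCheck` and its helper methods are hypothetical.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical diagnostic class (not from the post): run it with the JVM the client uses.
public class EcdheCheck {
    // Keep only the ephemeral-ECDH suites from a JSSE cipher suite list.
    static List<String> ecdheSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith("TLS_ECDHE_")) out.add(s);
        }
        return out;
    }

    // EC suites need EC key generation and ECDH key agreement from an installed JCE provider.
    static boolean ecCryptoAvailable() {
        try {
            KeyPairGenerator.getInstance("EC");
            KeyAgreement.getInstance("ECDH");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }
        System.out.println("EC crypto available: " + ecCryptoAvailable());

        // Suites and protocols a default client socket would offer in its ClientHello.
        SSLParameters enabled = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> ecdhe = ecdheSuites(enabled.getCipherSuites());
        System.out.println("enabled protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("enabled ECDHE suites (" + ecdhe.size() + "):");
        for (String s : ecdhe) System.out.println("  " + s);
        if (ecdhe.isEmpty()) {
            System.out.println("No ECDHE suites enabled: an ECDHE-only server will answer handshake_failure.");
        }
    }
}
```

Running it on both machines and comparing the provider list and the ECDHE count shows whether the Linux JVM lacks an EC-capable provider rather than having the suites disabled by configuration.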