Apple receipt validation: connection reset (Java 8)

Time: 2017-02-27 12:00:48

Tags: java ios security java-8

I am using a Java server to validate Apple payment receipts against the validation server. For valid receipts, roughly 50% of the requests fail with "SocketException: Connection reset" (trying again later succeeds).

I did not see this behaviour on another server deployed on Java 7, but started seeing it once deployed on Java 8.

I saw that the default TLS protocol in Java 8 changed from TLSv1 to TLSv1.2, so I tried changing the default protocol to match Java 7's default, but saw no improvement. This is the JVM property I used:

-Djdk.tls.client.protocols="TLSv1,TLSv1.2,TLSv1.1"

Any ideas why I get the error "SocketException: Connection reset" about half of the time?

Thanks!

[UPDATE]

I managed to get debug and SSL logs for a failing request:

DEBUG [2017-03-02 00:35:37,586]     org.apache.http.impl.conn.PoolingClientConnectionManager: Connection request: [route: {s}->https://buy.itunes.apple.com:443][total kept alive: 1; route allocated: 1 of 50; total allocated: 1 of 2000]
DEBUG [2017-03-02 00:35:37,586] org.apache.http.impl.conn.PoolingClientConnectionManager: Connection leased: [id: 4][route: {s}->https://buy.itunes.apple.com:443][total kept alive: 0; route allocated: 1 of 50; total allocated: 1 of 2000]
DEBUG [2017-03-02 00:35:37,586] org.apache.http.impl.client.DefaultHttpClient: Stale connection check
dw-66 - POST /v1/reqrep, setSoTimeout(1) called
dw-66 - POST /v1/reqrep, handling exception:     java.net.SocketTimeoutException: Read timed out
dw-66 - POST /v1/reqrep, setSoTimeout(15000) called
dw-66 - POST /v1/reqrep, setSoTimeout(15000) called
DEBUG [2017-03-02 00:35:37,590] org.apache.http.client.protocol.RequestAddCookies: CookieSpec selected: ignoreCookies
DEBUG [2017-03-02 00:35:37,590] org.apache.http.client.protocol.RequestAuthCache: Auth cache not set in the context
DEBUG [2017-03-02 00:35:37,590] org.apache.http.client.protocol.RequestTargetAuthentication: Target auth state: UNCHALLENGED
DEBUG [2017-03-02 00:35:37,590] org.apache.http.client.protocol.RequestProxyAuthentication: Proxy auth state: UNCHALLENGED
DEBUG [2017-03-02 00:35:37,590] org.apache.http.impl.client.DefaultHttpClient: Attempt 1 to execute request
DEBUG [2017-03-02 00:35:37,590] org.apache.http.impl.conn.DefaultClientConnection: Sending request: POST /verifyReceipt HTTP/1.1
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "POST /verifyReceipt HTTP/1.1[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "Content-Length: 6839[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "Host: buy.itunes.apple.com[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "Connection: Keep-Alive[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.wire:  >> "[\r][\n]"
DEBUG [2017-03-02 00:35:37,590] org.apache.http.headers: >> POST /verifyReceipt HTTP/1.1
DEBUG [2017-03-02 00:35:37,590] org.apache.http.headers: >> Content-Type: application/x-www-form-urlencoded
DEBUG [2017-03-02 00:35:37,590] org.apache.http.headers: >> Content-Length: 6839
DEBUG [2017-03-02 00:35:37,591] org.apache.http.headers: >> Host: buy.itunes.apple.com
DEBUG [2017-03-02 00:35:37,591] org.apache.http.headers: >> Connection: Keep-Alive
dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Application Data, length = 179
dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Application Data, length = 6863
dw-66 - POST /v1/reqrep, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-505, TLS_RSA_WITH_AES_128_GCM_SHA256]
dw-66 - POST /v1/reqrep, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Alert, length = 26
dw-66 - POST /v1/reqrep, Exception sending alert: java.net.SocketException: Broken pipe
dw-66 - POST /v1/reqrep, called closeSocket()
dw-66 - POST /v1/reqrep, called close()
dw-66 - POST /v1/reqrep, called closeInternal(true)
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.conn.DefaultClientConnection: Connection 0.0.0.0:59028<->17.173.66.179:443 closed
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.client.DefaultHttpClient: Closing the connection.
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.conn.DefaultClientConnection: Connection 0.0.0.0:59028<->17.173.66.179:443 closed
ERROR [2017-03-02 00:35:37,600] com.spaceape.http.client.HttpClient$$anon$1: http retry for it. executionCount=1
! java.net.SocketException: Connection reset
<omitted stack trace>
INFO  [2017-03-02 00:35:37,601] org.apache.http.impl.client.DefaultHttpClient: I/O exception (java.net.SocketException) caught when processing request to {s}->https://buy.itunes.apple.com:443: Connection reset
DEBUG [2017-03-02 00:35:37,603] org.apache.http.impl.client.DefaultHttpClient: Connection reset
! java.net.SocketException: Connection reset
<omitted stack trace>
INFO  [2017-03-02 00:35:37,604] org.apache.http.impl.client.DefaultHttpClient: Retrying request to {s}->https://buy.itunes.apple.com:443
DEBUG [2017-03-02 00:35:37,604] org.apache.http.impl.client.DefaultHttpClient: Reopening the direct connection.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
DEBUG [2017-03-02 00:35:37,609] org.apache.http.impl.conn.DefaultClientConnectionOperator: Connecting to buy.itunes.apple.com:443
dw-66 - POST /v1/reqrep, setSoTimeout(15000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
...

After that, the SSL connection is reopened successfully and the validation goes through. The specific part of the log above where the connection is reset is:

dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Application Data, length = 179
dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Application Data, length = 6863
dw-66 - POST /v1/reqrep, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-505, TLS_RSA_WITH_AES_128_GCM_SHA256]
dw-66 - POST /v1/reqrep, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
dw-66 - POST /v1/reqrep, WRITE: TLSv1.2 Alert, length = 26
dw-66 - POST /v1/reqrep, Exception sending alert: java.net.SocketException: Broken pipe
dw-66 - POST /v1/reqrep, called closeSocket()
dw-66 - POST /v1/reqrep, called close()
dw-66 - POST /v1/reqrep, called closeInternal(true)
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.conn.DefaultClientConnection: Connection 0.0.0.0:59028<->17.173.66.179:443 closed
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.client.DefaultHttpClient: Closing the connection.
DEBUG [2017-03-02 00:35:37,595] org.apache.http.impl.conn.DefaultClientConnection: Connection 0.0.0.0:59028<->17.173.66.179:443 closed

Any help is much appreciated!
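An added example, not code from the question or its author: a defensive Apache HttpClient 4.4+ configuration for this call, assuming (as the log above suggests, with a kept-alive connection leased and then reset on the first write) that the reset hits reused pooled connections. The ReceiptVerifier class and its names are hypothetical; the JSON request body and the retry limit are assumptions.

```java
import java.io.IOException;
import java.net.SocketException;
import java.util.concurrent.TimeUnit;

import org.apache.http.client.HttpRequestRetryHandler;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

// Hypothetical wrapper around the /verifyReceipt call (not the question's HttpClient$$anon$1).
public class ReceiptVerifier {
    private static final String VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt";
    private final CloseableHttpClient client;

    public ReceiptVerifier() {
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
        // A pooled connection idle for more than 1 s is re-validated before reuse, so a
        // connection the far side has already dropped is not handed out for the next POST.
        cm.setValidateAfterInactivity(1000);

        // Retry only on a SocketException such as "Connection reset", at most twice (assumed limit).
        // Replaying a receipt verification is safe: the call only reads receipt state.
        HttpRequestRetryHandler retryOnReset = (IOException ex, int executionCount, HttpContext ctx) ->
                executionCount <= 2 && ex instanceof SocketException;

        client = HttpClients.custom()
                .setConnectionManager(cm)
                // Background eviction of kept-alive connections idle longer than 5 s
                .evictIdleConnections(5L, TimeUnit.SECONDS)
                .setRetryHandler(retryOnReset)
                .build();
    }

    /** Sends the receipt request body to Apple and returns the raw response body. */
    public String verify(String requestBodyJson) throws IOException {
        HttpPost post = new HttpPost(VERIFY_URL);
        post.setEntity(new StringEntity(requestBodyJson, ContentType.APPLICATION_JSON));
        try (CloseableHttpResponse response = client.execute(post)) {
            return EntityUtils.toString(response.getEntity());
        }
    }
}
```

This leaves the JVM's TLS defaults untouched: the -Djdk.tls.client.protocols setting in the question re-enables TLSv1 and TLSv1.1 without addressing a reset that occurs after the TLSv1.2 session is already established.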

1 answer:

Answer 0 (score: 2)

We are currently hitting the same problem. If we run this command from the server about 5-10 times:

openssl s_client -connect buy.itunes.apple.com:443 -tls1_2

it eventually hangs without any response. And the Java SocketException (which we also see in the logs) is probably happening because it hits the timeout. Could one of Apple's validation servers be having problems?