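I am getting javax.net.ssl.SSLHandshakeException when trying to communicate with a server through an API.
The problem here is very specific. It only happens on a specific client machine.
I am using Java 8. When calling the API, I do not see the API being hit on the server side, and I see this exception 17 minutes after making the call. Why does it take so long to throw this exception? Is something preventing it from being called?
I then called the API from the command line using "CURL" and could see the response, but not through code. What am I missing here?
Many other clients are using this service successfully. Why am I seeing this problem only on a specific client machine? I updated the HTTP jars and checked that openssl on the machine is the latest version, so it supports TLSv1.1 and TLSv1.2.
openssl is not the problem, because on the same machine I get a response through the command line. So that means there is no certificate problem, right?
What am I missing here? Is there any way to dig into this?
Edit: After enabling debug logging with the value ssl, the following failure was logged: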
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1507603485 bytes = { 46, 25, 233, 155, 229, 192, 23, 113, 70, 0, 128, 243, 228, 234, 162, 74, 80, 65, 193, 20, 103, 234, 209, 36, 211, 97, 196, 245 }
Session ID: {6, 123, 53, 216, 50, 219, 185, 178, 236, 232, 9, 154, 213, 12, 174, 171, 131, 30, 8, 105, 18, 70, 74, 35, 157, 100, 145, 53, 206, 33, 38, 9}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 225
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1948502716 bytes = { 112, 134, 167, 149, 222, 252, 155, 36, 55, 155, 23, 201, 237, 66, 69, 180, 176, 185, 86, 45, 222, 254, 228, 92, 211, 113, 21, 198 }
Session ID: {6, 123, 53, 216, 50, 219, 185, 178, 236, 232, 9, 154, 213, 12, 174, 171, 131, 30, 8, 105, 18, 70, 74, 35, 157, 100, 145, 53, 206, 33, 38, 9}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
CONNECTION KEYGEN:
Client Nonce:
0000: 5A DC 34 1D 2E 19 E9 9B E5 C0 17 71 46 00 80 F3 Z.4........qF...
0010: E4 EA A2 4A 50 41 C1 14 67 EA D1 24 D3 61 C4 F5 ...JPA..g..$.a..
Server Nonce:
0000: 74 24 CB BC 70 86 A7 95 DE FC 9B 24 37 9B 17 C9 t$..p......$7...
0010: ED 42 45 B4 B0 B9 56 2D DE FE E4 5C D3 71 15 C6 .BE...V-...\.q..
Master Secret:
0000: 9C 71 48 89 F3 C2 47 A4 08 99 E2 90 10 41 A7 B2 .qH...G......A..
0010: B9 AD E4 94 77 42 2A 03 1B 5A 85 43 48 6A E8 F6 ....wB*..Z.CHj..
0020: 19 AC 45 A7 A7 A1 10 31 AF 47 22 EA 06 08 02 D3 ..E....1.G".....
... no MAC keys used for this cipher
Client write key:
0000: 09 29 08 5C 46 74 F3 F4 25 E8 5E BB 58 F9 B2 87 .).\Ft..%.^.X...
Server write key:
0000: AA 0B 79 6C EE D1 5D 5B 95 24 85 38 66 04 36 BB ..yl..][.$.8f.6.
Client write IV:
0000: DC FA A6 A3 ....
Server write IV:
0000: A5 E7 72 C9 ..r.
%% Server resumed [Session-5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, READ: TLSv1.2 Handshake, length = 40
Keep-Alive-Timer, called close()
Keep-Alive-Timer, called closeInternal(true)
Keep-Alive-Timer, SEND TLSv1.2 ALERT: warning, description = close_notify
Keep-Alive-Timer, WRITE: TLSv1.2 Alert, length = 26
Keep-Alive-Timer, called closeSocket(true)
main, received **EOFException**: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
%% Invalidated: [Session-5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
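Another finding is that my GET request gets a response after 17 minutes, but my subsequent POST request throws this EOFException. Is there any reason for that?
I searched for the causes of EOFException and read about security protocol issues, with the suggestion to add System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");. In my case I do not see a security protocol problem, because both ServerHello and ClientHello use TLSv1.2.
Edit 2: As suggested by @dave_thompson_085, I ran the openssl s_client sess_out and sess_in commands:
$ openssl s_client -connect 40.dataloader.IRXXX.XXX.com:443 -sess_out tempfile </dev/null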
CONNECTED(00000003)
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Server certificate
-----BEGIN CERTIFICATE-----
...
XXX
XXX
...
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 2318 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 850ECBF2236A86B1267114E6F547CA1B52F30EAB36015E1AFAD5FDE5AFCAEA7A
Session-ID-ctx:
Master-Key: 382EB56038856142D140479A3A936B1112FC117268039093AFD938D3A710774DD0CE8544B15B6C1FAD13C1A7E5B2FB77
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1524422784
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
$ openssl s_client -connect 40.dataloader.IRXXX.XXX.com:443 -sess_in tempfile
CONNECTED(00000003)
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Server certificate
-----BEGIN CERTIFICATE-----
...
XXX
XXX
...
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 2318 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 5DD784DD1BA46EF3251638D4651DB412FC807ECA7CD257CB98C0F1A888859809
Session-ID-ctx:
Master-Key: DC58588177FB5F7192C9972FC705BA070120DB4B1004CA594C1097EDA3DA376E7F8B153BFBFCC1BE557C516E21CCB43D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1524423133
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
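Added example, not part of the original post: a small Python parser that reduces javax.net.debug=ssl output like the log quoted above to a handshake timeline (hello versions, chosen suite, resumed session, which thread called close(), alerts, and the exception). The function name `summarize`, the result keys and the sample lines are constructed for illustration, in the shape of the posted log.

```python
import re

# Constructed sample: lines in the shape of the javax.net.debug output
# quoted in the post (not a new capture).
SAMPLE = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
%% Server resumed [Session-5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, READ: TLSv1.2 Handshake, length = 40
Keep-Alive-Timer, called close()
Keep-Alive-Timer, SEND TLSv1.2 ALERT: warning, description = close_notify
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
"""

# One pattern per log line type of interest; all other lines are ignored.
PATTERNS = {
    "hello": re.compile(r"^\*\*\* (ClientHello|ServerHello), (\S+)"),
    "suite": re.compile(r"^Cipher Suite: (\S+)"),
    "resumed": re.compile(r"^%% Server resumed \[([^,]+), (\S+)\]"),
    "close": re.compile(r"^(.+?), called close\(\)"),
    "alert": re.compile(r"^(.+?), (SEND|RECV) \S+ ALERT:\s+(\w+), description = (\w+)"),
    "exception": re.compile(r"^(.+?), handling exception: (\S+): (.*)$"),
}

def summarize(log):
    """Return a timeline summary of one handshake from JSSE debug text."""
    out = {"hello": {}, "suite": None, "resumed": None,
           "closers": [], "alerts": [], "exception": None}
    for line in map(str.strip, log.splitlines()):
        kind, m = next(((k, rx.match(line)) for k, rx in PATTERNS.items()
                        if rx.match(line)), (None, None))
        if kind == "hello":
            out["hello"][m.group(1)] = m.group(2)
        elif kind in ("suite", "resumed"):
            out[kind] = m.group(1)
        elif kind == "close" and out["exception"] is None:
            out["closers"].append(m.group(1))  # close() logged before the failure
        elif kind == "alert":
            out["alerts"].append(m.groups())   # (thread, direction, level, description)
        elif kind == "exception" and out["exception"] is None:
            out["exception"] = m.groups()      # (thread, class, message)
    exc = out["exception"]
    # True when a thread other than the failing one closed the socket first.
    out["closed_by_other_thread"] = bool(exc) and any(t != exc[0] for t in out["closers"])
    return out
```

On the sample, the summary shows a resumed session and a close() logged by the Keep-Alive-Timer thread before the main thread reports the handshake exception, which is the ordering visible in the posted log.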