是什么导致javax.net.ssl.SSLHandshakeException:握手期间远程主机关闭连接

时间:2018-04-21 02:51:56

标签: java ssl ssl-certificate sslhandshakeexception

我在尝试通过API与服务器通信时遇到 javax.net.ssl.SSLHandshakeException

这里的问题非常具体。只有特定的客户机才会发生这种情况。

我正在使用java8。在调用api时,我没有看到api在服务器端被命中,并且在调用api后17分钟看到此异常。为什么要花这么多时间抛出这个例外?有什么东西阻止它被召唤?

然后使用" CURL"通过命令行调用api ..可以看到响应,但不能通过代码看到。我在这里缺少什么?

还有许多其他客户成功使用此服务。为什么我只在特定的客户端计算机上看到此问题?我更新了http jars并检查了机器上的openssl是最新版本,因此它支持TLSv1.1和TLSv1.2。

openssl不是问题,因为在同一台机器上我通过命令行获取响应。所以这意味着没有证书问题,对吧?

我在这里缺少什么?有什么方法可以挖掘这个?

编辑: 使用以下ssl的值启用调试日志后,记录失败

 *** ClientHello, TLSv1.2
RandomCookie:  GMT: 1507603485 bytes = { 46, 25, 233, 155, 229, 192, 23, 113, 70, 0, 128, 243, 228, 234, 162, 74, 80, 65, 193, 20, 103, 234, 209, 36, 211, 97, 196, 245 }
Session ID:  {6, 123, 53, 216, 50, 219, 185, 178, 236, 232, 9, 154, 213, 12, 174, 171, 131, 30, 8, 105, 18, 70, 74, 35, 157, 100, 145, 53, 206, 33, 38, 9}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 225
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1948502716 bytes = { 112, 134, 167, 149, 222, 252, 155, 36, 55, 155, 23, 201, 237, 66, 69, 180, 176, 185, 86, 45, 222, 254, 228, 92, 211, 113, 21, 198 }
Session ID:  {6, 123, 53, 216, 50, 219, 185, 178, 236, 232, 9, 154, 213, 12, 174, 171, 131, 30, 8, 105, 18, 70, 74, 35, 157, 100, 145, 53, 206, 33, 38, 9}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
CONNECTION KEYGEN:
Client Nonce:
0000: 5A DC 34 1D 2E 19 E9 9B   E5 C0 17 71 46 00 80 F3  Z.4........qF...
0010: E4 EA A2 4A 50 41 C1 14   67 EA D1 24 D3 61 C4 F5  ...JPA..g..$.a..
Server Nonce:
0000: 74 24 CB BC 70 86 A7 95   DE FC 9B 24 37 9B 17 C9  t$..p......$7...
0010: ED 42 45 B4 B0 B9 56 2D   DE FE E4 5C D3 71 15 C6  .BE...V-...\.q..
Master Secret:
0000: 9C 71 48 89 F3 C2 47 A4   08 99 E2 90 10 41 A7 B2  .qH...G......A..
0010: B9 AD E4 94 77 42 2A 03   1B 5A 85 43 48 6A E8 F6  ....wB*..Z.CHj..
0020: 19 AC 45 A7 A7 A1 10 31   AF 47 22 EA 06 08 02 D3  ..E....1.G".....
... no MAC keys used for this cipher
Client write key:
0000: 09 29 08 5C 46 74 F3 F4   25 E8 5E BB 58 F9 B2 87  .).\Ft..%.^.X...
Server write key:
0000: AA 0B 79 6C EE D1 5D 5B   95 24 85 38 66 04 36 BB  ..yl..][.$.8f.6.
Client write IV:
0000: DC FA A6 A3                                        ....
Server write IV:
0000: A5 E7 72 C9                                        ..r.
%% Server resumed [Session-5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, READ: TLSv1.2 Handshake, length = 40
Keep-Alive-Timer, called close()
Keep-Alive-Timer, called closeInternal(true)
Keep-Alive-Timer, SEND TLSv1.2 ALERT:  warning, description = close_notify
Keep-Alive-Timer, WRITE: TLSv1.2 Alert, length = 26
Keep-Alive-Timer, called closeSocket(true)
main, received **EOFException**: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
%% Invalidated:  [Session-5, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

另一个发现是我的GET请求在17分钟后得到响应,但我后续的POST请求正在抛出此EOFException。有什么原因吗?

我经历了搜索EOFException的原因,我听到了安全协议的问题,建议添加System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");。在我的情况下,我没有看到安全协议的问题,因为ServerHello和ClientHello与TLSv1.2一起使用。

编辑2:按照@ dave_thompson_085

的建议,运行openssl s_client sess_out和sess_in命令
$ openssl s_client -connect 40.dataloader.IRXXX.XXX.com:443 -sess_out tempfile </dev/null
CONNECTED(00000003)
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Server certificate
-----BEGIN CERTIFICATE-----
...
XXX
XXX
...
-----END CERTIFICATE-----
subject=/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 2318 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 850ECBF2236A86B1267114E6F547CA1B52F30EAB36015E1AFAD5FDE5AFCAEA7A
    Session-ID-ctx: 
    Master-Key: 382EB56038856142D140479A3A936B1112FC117268039093AFD938D3A710774DD0CE8544B15B6C1FAD13C1A7E5B2FB77
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1524422784
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE



$ openssl s_client -connect 40.dataloader.IRXXX.XXX.com:443 -sess_in tempfile
    CONNECTED(00000003)
    depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = US, ST = Massachusetts, L = Waltham, O = XXX, OU = IRXXX, CN = IRXXX.XXX.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    XXX
    XXX
    ...
    -----END CERTIFICATE-----
    subject=/C=US/ST=Massachusetts/L=Waltham/O=XXX/OU=IRXXX/CN=IRXXX.XXX.com
    issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2318 bytes and written 453 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 5DD784DD1BA46EF3251638D4651DB412FC807ECA7CD257CB98C0F1A888859809
        Session-ID-ctx: 
        Master-Key: DC58588177FB5F7192C9972FC705BA070120DB4B1004CA594C1097EDA3DA376E7F8B153BFBFCC1BE557C516E21CCB43D
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1524423133
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

0 个答案:

没有答案