使用java -version: 1.8.0_171,我正在尝试连接到API网关,但是使用Java 8却遇到SSL握手_失败。已经运行的命令:
keytool -import -alias yan3 -file NBCO_YM_Root.cer -keystore /usr/jdk/jre/lib/security/cacerts
这是我的请求代码。
OkHttpClient client=new OkHttpClient.Builder()
.connectTimeout(90,TimeUnit.SECONDS)
.readTimeout(90,TimeUnit.SECONDS)
.writeTimeout(90,TimeUnit.SECONDS)
.build();
log.info("SupportedCipherSuites is {} and DefaultCipherSuites is {}",
client.sslSocketFactory().getSupportedCipherSuites(),
client.sslSocketFactory().getDefaultCipherSuites()
);
RequestBody requestBody=new RequestBody() {
@Override
public MediaType contentType() {
return MediaType.parse(contentType);
}
@Override
public void writeTo(BufferedSink sink) throws IOException {
sink.writeString(data,Charset.forName("utf-8"));
}
};
Request request=new Request.Builder()
.url(url)
.post(requestBody).build();
Response okResponse=client.newCall(request).execute();
response=okResponse.body().string();
return response;
日志打印[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_C S_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_DH_anon_WITH_AES_256_GCM_SHA384,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_256_CBC_SHA256,TLS_ECDH_anon_WITH_AES_256_CBC_SHA,TLS_DH_anon_WITH_AES_256_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5] 和DefaultCipherSuites是[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_1 28_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
启用-Djavax.net.debug=all后
我得到以下信息:
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value: { 4, 102, 174, 65, 31, 164, 120, 177, 145, 20, 194, 229, 169, 146, 135, 72, 51, 133, 74, 46, 248, 110, 104, 154, 217, 12, 21, 84, 186, 80, 122, 237, 224, 3, 46, 164, 118, 211, 60, 131, 74, 182, 7, 186, 14, 42, 161, 155, 115, 99, 130, 76, 45, 122, 220, 150, 246, 56, 145, 226, 217, 216, 75, 124, 120 }
[write] MD5 and SHA1 hashes: len = 77
0000: 0B 00 00 03 00 00 00 10 00 00 42 41 04 66 AE 41 ..........BA.f.A
0010: 1F A4 78 B1 91 14 C2 E5 A9 92 87 48 33 85 4A 2E ..x........H3.J.
0020: F8 6E 68 9A D9 0C 15 54 BA 50 7A ED E0 03 2E A4 .nh....T.Pz.....
0030: 76 D3 3C 83 4A B6 07 BA 0E 2A A1 9B 73 63 82 4C v.<.J....*..sc.L
0040: 2D 7A DC 96 F6 38 91 E2 D9 D8 4B 7C 78 -z...8....K.x
main, WRITE: TLSv1.2 Handshake, length = 77
[Raw write]: length = 82
0000: 16 03 03 00 4D 0B 00 00 03 00 00 00 10 00 00 42 ....M..........B
0010: 41 04 66 AE 41 1F A4 78 B1 91 14 C2 E5 A9 92 87 A.f.A..x........
0020: 48 33 85 4A 2E F8 6E 68 9A D9 0C 15 54 BA 50 7A H3.J..nh....T.Pz
0030: ED E0 03 2E A4 76 D3 3C 83 4A B6 07 BA 0E 2A A1 .....v.<.J....*.
0040: 9B 73 63 82 4C 2D 7A DC 96 F6 38 91 E2 D9 D8 4B .sc.L-z...8....K
0050: 7C 78 .x
SESSION KEYGEN:
PreMaster Secret:
0000: E7 91 B7 33 39 96 BC A7 64 CA 57 72 F0 F3 3D 55 ...39...d.Wr..=U
0010: 8D 92 46 09 14 EC FE 03 4C D4 5D 78 13 D9 71 F8 ..F.....L.]x..q.
CONNECTION KEYGEN:
Client Nonce:
0000: 5C 24 3A 99 79 97 E9 41 09 92 A2 B7 28 BC CF 49 \$:.y..A....(..I
0010: 51 DE 24 08 91 A0 AE 81 85 1C FC 1C 50 6E A6 D9 Q.$.........Pn..
Server Nonce:
0000: D2 E0 11 21 B8 1A 1A 53 9F 29 F3 FE 5F CD D4 9C ...!...S.).._...
0010: 2D 81 F7 A7 99 9A BB E4 CA B4 21 1A F8 F1 26 66 -.........!...&f
Master Secret:
0000: 25 58 06 E2 09 FA BD 3F 5B 95 A0 DA 71 43 E2 37 %X.....?[...qC.7
0010: C5 49 02 7B 8D 34 08 72 61 5B 09 21 D2 65 56 88 .I...4.ra[.!.eV.
0020: A1 CD 53 AB 70 E0 FA 04 CD 9C A3 97 75 BC 77 92 ..S.p.......u.w.
... no MAC keys used for this cipher
Client write key:
0000: 04 D4 E6 FB DF F9 B5 E3 FC CA AD 34 7E 2D EB D0 ...........4.-..
Server write key:
0000: 92 8C CB AA EA 53 9D 5C D7 30 E4 C5 EC 04 0A C5 .....S.\.0......
Client write IV:
0000: ED BC 50 EC ..P.
Server write IV:
0000: 95 3C 80 3C .<.<
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01 ......
*** Finished
verify_data: { 28, 130, 230, 116, 237, 69, 86, 36, 23, 9, 45, 129 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 1C 82 E6 74 ED 45 56 24 17 09 2D 81 .......t.EV$..-.
Padded plaintext before ENCRYPTION: len = 16
0000: 14 00 00 0C 1C 82 E6 74 ED 45 56 24 17 09 2D 81 .......t.EV$..-.
main, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 01 41 1B ....(.........A.
0010: 44 6C C3 A5 E1 A8 62 11 C6 85 9F 91 BA 8E 96 1D Dl....b.........
0020: D9 30 07 0D 3B 3E B7 C2 84 5B AD E2 A5 .0..;>...[...
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
更新
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Yandex Money Root CA, O=PS Yandex.Money, C=RU>
<CN=Yandex Money Issuing CA, O=PS Yandex.Money, C=RU>
<CN=NBCO YM Root, O=Yandex.Money, L=Moscow, C=RU>
<CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
<CN=GlobalSign Domain Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE>
<CN=thawte DV SSL CA - G2, OU=Domain Validated SSL, O="thawte, Inc.", C=US>
<CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US>
<CN=NBCO YM Int, DC=yamoney, DC=ru>
答案 0 :(得分:0)
从调试输出中可以看出,服务器成功地从客户端提供的密码中选择了一个密码,并且客户端似乎接受了服务器证书。还可以看到握手失败,因为服务器发送了TLS警报。这表明问题是由服务器不喜欢的东西引起的,而不是由客户端不喜欢的东西引起的。
从更新的输出中还可以看出,服务器正在请求客户端证书(CertificateRequest)。但是提供的信息中没有任何内容表明您的密钥库中有客户端证书-仅显示已导入新的根CA。由于服务器的反应(向客户端发送致命警报)恰好是在客户端不提供客户端证书(尽管服务器需要证书)时所期望的响应,因此丢失的客户端证书很可能是造成问题的原因。 / p>