ClientHello之后SSL握手失败

时间:2020-05-17 07:13:38

标签: ssl tls1.2 sslhandshakeexception openjdk-11

我在客户端使用的是openJdk版本11.28。调用通过https部署的Web服务时,出现握手失败。 Web服务的Nmap命令提供以下结果:

enter image description here

我在我的java中启用了ssl,握手日志记录,该日志记录如下:

15:02:04,638 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp256r1
15:02:04,638 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp384r1
15:02:04,639 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp521r1
15:02:04,639 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect283k1
15:02:04,640 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect283r1
15:02:04,640 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect409k1
15:02:04,641 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect409r1
15:02:04,641 ERROR  javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp256k1
15:02:04,648 ERROR  javax.net.ssl|WARNING|D2|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
15:02:04,648 ERROR  javax.net.ssl|WARNING|D2|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
15:02:04,663 ERROR  javax.net.ssl|INFO|D2|AlpnExtension.java:161|No available application protocols
15:02:04,664 ERROR  javax.net.ssl|DEBUG|D2|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
15:02:04,666 ERROR  javax.net.ssl|DEBUG|D2|SSLExtensions.java:235|Ignore, context unavailable extension: renegotiation_info
15:02:04,668 ERROR  javax.net.ssl|DEBUG|D2|ClientHello.java:633|Produced ClientHello handshake message (
15:02:04,668 ERROR  "ClientHello": {
15:02:04,668 ERROR    "client version"      : "TLSv1.2",
15:02:04,669 ERROR    "random"              : "EE F5 C2 80 02 39 44 E5 C4 0E 65 EC 49 FF D0 38 A1 C7 2F 80 EA 5A F5 43 DC A1 4E C3 CB 42 7E 81",
15:02:04,669 ERROR    "session id"          : "",
15:02:04,669 ERROR    "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
15:02:04,669 ERROR    "compression methods" : "00",
15:02:04,669 ERROR    "extensions"          : [
15:02:04,670 ERROR      "server_name (0)": {
15:02:04,670 ERROR        type=host_name (0), value=mydomain.com
15:02:04,670 ERROR      },
15:02:04,670 ERROR      "status_request (5)": {
15:02:04,670 ERROR        "certificate status type": ocsp
15:02:04,671 ERROR        "OCSP status request": {
15:02:04,671 ERROR          "responder_id": <empty>
15:02:04,671 ERROR          "request extensions": {
15:02:04,671 ERROR            <empty>
15:02:04,671 ERROR          }
15:02:04,672 ERROR        }
15:02:04,672 ERROR      },
15:02:04,672 ERROR      "supported_groups (10)": {
15:02:04,672 ERROR        "versions": [sect571k1, sect571r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
15:02:04,672 ERROR      },
15:02:04,673 ERROR      "ec_point_formats (11)": {
15:02:04,673 ERROR        "formats": [uncompressed]
15:02:04,673 ERROR      },
15:02:04,673 ERROR      "signature_algorithms (13)": {
15:02:04,673 ERROR        "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
15:02:04,674 ERROR      },
15:02:04,674 ERROR      "signature_algorithms_cert (50)": {
15:02:04,674 ERROR        "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
15:02:04,674 ERROR      },
15:02:04,674 ERROR      "status_request_v2 (17)": {
15:02:04,675 ERROR        "cert status request": {
15:02:04,675 ERROR          "certificate status type": ocsp_multi
15:02:04,675 ERROR          "OCSP status request": {
15:02:04,675 ERROR            "responder_id": <empty>
15:02:04,675 ERROR            "request extensions": {
15:02:04,676 ERROR              <empty>
15:02:04,676 ERROR            }
15:02:04,676 ERROR          }
15:02:04,676 ERROR        }
15:02:04,677 ERROR      },
15:02:04,677 ERROR      "extended_master_secret (23)": {
15:02:04,677 ERROR        <empty>
15:02:04,677 ERROR      },
15:02:04,677 ERROR      "supported_versions (43)": {
15:02:04,678 ERROR        "versions": [TLSv1.2]
15:02:04,678 ERROR      }
15:02:04,678 ERROR    ]
15:02:04,678 ERROR  }
15:02:04,678 ERROR  )
15:02:04,693 ERROR  javax.net.ssl|DEBUG|D2|2020-05-16 15:02:04.692|Alert.java:232|Received alert message (
15:02:04,693 ERROR  "Alert": {
15:02:04,693 ERROR    "level"      : "fatal",
15:02:04,693 ERROR    "description": "handshake_failure"
15:02:04,693 ERROR  }
15:02:04,694 ERROR  )
15:02:04,696 ERROR  javax.net.ssl|ERROR|D2|2020-05-16 15:02:04.695| : Received fatal alert: handshake_failure (
15:02:04,696 ERROR  "throwable" : {
15:02:04,696 ERROR    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
15:02:04,696 ERROR      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)

我无法找到握手失败的原因。请帮助确定握手过程中出了什么问题。谢谢。

2 个答案:

答案 0 :(得分:0)

这似乎是Web服务端的密码套件冲突。它不支持在客户端启用的星期二密码。请使用wireshark捕获数据包以获取清晰的图片。

答案 1 :(得分:0)

在我们的分析之后,我们发现问题是我们正在使用的openJdk版本。尽管存在匹配的密码套件,但客户端和服务器之间没有公用的安全组。

以下liink提供了有关同一事物的信息。 https://bugs.openjdk.java.net/browse/JDK-8208698

错误已在版本12中修复,并标记为“ jdk11u-critical-yes”。因此,我们仅更新了JDK即可解决问题。