您的位置: 首页  >  技术问答  >  Java 8,TSL v1和javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

Java 8,TSL v1和javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

分类: 技术问答 2022-09-22 10:30:03
问题描述:

当我尝试将Java 8应用程序连接到Web服务时,我得到SSLHandshakeException。Java 8,TSL v1和javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

www.ssllabs.com说我TLSv1.1和TSLv1.2不支持web服务。

所以我执行SSLPoke:

java -Djavax.net.debug=all -Djdk.tls.client.protocols="TLSv1" -Dhttps.protocol="TLSv1" SSLPoke ws.seur.com 443

,我也得到:

*** ClientHello, TLSv1 
RandomCookie: GMT: 1450188882 bytes = { 215, 201, 145, 239, 52, 121, 175, 184, 120, 99, 193, 227, 113, 25, 222, 207, 145, 219, 37, 4, 82, 26, 128, 21, 217, 243, 4, 139 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension server_name, server_name: [type=host_name (0), value=ws.seur.com] 
*** 
[write] MD5 and SHA1 hashes: len = 171 
0000: 01 00 00 A7 03 01 56 70 20 52 D7 C9 91 EF 34 79 ......Vp R....4y 
0010: AF B8 78 63 C1 E3 71 19 DE CF 91 DB 25 04 52 1A ..xc..q.....%.R. 
0020: 80 15 D9 F3 04 8B 00 00 2C C0 0A C0 14 00 35 C0 ........,.....5. 
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../... 
0040: 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 ..3.2........... 
0050: 16 00 13 00 FF 01 00 00 52 00 0A 00 34 00 32 00 ........R...4.2. 
0060: 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09 00 ................ 
0070: 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 ................ 
0080: 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08 00 ................ 
0090: 16 00 0B 00 02 01 00 00 00 00 10 00 0E 00 00 0B ................ 
00A0: 77 73 2E 73 65 75 72 2E 63 6F 6D     ws.seur.com 
main, WRITE: TLSv1 Handshake, length = 171 
[Raw write]: length = 176 
0000: 16 03 01 00 AB 01 00 00 A7 03 01 56 70 20 52 D7 ...........Vp R. 
0010: C9 91 EF 34 79 AF B8 78 63 C1 E3 71 19 DE CF 91 ...4y..xc..q.... 
0020: DB 25 04 52 1A 80 15 D9 F3 04 8B 00 00 2C C0 0A .%.R.........,.. 
0030: C0 14 00 35 C0 05 C0 0F 00 39 00 38 C0 09 C0 13 ...5.....9.8.... 
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A ./.....3.2...... 
0050: C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 52 00 0A .............R.. 
0060: 00 34 00 32 00 17 00 01 00 03 00 13 00 15 00 06 .4.2............ 
0070: 00 07 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D ................ 
0080: 00 0E 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 ................ 
0090: 00 14 00 08 00 16 00 0B 00 02 01 00 00 00 00 10 ................ 
00A0: 00 0E 00 00 0B 77 73 2E 73 65 75 72 2E 63 6F 6D .....ws.seur.com 
[Raw read]: length = 5 
0000: 15 03 01 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1.2 ALERT: fatal, handshake_failure 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) 
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) 
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) 
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) 
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) 
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) 
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138) 
at SSLPoke.main(SSLPoke.java:31)

为什么我得到RECV TLSv1.2工作ALERT:致命的,如果handshake_failure我强迫的TLSv1?

在Java 7上它工作正常,但Java 8不起作用。

+0

确切地说,我不太确定,但我在java 8中遇到了同样的错误。我把java的minor版本降低到25而不是51或60,并且它已经开始工作。 –

+0

[Java SSL SSLHandshakeException handshake \ _failure]可能的重复(http://stackoverflow.com/questions/29048231/java-ssl-sslhandshakeexception-handshake-failure) –

+0

对不起布莱克,但这个问题是不一样的。它有Http客户端,阅读:TLSv1.2警报,长度= 2 Http客户端,RECV TLSv1.2 ALERT:致命,handshake_failure 而我的问题是,TLS读取是v1.0,但RECV是1.2 –

如用户1516873的answer所示,客户端(Java 8u51或更高版本)和服务器(ws.seur.com)不支持通用的密码套件。默认情况下,客户端中的Java 8 Update 51 removed support for RC4 ciphers由于RC4被认为是脆弱且受到威胁。

区:安全库/ javax.net.ssl中的剧情简介:禁止RC4加密套件

RC4现在被认为是一个妥协的密码。已从Oracle JSSE实施中的客户端和服务器默认启用加密套件 列表中删除了RC4密码套件 。这些密码套件仍然可以通过SSLEngine.setEnabledCipherSuites()和 SSLSocket.setEnabledCipherSuites()方法启用。

请参阅JDK-8077109(非公开)。

虽然最好的行动方式是联系WebService提供商并让他们的TLS配置保持最新,但在发布说明中介绍了在客户端启用RC4的解决方法。但请注意,由于某种原因,对RC4的支持已被删除,并且通过重新启用它,您可以将客户的用户暴露于较低的安全标准。

客户密码套件:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  • TLS_RSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  • TLS_RSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
  • TLS_ECDHE _ECDSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV

服务器密码套件:

  • SSL_CK_RC4_128_EXPORT40_WITH_MD5
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_CK_RC4_128_WITH_MD5
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

不匹配。即使您手动将协议设置为TLS 1.0,您也会收到ssl握手错误。没有好的解决方案,服务器已过时并使用旧的不安全协议。如果你绝对需要用java 8连接到这个服务器,我想可以使用BouncyCastle。

+0

您是如何找到服务器支持哪些Cipher套件的?我可以看到客户端支持Cipher套件,但不支持服务器套件 –

+0

@KevinF www.ssllabs.com – user1516873

相关推荐