我嘗試使用https連接到傳統思科IPS服務器。問題是此服務器僅接受某些條件下的握手:是否可以在Java中刪除SSL握手的擴展部分?
版本必須爲TLSv1.0,密碼套件必須爲SSL_RSA_WITH_RC4_128_MD5或SSL_RSA_WITH_RC4_128_SHA,且不得有任何擴展名。
我實現了一個手工製作「的ClientHello」,它發送下面的信息作爲握手(Wireshark的輸出):
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 45
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 41
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 0
Cipher Suites Length: 2
Cipher Suites (1 suite)
Compression Methods Length: 1
Compression Methods (1 method)
服務器發送回服務器問候消息。
現在我想用Java的SSL實現發送,確切地說和ClientHello一樣。下面的代碼:
System.setProperty("https.protocols", "TLSv1");
System.setProperty("javax.net.debug", "ssl:handshake");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("ips-server", 443);
socket.setEnabledProtocols(new String[] {"TLSv1"});
socket.setEnabledCipherSuites(new String[] {"SSL_RSA_WITH_RC4_128_MD5"});
socket.startHandshake();
產生以下握手:
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 52
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 48
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 0
Cipher Suites Length: 2
Cipher Suites (1 suite)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 5
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
這會導致服務器發送回以下包:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
是否有可能使Java 不發送數據包的「擴展」部分?
除非您使用'HttpsURLConnection',否則設置'https.protocols'不起作用。 – EJP