2015-12-15 180 views
4

當我嘗試將Java 8應用程序連接到Web服務時,我得到SSLHandshakeException。Java 8,TSL v1和javax.net.ssl.SSLHandshakeException:收到致命警報:handshake_failure

www.ssllabs.com說我TLSv1.1和TSLv1.2不支持web服務。

所以我執行SSLPoke:

java -Djavax.net.debug=all -Djdk.tls.client.protocols="TLSv1" -Dhttps.protocol="TLSv1" SSLPoke ws.seur.com 443 

,我也得到:

*** ClientHello, TLSv1 
RandomCookie: GMT: 1450188882 bytes = { 215, 201, 145, 239, 52, 121, 175, 184, 120, 99, 193, 227, 113, 25, 222, 207, 145, 219, 37, 4, 82, 26, 128, 21, 217, 243, 4, 139 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension server_name, server_name: [type=host_name (0), value=ws.seur.com] 
*** 
[write] MD5 and SHA1 hashes: len = 171 
0000: 01 00 00 A7 03 01 56 70 20 52 D7 C9 91 EF 34 79 ......Vp R....4y 
0010: AF B8 78 63 C1 E3 71 19 DE CF 91 DB 25 04 52 1A ..xc..q.....%.R. 
0020: 80 15 D9 F3 04 8B 00 00 2C C0 0A C0 14 00 35 C0 ........,.....5. 
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../... 
0040: 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 ..3.2........... 
0050: 16 00 13 00 FF 01 00 00 52 00 0A 00 34 00 32 00 ........R...4.2. 
0060: 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09 00 ................ 
0070: 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 ................ 
0080: 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08 00 ................ 
0090: 16 00 0B 00 02 01 00 00 00 00 10 00 0E 00 00 0B ................ 
00A0: 77 73 2E 73 65 75 72 2E 63 6F 6D     ws.seur.com 
main, WRITE: TLSv1 Handshake, length = 171 
[Raw write]: length = 176 
0000: 16 03 01 00 AB 01 00 00 A7 03 01 56 70 20 52 D7 ...........Vp R. 
0010: C9 91 EF 34 79 AF B8 78 63 C1 E3 71 19 DE CF 91 ...4y..xc..q.... 
0020: DB 25 04 52 1A 80 15 D9 F3 04 8B 00 00 2C C0 0A .%.R.........,.. 
0030: C0 14 00 35 C0 05 C0 0F 00 39 00 38 C0 09 C0 13 ...5.....9.8.... 
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A ./.....3.2...... 
0050: C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 52 00 0A .............R.. 
0060: 00 34 00 32 00 17 00 01 00 03 00 13 00 15 00 06 .4.2............ 
0070: 00 07 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D ................ 
0080: 00 0E 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 ................ 
0090: 00 14 00 08 00 16 00 0B 00 02 01 00 00 00 00 10 ................ 
00A0: 00 0E 00 00 0B 77 73 2E 73 65 75 72 2E 63 6F 6D .....ws.seur.com 
[Raw read]: length = 5 
0000: 15 03 01 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1.2 ALERT: fatal, handshake_failure 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) 
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) 
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) 
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) 
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) 
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) 
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138) 
at SSLPoke.main(SSLPoke.java:31) 

爲什麼我得到RECV TLSv1.2工作ALERT:致命的,如果handshake_failure我強迫的TLSv1?

在Java 7上它工作正常,但Java 8不起作用。

+0

確切地說,我不太確定,但我在java 8中遇到了同樣的錯誤。我把java的minor版本降低到25而不是51或60,並且它已經開始工作。 –

+0

[Java SSL SSLHandshakeException handshake \ _failure]可能的重複(http://stackoverflow.com/questions/29048231/java-ssl-sslhandshakeexception-handshake-failure) –

+0

對不起布萊克,但這個問題是不一樣的。它有Http客戶端,閱讀:TLSv1.2警報,長度= 2 Http客戶端,RECV TLSv1.2 ALERT:致命,handshake_failure 而我的問題是,TLS讀取是v1.0,但RECV是1.2 –

回答

3

如用戶1516873的answer所示,客戶端(Java 8u51或更高版本)和服務器(ws.seur.com)不支持通用的密碼套件。默認情況下,客戶端中的Java 8 Update 51 removed support for RC4 ciphers由於RC4被認爲是脆弱且受到威脅。

區:安全庫/ javax.net.ssl中的劇情簡介:禁止RC4加密套件

RC4現在被認爲是一個妥協的密碼。已從Oracle JSSE實施中的客戶端和服務器默認啓用加密套件 列表中刪除了RC4密碼套件 。這些密碼套件仍然可以通過SSLEngine.setEnabledCipherSuites()和 SSLSocket.setEnabledCipherSuites()方法啓用。

請參閱JDK-8077109(非公開)。

雖然最好的行動方式是聯繫WebService提供商並讓他們的TLS配置保持最新,但在發佈說明中介紹了在客戶端啓用RC4的解決方法。但請注意,由於某種原因,對RC4的支持已被刪除,並且通過重新啓用它,您可以將客戶的用戶暴露於較低的安全標準。

3

客戶密碼套件:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  • TLS_RSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  • TLS_RSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
  • TLS_ECDHE _ECDSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV

服務器密碼套件:

  • SSL_CK_RC4_128_EXPORT40_WITH_MD5
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_CK_RC4_128_WITH_MD5
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA

不匹配。即使您手動將協議設置爲TLS 1.0,您也會收到ssl握手錯誤。沒有好的解決方案,服務器已過時並使用舊的不安全協議。如果你絕對需要用java 8連接到這個服務器,我想可以使用BouncyCastle。

+0

您是如何找到服務器支持哪些Cipher套件的?我可以看到客戶端支持Cipher套件,但不支持服務器套件 –

+0

@KevinF www.ssllabs.com – user1516873

相關問題