1. 首頁
  2. 問答
  3. 錯誤javax.net.ssl.SSLHandshakeException:收到致命警報:handshake_failure

錯誤javax.net.ssl.SSLHandshakeException:收到致命警報:handshake_failure

2016-06-07 104 views
2

我想打電話給使用Spring RestTemplate POST REST調用:錯誤javax.net.ssl.SSLHandshakeException:收到致命警報:handshake_failure

HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); 

RestTemplate restTemplate = new RestTemplate(requestFactory); 

HttpHeaders headers = new HttpHeaders(); 

headers.setContentType(MediaType.APPLICATION_XML); 

HttpEntity<GetBalanceHistoryRequest> request1 = new  HttpEntity<GetBalanceHistoryRequest>(request, headers); 
String result = restTemplate.postForObject("https://server.com/getBalance", request1, String.class);

https://server.com有一個證書:webapi.tartu-x86.p12 我將證書導入到C:\ Java_8 \ JRE \ lib \ security中\ cacerts中usinf密鑰工具

運行我的代碼後,我收到以下錯誤:

SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder] 
trustStore is: C:\Java_8\jre\lib\security\cacerts 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
    Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US 
    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US 
    Algorithm: RSA; Serial number: 0xc3517 
    Valid from Mon Jun 21 07:00:00 IDT 1999 until Mon Jun 22 07:00:00 IDT 2020 

adding as trusted cert: 
    Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US 
    Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US 
.... 
.... 

** Finished 
verify_data: { 31, 64, 180, 145, 192, 1, 180, 119, 86, 70, 247, 140 } 
*** 
[write] MD5 and SHA1 hashes: len = 16 
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C [email protected] 
Padded plaintext before ENCRYPTION: len = 48 
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C [email protected] 
0010: 3F 56 B1 14 65 F3 18 C6 B3 98 D3 50 65 AC 74 1A ?V..e......Pe.t. 
0020: 48 11 50 C0 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B H.P............. 
main, WRITE: TLSv1 Handshake, length = 48 
[Raw write]: length = 53 
0000: 16 03 01 00 30 B6 A0 43 3D 91 3A C1 F6 34 F5 73 ....0..C=.:..4.s 
0010: 54 A7 1A 46 84 42 1A DC 0D 4D B9 4A C1 3F CB A6 T..F.B...M.J.?.. 
0020: 57 C6 5D DF C4 1D 62 22 92 FB 1F 3E F1 05 0C 5C W.]...b"...>...\ 
0030: 56 9E 9B 02 2D          V...- 
[Raw read]: length = 5 
0000: 15 03 01 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1 ALERT: fatal, handshake_failure 
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received     fatal alert: handshake_failure 
main, called close() 
main, called closeInternal(true)

我正在使用Java 1.8.0_91

任何人都可以在這裏幫忙嗎?

來源

2016-06-07 Yosefarr

回答

1

handshake_failure java的SSL問題的原因通常是這些:

  • 不兼容的密碼套件:客戶端必須使用服務器啓用了加密套件
  • SSL/TLS的不兼容的版本:客戶端必須確保它使用兼容版本。例如,服務器可能會強制在java7中默認未啓用的TLS1.2(您的情況不是這樣)
  • 服務器證書的信任路徑不完整:服務器證書可能不受客戶端信任。通常,修復方法是將服務器證書鏈導入到客戶端信任庫中。
  • 錯誤的服務器配置,如頒發給不同域或證書鏈的證書不完整。在這種情況下的解決方法是在服務器部分

在你的情況似乎已選定的TLSv1時默認使用java8 TLSv1.2工作,所以有可能是服務器沒有更新,最新版本。

我建議調試協議消息ClientHello和ServerHello以觀察套件中選定的協議和密碼。

-Djavax.net.debug=ssl

你也可以檢查SSLLabs

來源

2016-06-10 18:27:46 pedrofb

+0

感謝您的重播,我怎麼能告訴java使用TLSv1? – Yosefarr

+0

默認情況下,java8將使用TLSv1.2,但如果它不可用,它將使用TLSv1.1或TLSv1。如果連接選擇TLSv1,這是因爲服務器不支持TLSv1.2或者沒有共同的密碼 – pedrofb

0

您的服務器的狀態我有同樣的問題,我解決了這個辦法:

1 - 將您的P12文件到Java密鑰存儲文件(.jks擴展名),並在您的項目的資源文件夾:

keytool -importkeystore -srckeystore <pfxfilename.pfx> -srcstoretype pkcs12 -destkeystore <jks-filename.jks> -deststoretype JKS

2 - 實現一個要求在工廠中使用您JKS文件:

RestTemplate restTemplate = new RestTemplate(); 

ClientHttpRequestFactory requestFactory = null; 
try { 
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
    keyStore.load(
      this.getClass().getClassLoader().getResourceAsStream("jks-filename.jks"), //put your .jks file name here. 
      "password".toCharArray()); //the .jks file password. 

    SSLConnectionSocketFactory socketFactory = 
      new SSLConnectionSocketFactory(
        new SSLContextBuilder() 
        .loadTrustMaterial(null, new TrustSelfSignedStrategy()) 
        .loadKeyMaterial(keyStore, "password".toCharArray()).build()); //the .jks file password again... 

    HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build(); 
    requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient); 

} catch (Exception e) { 
    e.printStackTrace(); 
} 

restTemplate.setRequestFactory(requestFactory);

3 - 您可能需要將Apache Httpclient添加到您的項目中。在Gradle項目中,添加:

compile ("org.apache.httpcomponents:httpclient")

準備就緒!

另一種快速的解決方案是剛剛產生的JKS文件,並將文件和密碼作爲JVM參數:

-Djavax.net.ssl.keyStore=/absolute/file/location/java/application/keystore.jks 
-Djavax.net.ssl.keyStorePassword=jkspassword

或將在一個Java類的靜態塊:

System.setProperty("javax.net.ssl.keyStore", "/absolute/file/location/java/application/keystore.jks"); 
System.setProperty("javax.net.ssl.keyStorePassword", "jkspassword");

來源

2016-07-22 22:55:35 ntroccoli

相關問題

 相關問題