2016-10-01 70 views
2

I am using Tomcat 7.065 with APR 1.1.33 on a Linux server with Java 1.7.0_67. javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

My application has been happily connecting to a third-party site over SSL for years. The third party issued a new certificate. The third-party site is: https://its.changehealthcare.com/

I downloaded the .cer file and did a keytool import:

$JAVA_HOME/bin/keytool -import -trustcacerts -keystore cacerts -noprompt -file path\to\certificate.cer 

When I do a keytool list, I get:

Owner: CN=its.changehealthcare.com, OU=COMODO EV SSL, OU=Web Operations, O=Change Healthcare Inc, STREET=3055 Lebanon Pike, L=Nashville, ST=TN, OID.2.5.4.17=37221, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4237148 
    DNSName: its.changehealthcare.com 
    DNSName: www.its.changehealthcare.com 

But I continue to get an SSL handshake error.

My Tomcat SSL configuration looks like this:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="mycert.crt"
           SSLCertificateKeyFile="mykey.key"
           SSLCertificateChainFile="gd_bundle-g2-g1.crt"
           keyAlias="tomcat"
           SSLCipherSuite="ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT:!DHE:!EDH:!ECDH"
           compression="on" compressableMimeType="text/xml"
           SSLHonorCipherOrder="true"
/>

I am at a loss. Any insight is appreciated. Below is the debug output with -Djavax.net.debug=all:

INFO: Server startup in 26519 ms 
keyStore is : 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
trustStore is: /usr/lib/java/jdk1.7.0_67/jre/lib/security/cacerts 
trustStore type is : jks 
trustStore provider is : 
init truststore 


adding as trusted cert: 
    Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH 
    Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH 
    Algorithm: RSA; Serial number: 0x4eb200670c035d4f 
    Valid from Wed Oct 25 03:36:00 CDT 2006 until Sat Oct 25 03:36:00 CDT 2036 

****THERE ARE LIKE 20 of these but I couldn't fit them inside the character limit so just the first and last are shown****
adding as trusted cert: ...
****THERE ARE LIKE 30 of these but I couldn't fit them inside the character limit so just the first and last are shown****

adding as trusted cert: 
    Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE 
    Issuer: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE 
    Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b 
    Valid from Thu Jan 12 08:38:43 CST 2006 until Wed Dec 31 16:59:59 CST 2025 

trigger seeding of SecureRandom 
done seeding SecureRandom 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
http-apr-8443-exec-1, setSoTimeout(25000) called 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1458500800 bytes = { 168, 201, 205, 79, 149, 19, 79, 199, 46, 252, 11, 245, 12, 118, 202, 82, 232, 228, 105, 152, 123, 244, 31, 152, 229, 163, 180, 208 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension server_name, server_name: [host_name: its.changehealthcare.com] 
*** 
[write] MD5 and SHA1 hashes: len = 196 
0000: 01 00 00 C0 03 01 57 EF F5 C0 A8 C9 CD 4F 95 13 ......W......O.. 
0010: 4F C7 2E FC 0B F5 0C 76 CA 52 E8 E4 69 98 7B F4 O......v.R..i... 
0020: 1F 98 E5 A3 B4 D0 00 00 38 C0 0A C0 14 00 35 C0 ........8.....5. 
0030: 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 ....9.8...../... 
0040: 0E 00 33 00 32 C0 07 C0 11 00 05 C0 02 C0 0C C0 ..3.2........... 
0050: 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 04 00 ................ 
0060: FF 01 00 00 5F 00 0A 00 34 00 32 00 17 00 01 00 ...._...4.2..... 
0070: 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 18 00 ................ 
0080: 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 11 00 ................ 
0090: 02 00 12 00 04 00 05 00 14 00 08 00 16 00 0B 00 ................ 
00A0: 02 01 00 00 00 00 1D 00 1B 00 00 18 69 74 73 2E ............its. 
00B0: 63 68 61 6E 67 65 68 65 61 6C 74 68 63 61 72 65 changehealthcare 
00C0: 2E 63 6F 6D          .com 
http-apr-8443-exec-1, WRITE: TLSv1 Handshake, length = 196 
[Raw write]: length = 201 
0000: 16 03 01 00 C4 01 00 00 C0 03 01 57 EF F5 C0 A8 ...........W.... 
0010: C9 CD 4F 95 13 4F C7 2E FC 0B F5 0C 76 CA 52 E8 ..O..O......v.R. 
0020: E4 69 98 7B F4 1F 98 E5 A3 B4 D0 00 00 38 C0 0A .i...........8.. 
0030: C0 14 00 35 C0 05 C0 0F 00 39 00 38 C0 09 C0 13 ...5.....9.8.... 
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 07 C0 11 00 05 ./.....3.2...... 
0050: C0 02 C0 0C C0 08 C0 12 00 0A C0 03 C0 0D 00 16 ................ 
0060: 00 13 00 04 00 FF 01 00 00 5F 00 0A 00 34 00 32 ........._...4.2 
0070: 00 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09 ................ 
0080: 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F ................ 
0090: 00 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08 ................ 
00A0: 00 16 00 0B 00 02 01 00 00 00 00 1D 00 1B 00 00 ................ 
00B0: 18 69 74 73 2E 63 68 61 6E 67 65 68 65 61 6C 74 .its.changehealt 
00C0: 68 63 61 72 65 2E 63 6F 6D      hcare.com 
[Raw read]: length = 5 
0000: 15 03 01 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
http-apr-8443-exec-1, READ: TLSv1 Alert, length = 2 
http-apr-8443-exec-1, RECV TLSv1 ALERT: fatal, handshake_failure 
http-apr-8443-exec-1, called closeSocket() 
http-apr-8443-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
http-apr-8443-exec-1, called close() 
http-apr-8443-exec-1, called closeInternal(true) 
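As an added example (not part of the question or the answer), the following decoder reads the record-layer bytes from the dump above: the ClientHello record header plus the start of its handshake body, and the two raw reads that together form the server's alert. The byte arrays are copied from the dump; the class and method names are the example's own.

```java
// Added example, not from the question: decode the TLS record bytes in the debug dump above.
public class TlsRecordDecoder {
    // Copied from the dump: record header + first 6 handshake bytes of the ClientHello,
    // and the two raw reads (5 bytes, then 2 bytes) that carry the server's alert.
    static final byte[] CLIENT_HELLO = {0x16, 0x03, 0x01, 0x00, (byte) 0xC4, 0x01, 0x00, 0x00, (byte) 0xC0, 0x03, 0x01};
    static final byte[] ALERT = {0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28};

    static int u8(byte b) { return b & 0xFF; }

    static String contentType(int t) {
        switch (t) {
            case 0x14: return "change_cipher_spec";
            case 0x15: return "alert";
            case 0x16: return "handshake";
            case 0x17: return "application_data";
            default:   return "unknown(" + t + ")";
        }
    }

    // Version bytes: 3,0 = SSLv3, 3,1 = TLS 1.0, 3,2 = TLS 1.1, 3,3 = TLS 1.2
    static String version(int major, int minor) {
        if (major != 3 || minor > 3) return "unknown(" + major + "," + minor + ")";
        return minor == 0 ? "SSLv3" : "TLS 1." + (minor - 1);
    }

    // Record header: type(1) version(2) length(2)
    static String describeRecord(byte[] r) {
        int len = (u8(r[3]) << 8) | u8(r[4]);
        return contentType(u8(r[0])) + " record, " + version(u8(r[1]), u8(r[2])) + ", " + len + " bytes";
    }

    // Handshake body starts at offset 5: msg_type(1)=1 for ClientHello, length(3), client_version(2)
    static String describeClientHello(byte[] r) {
        if (u8(r[5]) != 1) return "not a ClientHello";
        int len = (u8(r[6]) << 16) | (u8(r[7]) << 8) | u8(r[8]);
        return "ClientHello, " + len + " bytes, offers client_version " + version(u8(r[9]), u8(r[10]));
    }

    // Alert body at offset 5: level(1) description(1); level 2 = fatal, description 40 = handshake_failure
    static String describeAlert(byte[] r) {
        String level = u8(r[5]) == 1 ? "warning" : u8(r[5]) == 2 ? "fatal" : "unknown";
        String desc = u8(r[6]) == 40 ? "handshake_failure" : "description " + u8(r[6]);
        return level + " " + desc;
    }

    public static void main(String[] args) {
        System.out.println(describeRecord(CLIENT_HELLO));
        System.out.println(describeClientHello(CLIENT_HELLO));
        System.out.println(describeRecord(ALERT));
        System.out.println(describeAlert(ALERT));
    }
}
```

The decoded client_version is the detail to look at: a server that only accepts TLS 1.2 answers a TLS 1.0 ClientHello with exactly this fatal handshake_failure, before any certificate is exchanged.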

Answer

3

I downloaded the .cer file and did a keytool import... but I continue to get an SSL handshake error.

A handshake failure sent by the server has nothing to do with the client's validation of the server certificate. Therefore, trusting the new certificate does not help with this error.

*** ClientHello, TLSv1

Your client only sends a TLS 1.0 request, while according to SSLLabs the server can only do TLS 1.2.

It does not matter in this case that you have configured TLS 1.2 for the Tomcat server, because the problem is that your TLS client cannot connect to the third-party server. For an example of how to configure Java 7 to use TLS 1.2 on the client side, see Enabled TLS 1.2 and TLS 1.1 on Java 7.

+0

Thanks for your help. This solved my problem. Though I am wondering whether you can set this property at a more granular level, like on HttpURLConnection – springcorn

+0

@springcorn I am not familiar enough with Java to answer that. –

+0

Thank you very much for your help! – springcorn
