1
我在Windows 7系統上使用Oracle Java 8(8u112)和「用於JDK/JRE 8的Java加密擴展(JCE)無限強度管轄策略文件」。爲了提高我對安全套接字的理解,我試圖編寫一個簡單的程序,它在線程上打開服務器套接字,然後連接到此套接字。ECDHE cipher suitess在環回連接上握手失敗?
我想使用TLSv1.2和使用Java keytool生成的證書。我正在使用的代碼(SSLSocketFactoryEx)來自這個問題:Which Cipher Suites to enable for SSL Socket?,但只說明我想使用的密碼(這些都是this Oracle support page也提到了):
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
不幸的是,當我運行我的程序(握手失敗請參閱下面的javax.debug.net = ssl輸出)。如果我添加密碼
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
一切正常。似乎只有DHE_DSS(而不是ECDHE_ *)的密碼才能工作?任何人都知道爲什麼以及如何解決它? JCE已安裝!
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1469871576 bytes = { 114, 27, 128, 235, 21, 129, 252, 118, 108, 93, 245, 56, 159, 145, 94, 197, 161, 8, 37, 124, 4, 8, 58, 189, 102, 164, 83, 249 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 139
server, READ: TLSv1.2 Handshake, length = 139
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1469871576 bytes = { 114, 27, 128, 235, 21, 129, 252, 118, 108, 93, 245, 56, 159, 145, 94, 197, 161, 8, 37, 124, 4, 8, 58, 189, 102, 164, 83, 249 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
server, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
...
相關,請參閱[?哪個密碼套件啓用SSL套接字(https://stackoverflow.com/q/1037590/ 608639) – jww