HTTPS 通信失败,jdk 1.6(32 位客户端)与 jdk 1.8(64 位)服务器:阅读:Unknown-3.3 警报,长度 = 2
HTTPS communication failed , jdk 1.6 (32 bit client) with jdk 1.8 (64 bit) server : READ: Unknown-3.3 Alert, length = 2
这是我对Whosebug的第一个问题。我正在尝试两个 tomcat 之间的 HTTPS 通信:
- 客户端Tomcat,使用JDK1.6 32位。
- 服务器 Tomcat,使用 JDK1.8 64 位。
HTTPs 请求的客户端代码:
HttpClient hc = new HttpClient();
hc.startSession(monitAppURL);
int code = hc.executeMethod(poster);
异常我得到:
Received fatal alert: handshake_failure
我通过使用 -Djavax.net.debug=ssl:handshake:verbose
:
启动 JVM 获得了更详细的异常
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: true
Monitoring service @dealy::nap 30::30, setSoTimeout(0) called
Monitoring service @dealy::nap 30::30, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1 RandomCookie: GMT: 1468994533 bytes = { 100, 134, 165, 203, 220, 40, 175, 72, 89, 189, 99, 104, 208, 177, 19, 59, 234, 210, 59, 1, 57, 254, 73, 155, 253, 82, 102, 221 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WIT _AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CB _SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_S A, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_W TH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
*** Monitoring service @dealy::nap 30::30, WRITE: TLSv1 Handshake, length = 75
Monitoring service @dealy::nap 30::30, WRITE: SSLv2 client hello message, length = 101
Monitoring service @dealy::nap 30::30, READ: Unknown-3.3 Alert, length = 2
Monitoring service @dealy::nap 30::30, RECV TLSv1 ALERT: fatal, Handshake_failure
Monitoring service @dealy::nap 30::30, called closeSocket() Monitoring service
@dealy::nap 30::30, handling exception: javax.net.ssl.SSLHan shakeException: Received fatal alert: handshake_failure
我已经用 set JAVA_OPTS="-Dhttps.protocols="TLSv1" -Djdk.tls.client.protocols="TLSv1" -Dcom.sun.net.ssl.checkRevocation=false -Ddeployment.security.TLSv1=true -Djavax.net.debug=ssl:handshake:verbose -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djdk.tls.enableRC4CipherSuites=true -Ddeployment.security.TLSv1=true -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
启动了我的 JVM
但仍然无法解决错误。我已经花了很多时间。请帮我解决这个问题。
我找到了解决问题的方法,
1.What 发生了什么?
Java 6 默认使用 SSlv2Client Hello 消息进行握手,即使它使用的是 TLSv1 protocol.The 握手消息格式是 sslv2Client hello
@dealy::nap 30::30, WRITE: SSLv2 client hello message,length=101
我的服务器正在使用 java 8,出于安全原因禁用了 SSLv3,
jdk.tls.disabledAlgorithms=SSLv3
这导致我的握手消息失败,因为我的客户端正在发送 sslv2Client 问候消息,即使选择了 TLSv1 协议进行通信。它被报告为错误:
https://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache
如果您在 jvm 中禁用 Sslv3,它也会禁用 sslv2Client Hello 消息支持
2.What 我做到了吗?
apache httpClient默认总是采用jvm原有的协议栈进行通信。这就是为什么我的 jvm 参数对 httpclient 不起作用。
因此,我通过添加以下代码覆盖了 httpclient SSL 通信。
SSLContext sslContext = SSLContexts.custom()
.useTLS()
.build();
SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(
sslContext,
new String[]{"TLSv1"},
null,
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpClient hc = HttpClients.custom()
.setSSLSocketFactory(f)
.build();
最后,Apache httpclient 启动了 TLSv1 格式的握手消息进行通信。
我希望这对面临同样问题的人有所帮助,
谢谢。
这是我对Whosebug的第一个问题。我正在尝试两个 tomcat 之间的 HTTPS 通信:
- 客户端Tomcat,使用JDK1.6 32位。
- 服务器 Tomcat,使用 JDK1.8 64 位。
HTTPs 请求的客户端代码:
HttpClient hc = new HttpClient();
hc.startSession(monitAppURL);
int code = hc.executeMethod(poster);
异常我得到:
Received fatal alert: handshake_failure
我通过使用 -Djavax.net.debug=ssl:handshake:verbose
:
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: true
Monitoring service @dealy::nap 30::30, setSoTimeout(0) called
Monitoring service @dealy::nap 30::30, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1 RandomCookie: GMT: 1468994533 bytes = { 100, 134, 165, 203, 220, 40, 175, 72, 89, 189, 99, 104, 208, 177, 19, 59, 234, 210, 59, 1, 57, 254, 73, 155, 253, 82, 102, 221 } Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WIT _AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CB _SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_S A, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_W TH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]Compression Methods: { 0 }
*** Monitoring service @dealy::nap 30::30, WRITE: TLSv1 Handshake, length = 75
Monitoring service @dealy::nap 30::30, WRITE: SSLv2 client hello message, length = 101
Monitoring service @dealy::nap 30::30, READ: Unknown-3.3 Alert, length = 2
Monitoring service @dealy::nap 30::30, RECV TLSv1 ALERT: fatal, Handshake_failure
Monitoring service @dealy::nap 30::30, called closeSocket() Monitoring service
@dealy::nap 30::30, handling exception: javax.net.ssl.SSLHan shakeException: Received fatal alert: handshake_failure
我已经用 set JAVA_OPTS="-Dhttps.protocols="TLSv1" -Djdk.tls.client.protocols="TLSv1" -Dcom.sun.net.ssl.checkRevocation=false -Ddeployment.security.TLSv1=true -Djavax.net.debug=ssl:handshake:verbose -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djdk.tls.enableRC4CipherSuites=true -Ddeployment.security.TLSv1=true -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
但仍然无法解决错误。我已经花了很多时间。请帮我解决这个问题。
我找到了解决问题的方法, 1.What 发生了什么? Java 6 默认使用 SSlv2Client Hello 消息进行握手,即使它使用的是 TLSv1 protocol.The 握手消息格式是 sslv2Client hello
@dealy::nap 30::30, WRITE: SSLv2 client hello message,length=101
我的服务器正在使用 java 8,出于安全原因禁用了 SSLv3,
jdk.tls.disabledAlgorithms=SSLv3
这导致我的握手消息失败,因为我的客户端正在发送 sslv2Client 问候消息,即使选择了 TLSv1 协议进行通信。它被报告为错误:
https://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache
如果您在 jvm 中禁用 Sslv3,它也会禁用 sslv2Client Hello 消息支持
2.What 我做到了吗? apache httpClient默认总是采用jvm原有的协议栈进行通信。这就是为什么我的 jvm 参数对 httpclient 不起作用。
因此,我通过添加以下代码覆盖了 httpclient SSL 通信。
SSLContext sslContext = SSLContexts.custom()
.useTLS()
.build();
SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(
sslContext,
new String[]{"TLSv1"},
null,
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpClient hc = HttpClients.custom()
.setSSLSocketFactory(f)
.build();
最后,Apache httpclient 启动了 TLSv1 格式的握手消息进行通信。
我希望这对面临同样问题的人有所帮助,
谢谢。