Why does the Java SSL socket connection fail hard if server does not support SSLv3
After our provider disabled SSLv3, our CXF calls against www1.ecall.ch using JDK 7 started failing, and I don't understand why. Setting -Dhttps.protocols=TLSv1 fixed the problem, but I am surprised that this is even necessary.
JDK 7/8 support all of SSLv2Hello(2), SSLv3, TLSv1, TLSv1.1 and TLSv1.2, so I would have expected
- the JVM to try top-down during the handshake, i.e. to start with TLSv1.2 first, and
- the connection to be established even if the server does not support SSLv3.
Here is the relevant part of the SSL debug log before setting -Dhttps.protocols=TLSv1, i.e. with the JVM defaults (I cut off the listing of all the certificates at the beginning):
trigger seeding of SecureRandom
done seeding SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(180000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
%% No cached client session
*** ClientHello, SSLv3
RandomCookie: GMT: 1403944475 bytes = { 12, 68, 193, 229, 85, 79, 86, 211, 209, 34, 251, 218, 184, 7, 51, 93, 180, 144, 114, 70, 105, 252, 31, 61, 151, 188, 165, 177 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: www1.ecall.ch]
***
[write] MD5 and SHA1 hashes: len = 205
0000: 01 00 00 C9 03 00 54 AE 7E 1B 0C 44 C1 E5 55 4F ......T....D..UO
0010: 56 D3 D1 22 FB DA B8 07 33 5D B4 90 72 46 69 FC V.."....3]..rFi.
0020: 1F 3D 97 BC A5 B1 00 00 4C C0 09 C0 13 00 2F C0 .=......L...../.
0030: 04 C0 0E 00 33 00 32 C0 07 C0 11 00 05 C0 02 C0 ....3.2.........
0040: 0C C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 ................
0050: 04 00 FF 00 09 00 15 00 12 00 03 00 08 00 14 00 ................
0060: 11 00 20 00 24 00 1F 00 23 00 1E 00 22 00 28 00 .. .$...#...".(.
0070: 2B 00 26 00 29 01 00 00 54 00 0A 00 34 00 32 00 +.&.)...T...4.2.
0080: 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09 00 ................
0090: 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 ................
00A0: 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08 00 ................
00B0: 16 00 0B 00 02 01 00 00 00 00 12 00 10 00 00 0D ................
00C0: 77 77 77 31 2E 65 63 61 6C 6C 2E 63 68 www1.ecall.ch
main, WRITE: SSLv3 Handshake, length = 205
[write] MD5 and SHA1 hashes: len = 179
0000: 01 03 00 00 8A 00 00 00 20 00 C0 09 06 00 40 00 ........ .....@.
0010: C0 13 00 00 2F 00 C0 04 01 00 80 00 C0 0E 00 00 ..../...........
0020: 33 00 00 32 00 C0 07 05 00 80 00 C0 11 00 00 05 3..2............
0030: 00 C0 02 00 C0 0C 00 C0 08 00 C0 12 00 00 0A 07 ................
0040: 00 C0 00 C0 03 02 00 80 00 C0 0D 00 00 16 00 00 ................
0050: 13 00 00 04 01 00 80 00 00 FF 00 00 09 06 00 40 ...............@
0060: 00 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 ................
0070: 00 14 00 00 11 00 00 20 00 00 24 00 00 1F 00 00 ....... ..$.....
0080: 23 00 00 1E 00 00 22 00 00 28 00 00 2B 00 00 26 #....."..(..+..&
0090: 00 00 29 54 AE 7E 1B 0C 44 C1 E5 55 4F 56 D3 D1 ..)T....D..UOV..
00A0: 22 FB DA B8 07 33 5D B4 90 72 46 69 FC 1F 3D 97 "....3]..rFi..=.
00B0: BC A5 B1 ...
main, WRITE: SSLv2 client hello message, length = 179
[Raw write]: length = 181
0000: 80 B3 01 03 00 00 8A 00 00 00 20 00 C0 09 06 00 .......... .....
0010: 40 00 C0 13 00 00 2F 00 C0 04 01 00 80 00 C0 0E @...../.........
0020: 00 00 33 00 00 32 00 C0 07 05 00 80 00 C0 11 00 ..3..2..........
0030: 00 05 00 C0 02 00 C0 0C 00 C0 08 00 C0 12 00 00 ................
0040: 0A 07 00 C0 00 C0 03 02 00 80 00 C0 0D 00 00 16 ................
0050: 00 00 13 00 00 04 01 00 80 00 00 FF 00 00 09 06 ................
0060: 00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 .@..............
0070: 08 00 00 14 00 00 11 00 00 20 00 00 24 00 00 1F ......... ..$...
0080: 00 00 23 00 00 1E 00 00 22 00 00 28 00 00 2B 00 ..#....."..(..+.
0090: 00 26 00 00 29 54 AE 7E 1B 0C 44 C1 E5 55 4F 56 .&..)T....D..UOV
00A0: D3 D1 22 FB DA B8 07 33 5D B4 90 72 46 69 FC 1F .."....3]..rFi..
00B0: 3D 97 BC A5 B1 =....
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
main, called close()
main, called closeInternal(true)
[...upper part of stacktrace...]
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:196)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at sun.security.ssl.InputRecord.read(InputRecord.java:480)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
[...remaining part of stacktrace...]
If I understand this right, the JVM first tries an SSLv3 Handshake, then an SSLv2 client hello message, and then falls back to TLSv1.
But why does it fail after trying TLSv1, while it still works when I enable TLS as the only supported protocol? Is the server (IIS 8.5) attempting some unconventional handshake that breaks the socket connection?
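The "[Raw write]: length = 181" dump in the log above is the only record the trace shows actually leaving the socket, so it is worth decoding what the client really offered. The following is an added example, not code from the question, from JSSE or from CXF: it parses those 181 bytes (copied from the dump) as a V2-format CLIENT-HELLO, the layout given in RFC 5246 appendix E.2, checks that the record header, body lengths and record length agree, and reports the highest version the client offers, which in this dump is the two bytes 03 00, i.e. SSLv3, along with the cipher-spec list. The class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Decodes the bytes shown under "[Raw write]: length = 181" in the debug log above,
 * i.e. what JSSE actually put on the wire. Added example; not JSSE code.
 */
public class Sslv2ClientHelloDecoder {

    /** Fields of a V2-format CLIENT-HELLO as laid out in RFC 5246, appendix E.2. */
    public static final class ClientHelloV2 {
        public int recordLength;                 // from the 2-byte V2 record header
        public int messageType;                  // 1 = CLIENT-HELLO
        public int versionMajor, versionMinor;   // highest protocol version the client offers
        public final List<byte[]> cipherSpecs = new ArrayList<>(); // 3 bytes each
        public int tlsStyleSpecs;                // 00 xx yy: an SSLv3/TLS cipher suite id
        public int sslv2OnlySpecs;               // non-zero first byte: an SSLv2-only cipher kind
        public byte[] sessionId;
        public byte[] challenge;

        public String versionName() {
            if (versionMajor == 3 && versionMinor == 0) return "SSLv3";
            if (versionMajor == 3 && versionMinor >= 1) return "TLSv1." + (versionMinor - 1);
            return versionMajor + "." + versionMinor;
        }
    }

    // The 181 bytes of the "[Raw write]" dump in the question, copied from the log.
    static final String RAW_WRITE_HEX =
        "80 B3 01 03 00 00 8A 00 00 00 20 00 C0 09 06 00 " +
        "40 00 C0 13 00 00 2F 00 C0 04 01 00 80 00 C0 0E " +
        "00 00 33 00 00 32 00 C0 07 05 00 80 00 C0 11 00 " +
        "00 05 00 C0 02 00 C0 0C 00 C0 08 00 C0 12 00 00 " +
        "0A 07 00 C0 00 C0 03 02 00 80 00 C0 0D 00 00 16 " +
        "00 00 13 00 00 04 01 00 80 00 00 FF 00 00 09 06 " +
        "00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 " +
        "08 00 00 14 00 00 11 00 00 20 00 00 24 00 00 1F " +
        "00 00 23 00 00 1E 00 00 22 00 00 28 00 00 2B 00 " +
        "00 26 00 00 29 54 AE 7E 1B 0C 44 C1 E5 55 4F 56 " +
        "D3 D1 22 FB DA B8 07 33 5D B4 90 72 46 69 FC 1F " +
        "3D 97 BC A5 B1";

    static byte[] hexToBytes(String hex) {
        String[] parts = hex.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = (byte) Integer.parseInt(parts[i], 16);
        return out;
    }

    static int u16(byte[] b, int off) { return ((b[off] & 0xFF) << 8) | (b[off + 1] & 0xFF); }

    public static ClientHelloV2 decode(byte[] rec) {
        ClientHelloV2 h = new ClientHelloV2();
        int b0 = rec[0] & 0xFF;
        if ((b0 & 0x80) == 0) throw new IllegalArgumentException("not a 2-byte V2 record header");
        h.recordLength = ((b0 & 0x7F) << 8) | (rec[1] & 0xFF);      // 0x80 0xB3 -> 179 body bytes
        if (h.recordLength != rec.length - 2) throw new IllegalArgumentException("record length mismatch");
        int p = 2;
        h.messageType = rec[p++] & 0xFF;
        if (h.messageType != 1) throw new IllegalArgumentException("not a CLIENT-HELLO");
        h.versionMajor = rec[p++] & 0xFF;                             // 03 00 = SSLv3 in this dump
        h.versionMinor = rec[p++] & 0xFF;
        int cipherLen = u16(rec, p); p += 2;
        int sessionLen = u16(rec, p); p += 2;
        int challengeLen = u16(rec, p); p += 2;
        if (cipherLen % 3 != 0 || p + cipherLen + sessionLen + challengeLen != rec.length)
            throw new IllegalArgumentException("inconsistent body lengths");
        for (int i = 0; i < cipherLen; i += 3) {
            byte[] spec = Arrays.copyOfRange(rec, p + i, p + i + 3);
            h.cipherSpecs.add(spec);
            if (spec[0] == 0) h.tlsStyleSpecs++; else h.sslv2OnlySpecs++;
        }
        p += cipherLen;
        h.sessionId = Arrays.copyOfRange(rec, p, p + sessionLen); p += sessionLen;
        h.challenge = Arrays.copyOfRange(rec, p, p + challengeLen);
        // Nothing is left over: the V2 layout has no field in which extensions such as SNI could travel.
        return h;
    }

    public static void main(String[] args) {
        ClientHelloV2 h = decode(hexToBytes(RAW_WRITE_HEX));
        System.out.printf("V2 record, %d body bytes; highest offered version %d.%d (%s)%n",
            h.recordLength, h.versionMajor, h.versionMinor, h.versionName());
        System.out.printf("%d cipher specs: %d TLS/SSLv3 suite ids, %d SSLv2-only kinds%n",
            h.cipherSpecs.size(), h.tlsStyleSpecs, h.sslv2OnlySpecs);
        System.out.printf("session id %d bytes, challenge %d bytes, extensions: none possible%n",
            h.sessionId.length, h.challenge.length);
    }
}
```

The 205-byte "SSLv3 Handshake" record that the trace also claims to WRITE has no "[Raw write]" line of its own, so what the server saw was this V2-format hello announcing SSLv3 as its maximum and carrying no server_name extension; a server that has SSLv3 switched off has nothing it can agree to.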
The JVM (more exactly, JSSE) does not try top-down. It follows the RFCs (including the appendix on the SSLv2 ClientHello) and sends one ClientHello stating the highest version it supports; the server may reply with any version less than or equal to that. If the server thinks our highest is too low, it simply rejects the handshake. If the server (for the moment) picks a version we consider too low (or wants to skip ahead, which would be silly), we abort the handshake. The common browser behaviour of "falling back" to lower protocols is what led to POODLE (see the many questions about it).
In this case the javax.net.debug trace that appears is misleading. If SSLv2Hello is enabled (which it is by default in Java 6 but not in Java 7; did you change it somewhere?), JSSE apparently displays and says "WRITE" for both the SSLv3+ (new-format) hello and the SSLv2 (mapped, old-format) hello, but it actually sends only the latter, as (@Steffen) confirmed with openssl s_server.
So it is clear that without the https.protocols change your client is sending an SSLv2-format hello and the server is rejecting it. That is not strictly necessary: it is technically possible to use the SSLv2 format to negotiate TLSv1.0 or even higher, and OpenSSL for example can do so, but it is not a good idea; the SSLv2 protocol has been considered insecure since about 2001 and was formally prohibited by RFC 6176 in 2011, and the SSLv2-format hello can't carry extensions, including the ones that are semi-required for ECC, sigalgs in 1.2 and (as @Steffen noted) SNI, which many web servers today need or want. It is quite possible that the server configuration which disables SSLv3 also has the effect of disabling the SSLv2 format, and I would bet it is better if so.
Also: something in your code (or possibly a library) appears to be enabling all or nearly all supported ciphers. That is a bad idea. Offering single-DES suites that have been insecure for years, export suites that were never secure, and Kerberos suites that are totally useless on the Internet, including Kerberos export suites that are both useless and without any security at all. A decent server won't agree to these, but if you happen to connect to a misconfigured or malicious server you will get an apparently successful connection and not notice that it is insecure unless you monitor very closely.
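One way to apply both of the answer's points in code rather than through -Dhttps.protocols, a property that only governs HttpsURLConnection and does nothing for sockets an application or library opens itself: wrap the JRE's default SSLSocketFactory so that every socket it hands out enables only TLS protocols (no SSLv2Hello pseudo-protocol, no SSLv3) and offers only the cipher suites that survive a deny-list. This is an added example, not JSSE, CXF or the asker's code; the class name, the protocol list and the deny-list fragments are the example's own policy choices.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Wraps the JRE's default SSLSocketFactory and pins every socket it creates to TLS-only
 * protocols and a filtered cipher-suite list. Added example; not JSSE or CXF code.
 */
public final class HardenedSslSocketFactory extends SSLSocketFactory {

    /** TLS versions only: no SSLv2Hello, no SSLv3 (policy choice of this example). */
    static final String[] PREFERRED_PROTOCOLS = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Suite-name fragments marking what we refuse to offer: NULL, anonymous DH/ECDH, export,
     *  single DES, RC4, MD5-MAC and Kerberos suites. "_DES_" does not match "_3DES_". */
    static final String[] DENY_FRAGMENTS = {
        "_NULL_", "_anon_", "_EXPORT", "_DES_", "DES40", "_RC4_", "_MD5", "KRB5"
    };

    private final SSLSocketFactory delegate;

    public HardenedSslSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Keeps JSSE's own preference order and drops only suites matching a deny fragment. */
    static String[] selectCipherSuites(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            boolean denied = false;
            for (String fragment : DENY_FRAGMENTS) {
                if (suite.contains(fragment)) { denied = true; break; }
            }
            if (!denied) kept.add(suite);   // TLS_EMPTY_RENEGOTIATION_INFO_SCSV matches nothing and stays
        }
        return kept.toArray(new String[0]);
    }

    /** Intersects our preferred protocols with what this JRE actually supports. */
    static String[] selectProtocols(String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> kept = new ArrayList<>();
        for (String p : PREFERRED_PROTOCOLS) if (available.contains(p)) kept.add(p);
        if (kept.isEmpty()) throw new IllegalStateException("no TLS protocol available in this JRE");
        return kept.toArray(new String[0]);
    }

    /** Applies the protocol and suite policy before the handshake can start. */
    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledProtocols(selectProtocols(ssl.getSupportedProtocols()));
            ssl.setEnabledCipherSuites(selectCipherSuites(ssl.getSupportedCipherSuites()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return selectCipherSuites(delegate.getDefaultCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return selectCipherSuites(delegate.getSupportedCipherSuites()); }
    @Override public Socket createSocket() throws IOException { return harden(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
        return harden(delegate.createSocket(addr, port, localAddr, localPort));
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory jre = (SSLSocketFactory) SSLSocketFactory.getDefault();
        HardenedSslSocketFactory hardened = new HardenedSslSocketFactory(jre);
        // Every HttpsURLConnection in this JVM now gets TLS-only, filtered sockets.
        HttpsURLConnection.setDefaultSSLSocketFactory(hardened);

        String[] supportedProtocols = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        System.out.println("protocols enabled: " + Arrays.toString(selectProtocols(supportedProtocols)));
        System.out.println("suites supported by JRE: " + jre.getSupportedCipherSuites().length
            + ", offered after filtering: " + hardened.getSupportedCipherSuites().length);
        for (String suite : hardened.getDefaultCipherSuites()) System.out.println("  " + suite);
    }
}
```

Filtering by name fragment rather than by a fixed allow-list means suites a newer JRE adds (GCM, for instance) stay available while anything carrying a denied primitive is dropped regardless of version. Code that reaches JSSE through a library rather than HttpsURLConnection has to be pointed at this factory (or an equivalent SSLContext) through that library's own TLS configuration, which is not shown here.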