SSLHandshakeException:握手期间远程主机关闭连接
SSLHandshakeException : Remote host closed connection during handshake
论坛里满是这个问题,但我找不到解决办法。
我尝试连接 WS 但没有成功。
我尝试更新 cacerts 文件但没有效果。
日志是:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1507108654 bytes = { 133, 135, 81, 148, 186, 186, 146, 23, 28, 240, 158, 152, 139, 167, 209, 225, 54, 253, 112, 118, 61, 112, 140, 214, 149, 198, 197, 219 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 75
0000: 01 00 00 47 03 01 5A D5 A7 2E 85 87 51 94 BA BA ...G..Z.....Q...
0010: 92 17 1C F0 9E 98 8B A7 D1 E1 36 FD 70 76 3D 70 ..........6.pv=p
0020: 8C D6 95 C6 C5 DB 00 00 20 00 04 00 05 00 2F 00 ........ ...../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 00 FF 01 00 ...........
http-8080-1, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
0000: 16 03 01 00 4B 01 00 00 47 03 01 5A D5 A7 2E 85 ....K...G..Z....
0010: 87 51 94 BA BA 92 17 1C F0 9E 98 8B A7 D1 E1 36 .Q.............6
0020: FD 70 76 3D 70 8C D6 95 C6 C5 DB 00 00 20 00 04 .pv=p........ ..
0030: 00 05 00 2F 00 33 00 32 00 0A 00 16 00 13 00 09 .../.3.2........
0040: 00 15 00 12 00 03 00 08 00 14 00 11 00 FF 01 00 ................
http-8080-1, received EOFException: error
http-8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8080-1, SEND TLSv1 ALERT: fatal, description = handshake_failure
http-8080-1, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......(
http-8080-1, called closeSocket()
http-8080-1, called close()
http-8080-1, called closeInternal(true)
谢谢你的帮助
很可能服务器已禁用 TLS 1.0(并且您正在谈论 TLS 1.0,如序列字节所示 47 03 01 5A), 或者它正在等待不存在的 SNI 扩展。
关于 Java6,只有 6u111 允许比 TLS 1.0 更好的 (TLS 1.1),而 6u121 将允许 TLS 1.2。看看 Reference. Because of the TLS version intolerance problem, it's still unsufficient, and only a system property will enable it for good, as explained in the Release Notes :
TLS v1.2 is now a TLS protocol option with this release. By default,
TLSv1.0 will remain the default enabled protocol on client sockets.
出于这个原因,尝试了几个系统属性:
-Djdk.tls.client.protocols="TLSv1.2"
(先决条件:6u121 / 7u95)
-Dhttps.protocols="TLSv1.2"
如果您的代码使用 HttpsURLConnection
您的 ClientHello 格式正确,但不包含任何扩展名(尤其是 SNI)。这就是它看起来这么短的原因 (bytes = 80)。默认情况下启用 SNI,从 6u121 开始(如果我是对的)。我看到的两个原因都应该用适当的 Java 版本来解决。
论坛里满是这个问题,但我找不到解决办法。 我尝试连接 WS 但没有成功。 我尝试更新 cacerts 文件但没有效果。
日志是:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1507108654 bytes = { 133, 135, 81, 148, 186, 186, 146, 23, 28, 240, 158, 152, 139, 167, 209, 225, 54, 253, 112, 118, 61, 112, 140, 214, 149, 198, 197, 219 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 75
0000: 01 00 00 47 03 01 5A D5 A7 2E 85 87 51 94 BA BA ...G..Z.....Q...
0010: 92 17 1C F0 9E 98 8B A7 D1 E1 36 FD 70 76 3D 70 ..........6.pv=p
0020: 8C D6 95 C6 C5 DB 00 00 20 00 04 00 05 00 2F 00 ........ ...../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 00 FF 01 00 ...........
http-8080-1, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
0000: 16 03 01 00 4B 01 00 00 47 03 01 5A D5 A7 2E 85 ....K...G..Z....
0010: 87 51 94 BA BA 92 17 1C F0 9E 98 8B A7 D1 E1 36 .Q.............6
0020: FD 70 76 3D 70 8C D6 95 C6 C5 DB 00 00 20 00 04 .pv=p........ ..
0030: 00 05 00 2F 00 33 00 32 00 0A 00 16 00 13 00 09 .../.3.2........
0040: 00 15 00 12 00 03 00 08 00 14 00 11 00 FF 01 00 ................
http-8080-1, received EOFException: error
http-8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8080-1, SEND TLSv1 ALERT: fatal, description = handshake_failure
http-8080-1, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......(
http-8080-1, called closeSocket()
http-8080-1, called close()
http-8080-1, called closeInternal(true)
谢谢你的帮助
很可能服务器已禁用 TLS 1.0(并且您正在谈论 TLS 1.0,如序列字节所示 47 03 01 5A), 或者它正在等待不存在的 SNI 扩展。
关于 Java6,只有 6u111 允许比 TLS 1.0 更好的 (TLS 1.1),而 6u121 将允许 TLS 1.2。看看 Reference. Because of the TLS version intolerance problem, it's still unsufficient, and only a system property will enable it for good, as explained in the Release Notes :
TLS v1.2 is now a TLS protocol option with this release. By default, TLSv1.0 will remain the default enabled protocol on client sockets.
出于这个原因,尝试了几个系统属性:
-Djdk.tls.client.protocols="TLSv1.2"
(先决条件:6u121 / 7u95)-Dhttps.protocols="TLSv1.2"
如果您的代码使用 HttpsURLConnection
您的 ClientHello 格式正确,但不包含任何扩展名(尤其是 SNI)。这就是它看起来这么短的原因 (bytes = 80)。默认情况下启用 SNI,从 6u121 开始(如果我是对的)。我看到的两个原因都应该用适当的 Java 版本来解决。