How does removing 3DES_EDE_CBC from java.security file allow HTTPS calls to server with RC4-MD5 cipher?
When calling an https server from Java 8 client code that uses Apache HttpClient, we see the following error.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1002)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at HttpClient.main(HttpClient.java:64)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
... 14 more
We found that the server has the RC4-MD5 cipher, which Java 8 does not support, so this error occurred.
This is the result of running "openssl s_client -tls1 -connect :443" against the target https server.
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
So I edited the jdk.tls.disabledAlgorithms property in the JVM's "java.security" file. I removed the option "3DES_EDE_CBC" from this entry.
Old property value:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC_40, 3DES_EDE_CBC
Edited property value:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC_40
After editing the java.security file, the Java HTTPS call works.
Question: How does removing the "3DES_EDE_CBC" algorithm from the disabled algorithms allow this HTTPS call to work? How can I understand this better? Thanks.
Servers usually support more than one cipher suite. Most likely the server supports at least RC4 and 3DES, so enabling 3DES in your client is enough to find a common cipher.
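The negotiation the answer describes, as an added example that is not part of the original question or answer: a small Python model of how a Java 8 client's offered cipher suites are filtered by jdk.tls.disabledAlgorithms and how the server then picks the first suite in its own preference order that the client offered. The suite lists are constructed. It assumes the server also accepts TLS_RSA_WITH_3DES_EDE_CBC_SHA (the openssl s_client output above only shows the suite that was negotiated, not everything the server accepts) and that the Java 8 client does not offer RC4 suites. The matching of jdk.tls.disabledAlgorithms entries against suite names is a simplification of what the JDK really does.

```python
"""Model of TLS cipher-suite negotiation between a Java 8 client whose offer is
filtered by jdk.tls.disabledAlgorithms and a server that prefers RC4-MD5 but
also accepts 3DES.  Added example; every list below is constructed."""
from __future__ import annotations

from typing import List, Optional

# Constructed server preference list.  Assumption: besides RC4-MD5 (the suite
# openssl s_client reported) the server also accepts 3DES.
SERVER_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",        # "RC4-MD5" in OpenSSL naming
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # "DES-CBC3-SHA" in OpenSSL naming
]

# Constructed Java 8 client offer before filtering.  No RC4 suite is present
# (the post states Java 8 does not support RC4-MD5); the AES suites show that
# the client offering modern suites does not help if the server lacks them.
CLIENT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The two property values from the question.
OLD_DISABLED = ("SSLv3, MD5withRSA, DH keySize < 1024, "
                "EC keySize < 224, DES40_CBC_40, 3DES_EDE_CBC")
NEW_DISABLED = ("SSLv3, MD5withRSA, DH keySize < 1024, "
                "EC keySize < 224, DES40_CBC_40")


def parse_disabled(prop: str) -> List[str]:
    """Split the comma-separated property value into trimmed entries."""
    return [e.strip() for e in prop.split(",") if e.strip()]


def suite_is_disabled(suite: str, entries: List[str]) -> bool:
    """Simplified jdk.tls.disabledAlgorithms matching.

    An entry whose algorithm name appears as a component of the suite name
    disables that suite.  Entries with a keySize constraint (DH, EC) and the
    SSLv3 protocol entry depend on handshake context, not on the suite name,
    so this model skips them."""
    for entry in entries:
        name = entry.split()[0]            # "DH keySize < 1024" -> "DH"
        if "keySize" in entry or name == "SSLv3":
            continue
        if name in suite:
            return True
    return False


def client_offer(disabled_prop: str) -> List[str]:
    """Suites the client puts in its ClientHello after applying the property."""
    entries = parse_disabled(disabled_prop)
    return [s for s in CLIENT_SUITES if not suite_is_disabled(s, entries)]


def negotiate(server_pref: List[str], offered: List[str]) -> Optional[str]:
    """Server-side selection: first suite in the server's own preference order
    that the client offered.  None models the server aborting the handshake,
    which the client sees as 'Remote host closed connection during handshake'."""
    offered_set = set(offered)
    for suite in server_pref:
        if suite in offered_set:
            return suite
    return None


if __name__ == "__main__":
    for label, prop in (("old java.security", OLD_DISABLED),
                        ("edited java.security", NEW_DISABLED)):
        offer = client_offer(prop)
        chosen = negotiate(SERVER_SUITES, offer)
        print(f"{label}: client offers {offer}")
        print(f"  server selects: {chosen or 'nothing -> handshake aborted'}")
```

With the old property value the intersection of the two lists is empty and the server has nothing to select; with 3DES_EDE_CBC removed, TLS_RSA_WITH_3DES_EDE_CBC_SHA is the single common suite, which is the whole reason the call started working. Two things worth checking in practice: `openssl s_client -cipher 3DES -tls1 -connect host:443` confirms whether the real server accepts a 3DES suite at all, and note that re-enabling 3DES in java.security lowers the floor for every TLS connection that JVM makes, not just this one; 3DES is disabled by default because of its 64-bit block size (the Sweet32 attack), so the durable fix is to get a modern cipher suite enabled on the server.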