JDK 有效证书上的 11 SSL 错误(适用于以前的版本)
JDK 11 SSL Error on valid certificate (working in previous versions)
以下代码在 JDK11 中抛出错误:
HttpURLConnection con = (HttpURLConnection) new URL("https://sis.redsys.es/sis/realizarPago").openConnection();
con.setRequestMethod("GET");
con.getResponseCode();
错误是:
javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:169)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:860)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:390)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:877)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:810)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:383)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
它在之前的任何 JDK 中都有效(我已经在 7、8、9 和 10 中测试过)。
该证书似乎有效,因为它被浏览器或我在互联网上找到的大多数 SSL 测试所识别。
我试过禁用主机名验证、禁用 cacerts、将 DigiCert 添加到 cacerts 文件,但都没有成功。
这似乎是 openJDK 中的一个错误。在版本 26、27 和 28(候选发布版)中测试。
该问题目前已在 JDK 12 https://bugs.openjdk.java.net/browse/JDK-8209965 中解决,并已包含在 ea-9 中。
向 JDK 11 的反向移植也已解决 https://bugs.openjdk.java.net/browse/JDK-8210005 并包含在
中
- 11.0.3(甲骨文JDK)
- 11.0.2(打开JDK)
可以在此处的评论中找到一些背景知识 https://github.com/openssl/openssl/pull/4463/files
TLS 1.3 adds a scheme for the server to indicate
to the client its list of supported groups in the
EncryptedExtensions message, but none of the relevant
specifications permit sending supported_groups in the ServerHello.
Nonetheless (possibly due to the close proximity to the
"ec_point_formats" extension, which is allowed in the ServerHello),
there are several servers that send this extension in the
ServerHello anyway.
Up to and including the 1.1.0 release,
we did not check for the presence of nonpermitted extensions,
so to avoid a regression, we must permit this extension in the
TLS 1.2 ServerHello as well.
2019 年 1 月 16 日发布的 JDK 11.0.2 已解决
以下代码在 JDK11 中抛出错误:
HttpURLConnection con = (HttpURLConnection) new URL("https://sis.redsys.es/sis/realizarPago").openConnection();
con.setRequestMethod("GET");
con.getResponseCode();
错误是:
javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:169)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:860)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:390)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:877)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:810)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:383)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
它在之前的任何 JDK 中都有效(我已经在 7、8、9 和 10 中测试过)。
该证书似乎有效,因为它被浏览器或我在互联网上找到的大多数 SSL 测试所识别。
我试过禁用主机名验证、禁用 cacerts、将 DigiCert 添加到 cacerts 文件,但都没有成功。
这似乎是 openJDK 中的一个错误。在版本 26、27 和 28(候选发布版)中测试。
该问题目前已在 JDK 12 https://bugs.openjdk.java.net/browse/JDK-8209965 中解决,并已包含在 ea-9 中。
向 JDK 11 的反向移植也已解决 https://bugs.openjdk.java.net/browse/JDK-8210005 并包含在
中- 11.0.3(甲骨文JDK)
- 11.0.2(打开JDK)
可以在此处的评论中找到一些背景知识 https://github.com/openssl/openssl/pull/4463/files
TLS 1.3 adds a scheme for the server to indicate to the client its list of supported groups in the EncryptedExtensions message, but none of the relevant specifications permit sending supported_groups in the ServerHello.
Nonetheless (possibly due to the close proximity to the "ec_point_formats" extension, which is allowed in the ServerHello), there are several servers that send this extension in the ServerHello anyway.
Up to and including the 1.1.0 release, we did not check for the presence of nonpermitted extensions, so to avoid a regression, we must permit this extension in the TLS 1.2 ServerHello as well.
2019 年 1 月 16 日发布的 JDK 11.0.2 已解决