Unable to connect to Google Cloud APIs with Java 12
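After trying to update to JDK 12, I can no longer connect to Google Cloud APIs because of an SSL handshake error when using the Google Cloud client libraries. This worked fine for me with Java 11, and swapping back to a JDK 11 runtime fixes the problem.
Here is the output of my application when I try to authenticate with gcloud with -Djavax.net.debug=ssl:handshake:verbose set.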
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.438 UTC|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=oauth2.googleapis.com) was replaced with (type=host_name (0), value=oauth2.googleapis.com)
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.445 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ALL|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SignatureScheme.java:358|Ignore disabled signature scheme: rsa_md5
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|INFO|1A|Gax-1|2019-05-15 16:27:19.466 UTC|AlpnExtension.java:161|No available application protocols
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.467 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.483 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.484 UTC|PreSharedKeyExtension.java:633|No session to resume.
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.485 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.494 UTC|ClientHello.java:653|Produced ClientHello handshake message (
[native-api-5bc89d67bc-dfsvq] "ClientHello": {
[native-api-5bc89d67bc-dfsvq] "client version" : "TLSv1.2",
[native-api-5bc89d67bc-dfsvq] "random" : "53 EF 41 BD B0 D5 8A 6F F6 1C 59 19 80 20 A0 A3 29 37 AD 10 C0 3E 7C 4E AD E7 AF 4F F5 C5 35 1E",
[native-api-5bc89d67bc-dfsvq] "session id" : "76 C9 9B 84 D6 9E BB 06 A3 B0 5A C1 08 05 29 9E 80 A7 43 10 9E B1 87 88 5F F1 9B 97 84 12 F6 AE",
[native-api-5bc89d67bc-dfsvq] "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
[native-api-5bc89d67bc-dfsvq] "compression methods" : "00",
[native-api-5bc89d67bc-dfsvq] "extensions" : [
[native-api-5bc89d67bc-dfsvq] "server_name (0)": {
[native-api-5bc89d67bc-dfsvq] type=host_name (0), value=oauth2.googleapis.com
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "status_request (5)": {
[native-api-5bc89d67bc-dfsvq] "certificate status type": ocsp
[native-api-5bc89d67bc-dfsvq] "OCSP status request": {
[native-api-5bc89d67bc-dfsvq] "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq] "request extensions": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "supported_groups (10)": {
[native-api-5bc89d67bc-dfsvq] "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "ec_point_formats (11)": {
[native-api-5bc89d67bc-dfsvq] "formats": [uncompressed]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "signature_algorithms (13)": {
[native-api-5bc89d67bc-dfsvq] "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "signature_algorithms_cert (50)": {
[native-api-5bc89d67bc-dfsvq] "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "status_request_v2 (17)": {
[native-api-5bc89d67bc-dfsvq] "cert status request": {
[native-api-5bc89d67bc-dfsvq] "certificate status type": ocsp_multi
[native-api-5bc89d67bc-dfsvq] "OCSP status request": {
[native-api-5bc89d67bc-dfsvq] "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq] "request extensions": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "extended_master_secret (23)": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "supported_versions (43)": {
[native-api-5bc89d67bc-dfsvq] "versions": [TLSv1.3, TLSv1.2]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "psk_key_exchange_modes (45)": {
[native-api-5bc89d67bc-dfsvq] "ke_modes": [psk_dhe_ke]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "key_share (51)": {
[native-api-5bc89d67bc-dfsvq] "client_shares": [
[native-api-5bc89d67bc-dfsvq] {
[native-api-5bc89d67bc-dfsvq] "named group": ffdhe2048
[native-api-5bc89d67bc-dfsvq] "key_exchange": {
[native-api-5bc89d67bc-dfsvq] .....
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.496 UTC|Alert.java:238|Received alert message (
[native-api-5bc89d67bc-dfsvq] "Alert": {
[native-api-5bc89d67bc-dfsvq] "level" : "fatal",
[native-api-5bc89d67bc-dfsvq] "description": "handshake_failure"
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ERROR|1A|Gax-1|2019-05-15 16:27:19.500 UTC|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
[native-api-5bc89d67bc-dfsvq] "throwable" : {
[native-api-5bc89d67bc-dfsvq] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1356)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1331)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:242)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1040)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:399)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:181)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:167)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.Credentials.blockingGetToCallback(Credentials.java:113)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.Credentials.run(Credentials.java:99)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[native-api-5bc89d67bc-dfsvq] at java.base/java.lang.Thread.run(Thread.java:835)}
[native-api-5bc89d67bc-dfsvq]
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1389|close the underlying socket
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1408|close the SSL connection (initiative)
Some details about my environment:
$ java Ciphers # see https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
Default Cipher
* TLS_AES_128_GCM_SHA256
* TLS_AES_256_GCM_SHA384
* TLS_CHACHA20_POLY1305_SHA256
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
$ java --version
openjdk 12.0.1 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode)
$ java --list-modules
java.base@12.0.1
java.datatransfer@12.0.1
java.desktop@12.0.1
java.instrument@12.0.1
java.logging@12.0.1
java.management@12.0.1
java.naming@12.0.1
java.net.http@12.0.1
java.prefs@12.0.1
java.security.jgss@12.0.1
java.security.sasl@12.0.1
java.sql@12.0.1
java.transaction.xa@12.0.1
java.xml@12.0.1
jdk.management@12.0.1
jdk.unsupported@12.0.1
This is what nmap tells me about the Google Cloud API:
$ nmap -sV --script ssl-enum-ciphers -p 443 oauth2.googleapis.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 17:02 BST
Nmap scan report for oauth2.googleapis.com (216.58.198.170)
Host is up (0.0036s latency).
Other addresses for oauth2.googleapis.com (not scanned): 172.217.169.42 172.217.169.74 216.58.210.202 216.58.206.74 216.58.213.106 216.58.206.138 216.58.212.74 216.58.204.42 216.58.211.170 216.58.204.74
rDNS record for 216.58.198.170: lhr25s10-in-f10.1e100.net
PORT STATE SERVICE VERSION
443/tcp open ssl/https gws
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Date: Wed, 15 May 2019 16:03:08 GMT
| Expires: -1
| Cache-Control: private, max-age=0
| Content-Type: text/html; charset=ISO-8859-1
| P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
| Server: gws
| X-XSS-Protection: 0
| X-Frame-Options: SAMEORIGIN
| Set-Cookie: 1P_JAR=2019-05-15-16; expires=Fri, 14-Jun-2019 16:03:08 GMT; path=/; domain=.google.com
| Set-Cookie: NID=183=YYh48j3880NJp7Imev2IuA6fbZh2XB92x0D3woXT1l1aOhSgvVdNElia3mL7IBtyYDp7cShGyWcN0qcDkXNqKuA2S0cEpm122vmlrifWE0oeur1eeLovYqpvS4typQhxJMKagpV93VHW6avhd4F_5mGJSjaPgCNzhVFlJEdCGfA; expires=Thu, 14-Nov-2019 16:03:08 GMT; path=/; domain=.google.com; HttpOnly
| Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
| Accept-Ranges: none
| Vary: Accept-Encoding
| <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Ty
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: GET, HEAD
| Date: Wed, 15 May 2019 16:03:08 GMT
| Content-Type: text/html; charset=UTF-8
| Server: gws
| Content-Length: 1592
| X-XSS-Protection: 0
| X-Frame-Options: SAMEORIGIN
| Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
| <!DOCTYPE html>
| <html lang=en>
| <meta charset=utf-8>
| <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
| <title>Error 405 (Method Not Allowed)!!1</title>
| <style>
|_ *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:n
| http-server-header:
| ESF
|_ gws
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
The cause was the missing module jdk.crypto.cryptoki.
The runtime I was using was generated like this:
jlink \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http \
--module-path $(find $JAVA_HOME -name lib -type d) \
--output ~/jre
The fix was just to include the jdk.crypto.cryptoki module in the runtime JRE. It's not clear to me why this is required for JDK 12 and not JDK 11 (I do the same thing for both).
jlink \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http,jdk.crypto.cryptoki \
--module-path $(find $JAVA_HOME -name lib -type d) \
--output ~/jre
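A pre-flight check for a jlink-built runtime, added here as an example and not part of the original question or answer. It flags modules missing from `java --list-modules` output and reports whether a `javax.net.debug` ClientHello offers no ECDHE suites and only `ffdhe*` groups, which is what the log above shows while the nmap output lists `ecdh_x25519` for every forward-secret suite. The function names are hypothetical and the sample data is abridged from the output on this page.

```shell
#!/bin/sh
# Added example: sanity checks for a jlink runtime image before deploying it.

# Abridged from the `java --list-modules` output shown on this page.
SAMPLE_MODULES='java.base@12.0.1
java.logging@12.0.1
java.naming@12.0.1
java.net.http@12.0.1
java.security.jgss@12.0.1
jdk.unsupported@12.0.1'

# Abridged from the ClientHello in the debug log shown on this page.
SAMPLE_HELLO='"ClientHello": {
  "client version" : "TLSv1.2",
  "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F)]",
  "supported_groups (10)": {
    "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  },
  "supported_versions (43)": {
    "versions": [TLSv1.3, TLSv1.2]
  }
}'

# Print each module named in "$@" that is absent from the
# `java --list-modules` output read on stdin ("name@version" per line).
missing_modules() {
    present=$(sed 's/@.*//' | tr -d ' \r')
    for want in "$@"; do
        printf '%s\n' "$present" | grep -Fqx "$want" || printf '%s\n' "$want"
    done
}

# Count distinct ECDHE cipher suites offered in the ClientHello (stdin).
offered_ecdhe_suites() {
    grep '"cipher suites"' | grep -o 'TLS_ECDHE_[A-Z0-9_]*' | sort -u | wc -l | tr -d ' '
}

# Print the named groups of the supported_groups extension, one per line.
# The "versions" key also appears under supported_versions, so only the
# line that follows the supported_groups header is used.
offered_groups() {
    awk '/"supported_groups \(10\)"/ { in_ext = 1; next }
         in_ext && /"versions"/ {
             sub(/.*\[/, ""); sub(/\].*/, ""); gsub(/ /, "")
             n = split($0, g, ","); for (i = 1; i <= n; i++) print g[i]
             in_ext = 0
         }'
}

# Exit 0 when the ClientHello on stdin offers no ECDHE suite and no
# non-ffdhe group, 1 when it offers either, 2 when no ClientHello is found.
clienthello_lacks_ec() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q '"ClientHello"' || return 2
    suites=$(printf '%s\n' "$log" | offered_ecdhe_suites)
    non_ffdhe=$(printf '%s\n' "$log" | offered_groups | grep -v '^ffdhe' | wc -l | tr -d ' ')
    [ "$suites" -eq 0 ] && [ "$non_ffdhe" -eq 0 ]
}

printf 'missing modules: %s\n' \
    "$(printf '%s\n' "$SAMPLE_MODULES" | missing_modules jdk.crypto.cryptoki)"
if printf '%s\n' "$SAMPLE_HELLO" | clienthello_lacks_ec; then
    echo 'ClientHello offers no ECDHE suites and only ffdhe groups'
fi
```

Against a real image, pipe `~/jre/bin/java --list-modules` into `missing_modules` and the application's debug log into `clienthello_lacks_ec`.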
尝试更新到 JDK12 后,由于使用 google 云客户端库时出现 SSL 握手错误,我无法连接到 Google 云 API。对于 Java 11,这对我来说效果很好,在 JDK 11 运行时换回可以解决问题。
这是当我尝试使用设置了 -Djavax.net.debug=ssl:handshake:verbose
的 gcloud 进行身份验证时我的应用程序的输出。
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.438 UTC|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=oauth2.googleapis.com) was replaced with (type=host_name (0), value=oauth2.googleapis.com)
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.445 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.450 UTC|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLS12
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ALL|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SignatureScheme.java:358|Ignore disabled signature scheme: rsa_md5
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|INFO|1A|Gax-1|2019-05-15 16:27:19.466 UTC|AlpnExtension.java:161|No available application protocols
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.466 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.467 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.483 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.484 UTC|PreSharedKeyExtension.java:633|No session to resume.
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.485 UTC|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.494 UTC|ClientHello.java:653|Produced ClientHello handshake message (
[native-api-5bc89d67bc-dfsvq] "ClientHello": {
[native-api-5bc89d67bc-dfsvq] "client version" : "TLSv1.2",
[native-api-5bc89d67bc-dfsvq] "random" : "53 EF 41 BD B0 D5 8A 6F F6 1C 59 19 80 20 A0 A3 29 37 AD 10 C0 3E 7C 4E AD E7 AF 4F F5 C5 35 1E",
[native-api-5bc89d67bc-dfsvq] "session id" : "76 C9 9B 84 D6 9E BB 06 A3 B0 5A C1 08 05 29 9E 80 A7 43 10 9E B1 87 88 5F F1 9B 97 84 12 F6 AE",
[native-api-5bc89d67bc-dfsvq] "cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
[native-api-5bc89d67bc-dfsvq] "compression methods" : "00",
[native-api-5bc89d67bc-dfsvq] "extensions" : [
[native-api-5bc89d67bc-dfsvq] "server_name (0)": {
[native-api-5bc89d67bc-dfsvq] type=host_name (0), value=oauth2.googleapis.com
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "status_request (5)": {
[native-api-5bc89d67bc-dfsvq] "certificate status type": ocsp
[native-api-5bc89d67bc-dfsvq] "OCSP status request": {
[native-api-5bc89d67bc-dfsvq] "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq] "request extensions": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "supported_groups (10)": {
[native-api-5bc89d67bc-dfsvq] "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "ec_point_formats (11)": {
[native-api-5bc89d67bc-dfsvq] "formats": [uncompressed]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "signature_algorithms (13)": {
[native-api-5bc89d67bc-dfsvq] "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "signature_algorithms_cert (50)": {
[native-api-5bc89d67bc-dfsvq] "signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "status_request_v2 (17)": {
[native-api-5bc89d67bc-dfsvq] "cert status request": {
[native-api-5bc89d67bc-dfsvq] "certificate status type": ocsp_multi
[native-api-5bc89d67bc-dfsvq] "OCSP status request": {
[native-api-5bc89d67bc-dfsvq] "responder_id": <empty>
[native-api-5bc89d67bc-dfsvq] "request extensions": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "extended_master_secret (23)": {
[native-api-5bc89d67bc-dfsvq] <empty>
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "supported_versions (43)": {
[native-api-5bc89d67bc-dfsvq] "versions": [TLSv1.3, TLSv1.2]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "psk_key_exchange_modes (45)": {
[native-api-5bc89d67bc-dfsvq] "ke_modes": [psk_dhe_ke]
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] "key_share (51)": {
[native-api-5bc89d67bc-dfsvq] "client_shares": [
[native-api-5bc89d67bc-dfsvq] {
[native-api-5bc89d67bc-dfsvq] "named group": ffdhe2048
[native-api-5bc89d67bc-dfsvq] "key_exchange": {
[native-api-5bc89d67bc-dfsvq] .....
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] },
[native-api-5bc89d67bc-dfsvq] ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] ]
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.496 UTC|Alert.java:238|Received alert message (
[native-api-5bc89d67bc-dfsvq] "Alert": {
[native-api-5bc89d67bc-dfsvq] "level" : "fatal",
[native-api-5bc89d67bc-dfsvq] "description": "handshake_failure"
[native-api-5bc89d67bc-dfsvq] }
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|ERROR|1A|Gax-1|2019-05-15 16:27:19.500 UTC|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
[native-api-5bc89d67bc-dfsvq] "throwable" : {
[native-api-5bc89d67bc-dfsvq] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1356)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1331)
[native-api-5bc89d67bc-dfsvq] at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:242)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:113)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84)
[native-api-5bc89d67bc-dfsvq] at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1040)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.ServiceAccountCredentials.refreshAccessToken(ServiceAccountCredentials.java:399)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.OAuth2Credentials.refresh(OAuth2Credentials.java:181)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.oauth2.OAuth2Credentials.getRequestMetadata(OAuth2Credentials.java:167)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.Credentials.blockingGetToCallback(Credentials.java:113)
[native-api-5bc89d67bc-dfsvq] at com.google.auth.Credentials.run(Credentials.java:99)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[native-api-5bc89d67bc-dfsvq] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[native-api-5bc89d67bc-dfsvq] at java.base/java.lang.Thread.run(Thread.java:835)}
[native-api-5bc89d67bc-dfsvq]
[native-api-5bc89d67bc-dfsvq] )
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1389|close the underlying socket
[native-api-5bc89d67bc-dfsvq] javax.net.ssl|DEBUG|1A|Gax-1|2019-05-15 16:27:19.500 UTC|SSLSocketImpl.java:1408|close the SSL connection (initiative)
关于我的环境的一些细节
$ java Ciphers # see https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
Default Cipher
* TLS_AES_128_GCM_SHA256
* TLS_AES_256_GCM_SHA384
* TLS_CHACHA20_POLY1305_SHA256
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
$ java --version
openjdk 12.0.1 2019-04-16
OpenJDK Runtime Environment (build 12.0.1+12)
OpenJDK 64-Bit Server VM (build 12.0.1+12, mixed mode)
$ java --list-modules
java.base@12.0.1
java.datatransfer@12.0.1
java.desktop@12.0.1
java.instrument@12.0.1
java.logging@12.0.1
java.management@12.0.1
java.naming@12.0.1
java.net.http@12.0.1
java.prefs@12.0.1
java.security.jgss@12.0.1
java.security.sasl@12.0.1
java.sql@12.0.1
java.transaction.xa@12.0.1
java.xml@12.0.1
jdk.management@12.0.1
jdk.unsupported@12.0.1
This is what nmap tells me about the Google Cloud APIs:
$ nmap -sV --script ssl-enum-ciphers -p 443 oauth2.googleapis.com
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 17:02 BST
Nmap scan report for oauth2.googleapis.com (216.58.198.170)
Host is up (0.0036s latency).
Other addresses for oauth2.googleapis.com (not scanned): 172.217.169.42 172.217.169.74 216.58.210.202 216.58.206.74 216.58.213.106 216.58.206.138 216.58.212.74 216.58.204.42 216.58.211.170 216.58.204.74
rDNS record for 216.58.198.170: lhr25s10-in-f10.1e100.net
PORT STATE SERVICE VERSION
443/tcp open ssl/https gws
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Date: Wed, 15 May 2019 16:03:08 GMT
| Expires: -1
| Cache-Control: private, max-age=0
| Content-Type: text/html; charset=ISO-8859-1
| P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
| Server: gws
| X-XSS-Protection: 0
| X-Frame-Options: SAMEORIGIN
| Set-Cookie: 1P_JAR=2019-05-15-16; expires=Fri, 14-Jun-2019 16:03:08 GMT; path=/; domain=.google.com
| Set-Cookie: NID=183=YYh48j3880NJp7Imev2IuA6fbZh2XB92x0D3woXT1l1aOhSgvVdNElia3mL7IBtyYDp7cShGyWcN0qcDkXNqKuA2S0cEpm122vmlrifWE0oeur1eeLovYqpvS4typQhxJMKagpV93VHW6avhd4F_5mGJSjaPgCNzhVFlJEdCGfA; expires=Thu, 14-Nov-2019 16:03:08 GMT; path=/; domain=.google.com; HttpOnly
| Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
| Accept-Ranges: none
| Vary: Accept-Encoding
| <!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html; charset=UTF-8" http-equiv="Content-Ty
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: GET, HEAD
| Date: Wed, 15 May 2019 16:03:08 GMT
| Content-Type: text/html; charset=UTF-8
| Server: gws
| Content-Length: 1592
| X-XSS-Protection: 0
| X-Frame-Options: SAMEORIGIN
| Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
| <!DOCTYPE html>
| <html lang=en>
| <meta charset=utf-8>
| <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
| <title>Error 405 (Method Not Allowed)!!1</title>
| <style>
|_ *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:n
| http-server-header:
| ESF
|_ gws
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
The cause was the missing jdk.crypto.cryptoki module.
The runtime I was using was generated like this:
jlink \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http \
--module-path $(find $JAVA_HOME -name lib -type d) \
--output ~/jre
The fix was simply to include the jdk.crypto.cryptoki module in the runtime JRE. It's not clear to me why this is required for JDK 12 and not JDK 11 (I do the same thing for both).
jlink \
--add-modules java.base,java.logging,java.xml,jdk.unsupported,java.sql,java.naming,java.desktop,java.management,java.security.jgss,java.instrument,jdk.management,java.net.http,jdk.crypto.cryptoki \
--module-path $(find $JAVA_HOME -name lib -type d) \
--output ~/jre
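A check that can be run inside each jlinked runtime to see what the two `jlink` invocations above change: it lists the registered security providers with their modules and compares the runtime's enabled cipher suites with the TLSv1.2 suites from the nmap listing. This is an added example, not code from the question or the answer; the class name `TlsRuntimeCheck` and the abridged `SERVER_TLS12` list are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class TlsRuntimeCheck {
    // Assumption: abridged from the TLSv1.2 section of the nmap listing above (GCM/ChaCha20 suites only).
    static final List<String> SERVER_TLS12 = List.of(
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384");

    // "TLS_ECDHE_RSA_WITH_AES_..." -> "ECDHE_RSA"; TLS 1.3 and SCSV names have no "_WITH_" part.
    static String keyExchange(String suite) {
        int i = suite.indexOf("_WITH_");
        return i < 0 ? "(no key exchange in name)" : suite.substring("TLS_".length(), i);
    }

    // Group suite names by their key-exchange family.
    static Map<String, Set<String>> byKeyExchange(Iterable<String> suites) {
        Map<String, Set<String>> groups = new TreeMap<>();
        for (String s : suites) {
            groups.computeIfAbsent(keyExchange(s), k -> new TreeSet<>()).add(s);
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Security providers registered in this runtime:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " (module " + p.getClass().getModule().getName() + ")");
        }
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        Map<String, Set<String>> client = byKeyExchange(Arrays.asList(enabled));
        System.out.println("Enabled key-exchange families: " + client.keySet());

        Set<String> common = new TreeSet<>(SERVER_TLS12);
        common.retainAll(Arrays.asList(enabled));
        System.out.println("Suites shared with the listed server (TLSv1.2): " + common);
        for (String kx : byKeyExchange(SERVER_TLS12).keySet()) {
            if (!client.containsKey(kx)) {
                System.out.println("Server offers " + kx + " suites, but this runtime enables none");
            }
        }
    }
}
```

Compile it with the full JDK's `javac`, then run the class with `~/jre/bin/java` from each of the two runtimes and compare the output.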