Java 1.6_u45 + BouncyCastle + TLS1.2 抛出 handshake_failure(40)(notifySecureRenegotiation)
Java 1.6_u45 + BouncyCastle + TLS1.2 throws handshake_failure(40) (notifySecureRenegotiation)
我的情况已经接近Another post here
我在使用 JDK1。6_u45 尝试使用 BouncyCastle 连接到 TLS1.2 上的 https 端点。
我已将端点 public 密钥证书添加到 jre/lib/security
下的 cacerts
但是我得到的错误遵循不同的堆栈跟踪,如下所示:
Exception in thread "Main Thread" org.bouncycastle.crypto.tls.TlsFatalAlert: handshake_failure(40)
at org.bouncycastle.crypto.tls.AbstractTlsPeer.notifySecureRenegotiation(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.receiveServerHelloMessage(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.crypto.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.connect(Unknown Source)
at TLSSocketConnectionFactory.startHandshake(TLSSocketConnectionFactory.java:498)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:134)
at CopyOfTest.getResponseJsonString(CopyOfTest.java:40)
at CopyOfTest.main(CopyOfTest.java:15)
BouncyCastle TLSSocketConnectionFactory 与本link中提供的相同,所以这里不再post。 (link: another post here
我的测试class如下:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import com.google.gson.Gson;
public class CopyOfTest {
public static void main(String[] args) throws IOException, Exception {
//below url is a not an actual endpoint.
URL url = new URL(
"https://abc.def.ghi/Customer/v1/nonexistantlink/?postalCode=80120&clientId=ABC");
String returnData = getResponseJsonString(url);
System.out.println("returnData: " + returnData);
ArrayNameDescDTO msg = new Gson().fromJson(returnData,
ArrayNameDescDTO.class);
System.out.println(msg.toString());
}
private static String getResponseJsonString(URL url) throws IOException {
// Security.addProvider(new BouncyCastleJsseProvider());
// SSLContext sslcontext = SSLContext.getInstance("TLS",new BouncyCastleJsseProvider())
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(new TLSSocketConnectionFactory());
conn.setRequestMethod("GET");
byte[] message = ("username" + ":" + "andItsPassword").getBytes("UTF-8");
String encoded = javax.xml.bind.DatatypeConverter.printBase64Binary(message);
System.out.println("encoded: Basic " + encoded);
conn.setRequestProperty("Authorization", "Basic " + encoded);
conn.setConnectTimeout(10000); // 10 sec
conn.connect();
int status = conn.getResponseCode();
if (conn.getResponseCode() != 200) {
throw new RuntimeException("Failed : HTTP error code : "
+ conn.getResponseCode());
}
switch (status) {
case 200:
case 201:
BufferedReader br = new BufferedReader(new InputStreamReader(
conn.getInputStream()));
StringBuilder sb = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
sb.append(line + "\n");
}
br.close();
conn.disconnect();
return sb.toString();
}
conn.disconnect();
return null;
}
}
有什么建议或指点吗?
此解决方案由@James Reinstate Monica Polk 提供。我在这里重新发布解决方案,以便其他人可以从中受益。
解决方案是创建一个扩展 'org.bouncycastle.crypto.tls.DefaultTlsClient' 并覆盖方法 'notifySecureRenegotiation' 的新 TLS 客户端。
如下所示:
import org.bouncycastle.crypto.tls.DefaultTlsClient;
public class NewDefaultTlsClient extends DefaultTlsClient{
@Override
public void notifySecureRenegotiation(boolean secureRenegotiation){
//do nothing here
}
@Override
public org.bouncycastle.crypto.tls.TlsAuthentication getAuthentication()
throws IOException {
// TODO Auto-generated method stub
return null;
}
}
现在在 TLSSocketConnectionFactory 上,转到 startHandshake() 方法,然后更改
tlsClientProtocol.connect(new DefaultTlsClient(){ ....
与
tlsClientProtocol.connect(new NewDefaultTlsClient(){ ....
就是这样!上述更改后,上述错误不再出现,JDK6 代码能够命中 TLS1.2 端点。
我的情况已经接近Another post here
我在使用 JDK1。6_u45 尝试使用 BouncyCastle 连接到 TLS1.2 上的 https 端点。 我已将端点 public 密钥证书添加到 jre/lib/security
下的 cacerts但是我得到的错误遵循不同的堆栈跟踪,如下所示:
Exception in thread "Main Thread" org.bouncycastle.crypto.tls.TlsFatalAlert: handshake_failure(40)
at org.bouncycastle.crypto.tls.AbstractTlsPeer.notifySecureRenegotiation(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.receiveServerHelloMessage(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.crypto.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.crypto.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.crypto.tls.TlsClientProtocol.connect(Unknown Source)
at TLSSocketConnectionFactory.startHandshake(TLSSocketConnectionFactory.java:498)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:134)
at CopyOfTest.getResponseJsonString(CopyOfTest.java:40)
at CopyOfTest.main(CopyOfTest.java:15)
BouncyCastle TLSSocketConnectionFactory 与本link中提供的相同,所以这里不再post。 (link: another post here
我的测试class如下:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import com.google.gson.Gson;
public class CopyOfTest {
public static void main(String[] args) throws IOException, Exception {
//below url is a not an actual endpoint.
URL url = new URL(
"https://abc.def.ghi/Customer/v1/nonexistantlink/?postalCode=80120&clientId=ABC");
String returnData = getResponseJsonString(url);
System.out.println("returnData: " + returnData);
ArrayNameDescDTO msg = new Gson().fromJson(returnData,
ArrayNameDescDTO.class);
System.out.println(msg.toString());
}
private static String getResponseJsonString(URL url) throws IOException {
// Security.addProvider(new BouncyCastleJsseProvider());
// SSLContext sslcontext = SSLContext.getInstance("TLS",new BouncyCastleJsseProvider())
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(new TLSSocketConnectionFactory());
conn.setRequestMethod("GET");
byte[] message = ("username" + ":" + "andItsPassword").getBytes("UTF-8");
String encoded = javax.xml.bind.DatatypeConverter.printBase64Binary(message);
System.out.println("encoded: Basic " + encoded);
conn.setRequestProperty("Authorization", "Basic " + encoded);
conn.setConnectTimeout(10000); // 10 sec
conn.connect();
int status = conn.getResponseCode();
if (conn.getResponseCode() != 200) {
throw new RuntimeException("Failed : HTTP error code : "
+ conn.getResponseCode());
}
switch (status) {
case 200:
case 201:
BufferedReader br = new BufferedReader(new InputStreamReader(
conn.getInputStream()));
StringBuilder sb = new StringBuilder();
String line;
while ((line = br.readLine()) != null) {
sb.append(line + "\n");
}
br.close();
conn.disconnect();
return sb.toString();
}
conn.disconnect();
return null;
}
}
有什么建议或指点吗?
此解决方案由@James Reinstate Monica Polk 提供。我在这里重新发布解决方案,以便其他人可以从中受益。
解决方案是创建一个扩展 'org.bouncycastle.crypto.tls.DefaultTlsClient' 并覆盖方法 'notifySecureRenegotiation' 的新 TLS 客户端。 如下所示:
import org.bouncycastle.crypto.tls.DefaultTlsClient;
public class NewDefaultTlsClient extends DefaultTlsClient{
@Override
public void notifySecureRenegotiation(boolean secureRenegotiation){
//do nothing here
}
@Override
public org.bouncycastle.crypto.tls.TlsAuthentication getAuthentication()
throws IOException {
// TODO Auto-generated method stub
return null;
}
}
现在在 TLSSocketConnectionFactory 上,转到 startHandshake() 方法,然后更改
tlsClientProtocol.connect(new DefaultTlsClient(){ ....
与
tlsClientProtocol.connect(new NewDefaultTlsClient(){ ....
就是这样!上述更改后,上述错误不再出现,JDK6 代码能够命中 TLS1.2 端点。