最新 Java Zulu 8.0.252 的 SSLException
SSLException with latest Java Zulu 8.0.252
使用最新的 Java Zulu 8.0.252 和 Payara5 服务器,我无法再读取任何 HTTPS URL。降级到 8.0.251 后一切正常。
javax.net.ssl.SSLException
at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
Caused by: java.lang.NullPointerException
at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
... 97 more
为了避免这个错误,我在 Payara 中禁用了 TLS 1.3 支持。
在 domain.xml 中为 Java 1.8.0u252 及更高版本禁用 TLS 1.3 支持,替换为:
<jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>
与:
<jvm-options>[Azul-1.8.0u222|1.8.0u251]-XX:+UseOpenJSSE</jvm-options>
并使用不需要 TLS 1.3 的兼容灰熊库替换:
<jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
与:
<jvm-options>[1.8.0u191|1.8.0u251]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
<jvm-options>[1.8.0u252|1.8.0u500]-Xbootclasspath/a:${com.sun.aas.installRoot}/lib/grizzly-npn-api.jar</jvm-options>
您的应用程序或库似乎使用了自定义的不安全信任管理器。
此自定义信任管理器从 X509TrustManager.getAcceptedIssuers() 方法实现 X509TrustManager class 和 returns null。
根据 java 规范 getAcceptedIssuers() 必须 return "non-null (possibly empty) array of acceptable CA issuer certificates" 但在提供的堆栈跟踪中 getAcceptedIssuers() return 为空。它会导致 NPE。
见https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509TrustManager.html#getAcceptedIssuers()
使用最新的 Java Zulu 8.0.252 和 Payara5 服务器,我无法再读取任何 HTTPS URL。降级到 8.0.251 后一切正常。
javax.net.ssl.SSLException
at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
Caused by: java.lang.NullPointerException
at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
... 97 more
为了避免这个错误,我在 Payara 中禁用了 TLS 1.3 支持。
在 domain.xml 中为 Java 1.8.0u252 及更高版本禁用 TLS 1.3 支持,替换为:
<jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>
与:
<jvm-options>[Azul-1.8.0u222|1.8.0u251]-XX:+UseOpenJSSE</jvm-options>
并使用不需要 TLS 1.3 的兼容灰熊库替换:
<jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
与:
<jvm-options>[1.8.0u191|1.8.0u251]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
<jvm-options>[1.8.0u252|1.8.0u500]-Xbootclasspath/a:${com.sun.aas.installRoot}/lib/grizzly-npn-api.jar</jvm-options>
您的应用程序或库似乎使用了自定义的不安全信任管理器。
此自定义信任管理器从 X509TrustManager.getAcceptedIssuers() 方法实现 X509TrustManager class 和 returns null。
根据 java 规范 getAcceptedIssuers() 必须 return "non-null (possibly empty) array of acceptable CA issuer certificates" 但在提供的堆栈跟踪中 getAcceptedIssuers() return 为空。它会导致 NPE。
见https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509TrustManager.html#getAcceptedIssuers()