Java 11.0.11 SSL 握手失败并出现异常 'No common named group'
Java 11.0.11 SSL handshake fails with exception 'No common named group'
我们在 Java11 中开发了一个服务器应用程序,它接受来自客户端的传入 HTTPS 连接。一切正常 to/including Java 11.0.10 (AdoptOpenJDK).
升级到 Java 11.0.11 后,我们遇到连接握手问题(javax.net.ssl.SSLProtocolException:没有通用的命名组 )来自 Chrome 客户。 Firefox 客户端没有问题。
启用 SSL 日志 (-Djavax.net.debug=ssl:handshake) 后,我们可以看到两个版本之间的差异:
11.0.11:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
Ignore unsupported named group: x25519
Consumed extension: key_share
11.0.10:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
Consumed extension: key_share
新的 Java 版本似乎忽略了对 x25519 的请求。
两个 Java 运行时都未更改地从 AdoptOpenJDK 下载。
这里有一些更详细的日志:
从 Chrome 失败 Java 11.0.11:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (64,250)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (60,138)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.399 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "E0 14 47 3E 55 DE 2D 30 FF 5C CE E1 D1 27 3D 4B F4 CB 42 EE 3E 22 14 C7 BE 16 1A FA BF 35 EE DD",
"session id" : "D7 59 27 6A 00 46 84 3A AB 32 FD 30 79 AD C4 DE 11 55 52 D5 07 1F 66 B0 7D 7E 80 A6 6F 95 2D 2B",
"cipher suites" : "[UNKNOWN-CIPHER-SUITE(0x2A2A)(0x2A2A), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
"unknown extension (64,250)": {
},
"server_name (0)": {
type=host_name (0), value=local.3dmapping.cloud
},
"extended_master_secret (23)": {
<empty>
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(31354), x25519, secp256r1, secp384r1]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"session_ticket (35)": {
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
},
"signed_certificate_timestamp (18)": {
},
"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(31354)
"key_exchange": {
0000: 00
}
},
{
"named group": x25519
"key_exchange": {
0000: AA F1 CE 3D 91 DD 66 C1 50 6F 5F B6 21 B3 EC 15 ...=..f.Po_.!...
0010: A9 56 23 C7 3C 33 22 7B EC 6C 3F 0C 37 C4 B6 45 .V#.<3"..l?.7..E
}
},
]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"supported_versions (43)": {
"versions": [(D)TLS-10.10, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"unknown extension (27)": {
0000: 02 00 02 ...
},
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
},
"unknown extension (60,138)": {
0000: 00 .
},
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.400 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.401 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.402 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.403 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.406 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.408 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.409 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.410 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.418 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.420 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.421 CEST|null:-1|Ignore unsupported named group: x25519
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.423 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|ERROR|19|PortServer:Http1111|2021-07-14 10:00:46.426 CEST|null:-1|Fatal (UNEXPECTED_MESSAGE): No common named group (
"throwable" : {
javax.net.ssl.SSLProtocolException: No common named group
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.KeyShareExtension$HRRKeyShareProducer.produce(Unknown Source)
at java.base/sun.security.ssl.SSLExtension.produce(Unknown Source)
at java.base/sun.security.ssl.SSLExtensions.produce(Unknown Source)
at java.base/sun.security.ssl.ServerHello$T13HelloRetryRequestProducer.produce(Unknown Source)
at java.base/sun.security.ssl.SSLHandshake.produce(Unknown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goHelloRetryRequest(Unknown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(Unknown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.a(SourceFile:1505)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.read(SourceFile:653)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.e(SourceFile:502)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.run(SourceFile:951)
at java.base/java.lang.Thread.run(Unknown Source)}
)
Chrome 成功 Java 11.0.10:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (31,354)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.905 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.906 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (10,794)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.908 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.916 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "F0 2C 2D B7 E0 B2 5C 59 20 66 E7 61 53 6A F5 3F AC FB 8B 14 22 51 D2 8E 7D 1D 52 17 A4 C1 33 E3",
"session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
"cipher suites" : "[UNKNOWN-CIPHER-SUITE(0xCACA)(0xCACA), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
"unknown extension (31,354)": {
},
"server_name (0)": {
type=host_name (0), value=local.3dmapping.cloud
},
"extended_master_secret (23)": {
<empty>
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(6682), x25519, secp256r1, secp384r1]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"session_ticket (35)": {
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
},
"signed_certificate_timestamp (18)": {
},
"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(6682)
"key_exchange": {
0000: 00
}
},
{
"named group": x25519
"key_exchange": {
0000: D8 DB B4 6D 69 D4 44 C2 21 7C 59 8C 3F EB 18 20 ...mi.D.!.Y.?..
0010: B5 13 73 41 2C 57 18 2E 1C DB 03 64 50 57 0B 6B ..sA,W.....dPW.k
}
},
]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"supported_versions (43)": {
"versions": [(D)TLS--6.-6, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"unknown extension (27)": {
0000: 02 00 02 ...
},
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
},
"unknown extension (10,794)": {
0000: 00 .
},
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.917 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.935 CEST|null:-1|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.938 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.943 CEST|null:-1|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.945 CEST|null:-1|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.946 CEST|null:-1|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.947 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.949 CEST|null:-1|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.950 CEST|null:-1|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "59 39 C8 98 37 AF C6 72 50 DF 02 74 43 DF 4C 29 F6 65 CE 97 66 79 E2 69 6F 8C B1 E4 1B B6 65 54",
"session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 3A 89 E5 8E E2 1E 7D 48 E2 FE 44 92 BD 03 EE BA :......H..D.....
0010: 27 08 8E 06 06 86 D8 7D 8E 74 D3 BF A7 55 5D 03 '........t...U].
}
},
}
]
}
)
Java 11.0.11 似乎已经放弃了对 TLSv1 和 TLSv1.1 的开箱即用支持,但我不确定这是否相关。启用这些并不能解决问题。
知道为什么不再支持 x25519 了吗?或者如何开启?
问题的原因是模块路径中有一个 jar 文件。 jar 本身与网络、加密或安全无关,它用于更改 UI 外观。 jar 是 7 年前签署的,之前没有造成任何问题。
用未签名的副本替换此 jar 可以解决所有问题并使 Java 11.0.11 再次完全运行,呈现预期的安全提供程序列表(13 个而不是 4 个)。
为什么这个问题只发生在 Java 11.0.11 仍然是个谜。我没有看到来自 Java 类加载器的任何错误消息。
我们在 Java11 中开发了一个服务器应用程序,它接受来自客户端的传入 HTTPS 连接。一切正常 to/including Java 11.0.10 (AdoptOpenJDK).
升级到 Java 11.0.11 后,我们遇到连接握手问题(javax.net.ssl.SSLProtocolException:没有通用的命名组 )来自 Chrome 客户。 Firefox 客户端没有问题。
启用 SSL 日志 (-Djavax.net.debug=ssl:handshake) 后,我们可以看到两个版本之间的差异:
11.0.11:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
Ignore unsupported named group: x25519
Consumed extension: key_share
11.0.10:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
Consumed extension: key_share
新的 Java 版本似乎忽略了对 x25519 的请求。
两个 Java 运行时都未更改地从 AdoptOpenJDK 下载。
这里有一些更详细的日志:
从 Chrome 失败 Java 11.0.11:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (64,250)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (60,138)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.399 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "E0 14 47 3E 55 DE 2D 30 FF 5C CE E1 D1 27 3D 4B F4 CB 42 EE 3E 22 14 C7 BE 16 1A FA BF 35 EE DD",
"session id" : "D7 59 27 6A 00 46 84 3A AB 32 FD 30 79 AD C4 DE 11 55 52 D5 07 1F 66 B0 7D 7E 80 A6 6F 95 2D 2B",
"cipher suites" : "[UNKNOWN-CIPHER-SUITE(0x2A2A)(0x2A2A), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
"unknown extension (64,250)": {
},
"server_name (0)": {
type=host_name (0), value=local.3dmapping.cloud
},
"extended_master_secret (23)": {
<empty>
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(31354), x25519, secp256r1, secp384r1]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"session_ticket (35)": {
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
},
"signed_certificate_timestamp (18)": {
},
"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(31354)
"key_exchange": {
0000: 00
}
},
{
"named group": x25519
"key_exchange": {
0000: AA F1 CE 3D 91 DD 66 C1 50 6F 5F B6 21 B3 EC 15 ...=..f.Po_.!...
0010: A9 56 23 C7 3C 33 22 7B EC 6C 3F 0C 37 C4 B6 45 .V#.<3"..l?.7..E
}
},
]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"supported_versions (43)": {
"versions": [(D)TLS-10.10, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"unknown extension (27)": {
0000: 02 00 02 ...
},
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
},
"unknown extension (60,138)": {
0000: 00 .
},
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.400 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.401 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.402 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.403 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.406 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.408 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.409 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.410 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.418 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.420 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.421 CEST|null:-1|Ignore unsupported named group: x25519
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.423 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|ERROR|19|PortServer:Http1111|2021-07-14 10:00:46.426 CEST|null:-1|Fatal (UNEXPECTED_MESSAGE): No common named group (
"throwable" : {
javax.net.ssl.SSLProtocolException: No common named group
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.KeyShareExtension$HRRKeyShareProducer.produce(Unknown Source)
at java.base/sun.security.ssl.SSLExtension.produce(Unknown Source)
at java.base/sun.security.ssl.SSLExtensions.produce(Unknown Source)
at java.base/sun.security.ssl.ServerHello$T13HelloRetryRequestProducer.produce(Unknown Source)
at java.base/sun.security.ssl.SSLHandshake.produce(Unknown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goHelloRetryRequest(Unknown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(Unknown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.a(SourceFile:1505)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.read(SourceFile:653)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.e(SourceFile:502)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.run(SourceFile:951)
at java.base/java.lang.Thread.run(Unknown Source)}
)
Chrome 成功 Java 11.0.10:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (31,354)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unknown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.905 CEST|null:-1|Ignore unknown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.906 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unknown or unsupported extension (
"unknown extension (10,794)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.908 CEST|null:-1|Ignore unknown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.916 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "F0 2C 2D B7 E0 B2 5C 59 20 66 E7 61 53 6A F5 3F AC FB 8B 14 22 51 D2 8E 7D 1D 52 17 A4 C1 33 E3",
"session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
"cipher suites" : "[UNKNOWN-CIPHER-SUITE(0xCACA)(0xCACA), TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), UNKNOWN-CIPHER-SUITE(0xCCA9)(0xCCA9), UNKNOWN-CIPHER-SUITE(0xCCA8)(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]",
"compression methods" : "00",
"extensions" : [
"unknown extension (31,354)": {
},
"server_name (0)": {
type=host_name (0), value=local.3dmapping.cloud
},
"extended_master_secret (23)": {
<empty>
},
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},
"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(6682), x25519, secp256r1, secp384r1]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"session_ticket (35)": {
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, ecdsa_secp384r1_sha384, rsa_pss_rsae_sha384, rsa_pkcs1_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha512]
},
"signed_certificate_timestamp (18)": {
},
"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(6682)
"key_exchange": {
0000: 00
}
},
{
"named group": x25519
"key_exchange": {
0000: D8 DB B4 6D 69 D4 44 C2 21 7C 59 8C 3F EB 18 20 ...mi.D.!.Y.?..
0010: B5 13 73 41 2C 57 18 2E 1C DB 03 64 50 57 0B 6B ..sA,W.....dPW.k
}
},
]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"supported_versions (43)": {
"versions": [(D)TLS--6.-6, TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"unknown extension (27)": {
0000: 02 00 02 ...
},
"unknown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
},
"unknown extension (10,794)": {
0000: 00 .
},
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.917 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.935 CEST|null:-1|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.938 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.943 CEST|null:-1|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.945 CEST|null:-1|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.946 CEST|null:-1|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.947 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.949 CEST|null:-1|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.950 CEST|null:-1|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "59 39 C8 98 37 AF C6 72 50 DF 02 74 43 DF 4C 29 F6 65 CE 97 66 79 E2 69 6F 8C B1 E4 1B B6 65 54",
"session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 3A 89 E5 8E E2 1E 7D 48 E2 FE 44 92 BD 03 EE BA :......H..D.....
0010: 27 08 8E 06 06 86 D8 7D 8E 74 D3 BF A7 55 5D 03 '........t...U].
}
},
}
]
}
)
Java 11.0.11 似乎已经放弃了对 TLSv1 和 TLSv1.1 的开箱即用支持,但我不确定这是否相关。启用这些并不能解决问题。
知道为什么不再支持 x25519 了吗?或者如何开启?
问题的原因是模块路径中有一个 jar 文件。 jar 本身与网络、加密或安全无关,它用于更改 UI 外观。 jar 是 7 年前签署的,之前没有造成任何问题。 用未签名的副本替换此 jar 可以解决所有问题并使 Java 11.0.11 再次完全运行,呈现预期的安全提供程序列表(13 个而不是 4 个)。
为什么这个问题只发生在 Java 11.0.11 仍然是个谜。我没有看到来自 Java 类加载器的任何错误消息。