SSLException与最新的Java 8.0.252

Question

使用最新的JavaZulu8.0.252和Payara5服务器，我无法再读取任何HTTPS。评级下调至8.0.251后，一切恢复正常。

javax.net.ssl.SSLException
at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
Caused by: java.lang.NullPointerException
at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
... 97 more

Answer 1

看起来您的应用程序或库使用自定义的不安全信任管理器。

此自定义信任管理器实现X509TrustManager类，并从X509TrustManager.getAcceptedIssuers()方法中返回null。

根据java规范，getAcceptedIssuers()必须返回“可接受的CA颁发者证书的非空(可能为空)数组”，但在提供的堆栈中，getAcceptedIssuers()返回null。引起NPE。

请参阅https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509TrustManager.html#getAcceptedIssuers()

Answer 2

为了避免此错误，我在Payara中禁用了TLS 1.3支持。

在domain.xml for Java1.8.0u252及更高版本中禁用TLS1.3支持，方法是替换：

<jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>

通过以下方式：

<jvm-options>[Azul-1.8.0u222|1.8.0u251]-XX:+UseOpenJSSE</jvm-options>

并使用不需要TLS 1.3的兼容灰熊库，方法是替换：

    <jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>

通过以下方式：

    <jvm-options>[1.8.0u191|1.8.0u251]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>
    <jvm-options>[1.8.0u252|1.8.0u500]-Xbootclasspath/a:${com.sun.aas.installRoot}/lib/grizzly-npn-api.jar</jvm-options>