双向SSL数字证书身份验证在Java 6中失败，但在Java 7中工作

Question

我有一个Java程序用双向SSL证书身份验证连接到服务器。Java 7运行得很好，但Java 6却失败了。不幸的是，我们的系统仍然使用Java 6。所以，我试图让它与Java 6一起工作。

在SSL相互身份验证事务的第一步，连接就失败了。这是ClientHello步骤。我们从服务器收到一个致命的错误。根据我的分析，我觉得问题可能与不受支持的密码套件有关(即，服务器不支持客户端发送的密码套件)，但不确定。

我尝试使用System.setProperty("javax.net.debug"，“ssl:握手”)；来调试问题，但是调试信息指向特定的问题。

我甚至无法在Java 6中获得安全类的源代码(例如:com.sun.net.ssl.内在. for .*包)来在代码中进行调试。

以下是ssl调试日志：

*** ClientHello, TLSv1
RandomCookie:  GMT: 1438890076 bytes = { 65, 109, 167, 225, 235, 81, 235, 118, 35, 88, 126, 146, 201, 181, 233, 118, 222, 126, 190, 170, 247, 232, 166, 222, 98, 157, 165, 150 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 81
main, WRITE: SSLv2 client hello message, length = 110
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" javax.net.ssl.SSLHandshakeException:     Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:476)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at com.castlight.ws.healthfund.welsforgo.WellsForgoTester_JDK6.main(WellsForgoTester_JDK6.java:72)

如何具体解决这个问题？是否有一种方法来调试Java 6安全代码(例如:com.sun.net.ssl.内在. way .*包)？

Answer 1

首先，您需要知道jdk1.6.115下面的java 6不支持TLSv1.2。您需要升级。还请注意，您不能通过代码中的system属性设置TLSv1.2。您将需要使用代码显式地设置它。在调用API之前，需要在keystore中设置TLSv1.2属性。