javax.net.ssl.SSLHandshakeException:收到致命警报:码头集装箱内的handshake_failure
javax.net.ssl.SSLHandshakeException:收到致命警报:码头集装箱内的handshake_failure
提问于 2019-05-17 17:13:04
我使用以下代码对远程端点运行本地测试:
URL url = new URL(remoteEndpointUrl);
String encoded = Base64.getEncoder().encodeToString((login + ":"+ password).getBytes("UTF-8")); //Java 8
conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("Authorization", "Basic "+encoded);
conn.setRequestMethod("DELETE");
conn.setRequestProperty("Accept", "application/json");
conn.setDoOutput(true);
conn.getResponseCode();这在我的Mac上是完美无缺的,它有下面的Java版本
java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16,
mixed mode)现在,如果我在一个带有openjdk:8u151映像的码头容器中运行它(我也是从Mac启动的),那么我最终会遇到以下异常:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:162)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)显然,我的本地TLS默认设置与停靠容器中的设置似乎没有任何区别。这是使用-Djavax.net.debug=all运行的调试输出。
本地输出:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541229707 bytes = { 122, 255, 53, 110, 142, 33, 132, 23, 192, 232, 102, 11, 200, 33, 185, 187, 146, 150, 134, 215, 2, 72, 62, 10, 76, 46, 224, 66 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 198
0000: 01 00 00 C2 03 03 5C DD 4D 8B 7A FF 35 6E 8E 21 ......\.M.z.5n.!
0010: 84 17 C0 E8 66 0B C8 21 B9 BB 92 96 86 D7 02 48 ....f..!.......H
0020: 3E 0A 4C 2E E0 42 00 00 3A C0 23 C0 27 00 3C C0 >.L..B..:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
0060: 13 00 FF 01 00 00 5F 00 0A 00 16 00 14 00 17 00 ......_.........
0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
0080: 16 00 0B 00 02 01 00 00 0D 00 1C 00 1A 06 03 06 ................
0090: 01 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 ................
00A0: 02 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 ................
00B0: 73 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 example.com
00C0: 66 79 2E 63 6F 6D
main, WRITE: TLSv1.2 Handshake, length = 198
[Raw write]: length = 203
0000: 16 03 03 00 C6 01 00 00 C2 03 03 5C DD 4D 8B 7A ...........\.M.z
0010: FF 35 6E 8E 21 84 17 C0 E8 66 0B C8 21 B9 BB 92 .5n.!....f..!...
0020: 96 86 D7 02 48 3E 0A 4C 2E E0 42 00 00 3A C0 23 ....H>.L..B..:.#
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
0060: C0 0D 00 16 00 13 00 FF 01 00 00 5F 00 0A 00 16 ..........._....
0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 1C ................
0090: 00 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
00A0: 03 03 03 01 03 02 02 03 02 01 02 02 00 00 00 1B ................
00B0: 00 19 00 00 16 73 75 6D 69 74 64 65 76 2E 6D 79 .....example.com
[Raw read]: length = 5
0000: 16 03 03 00 57 ....W
[Raw read]: length = 87
0000: 02 00 00 53 03 03 5C DD 4D 8B A2 3C 5D 36 46 82 ...S..\.M..<]6F.
0010: BE 0E 5E DA 23 05 66 D5 1B AE 13 AA 8F 98 12 30 ..^.#.f........0
0020: DF 52 9C 28 AA 7B 20 43 4F 5E 40 8C B4 C4 1E 26 .R.(.. CO^@....&
0030: 4F 5D B8 3D 39 16 D5 56 41 9C B0 F8 D5 F4 2A 55 O].=9..VA.....*U
0040: B3 0A E9 A2 6F 9D 88 C0 2B 00 00 0B FF 01 00 01 ....o...+.......
0050: 00 00 0B 00 02 01 00 .......
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1541229707 bytes = { 162, 60, 93, 54, 70, 130, 190, 14, 94, 218, 35, 5, 102, 213, 27, 174, 19, 170, 143, 152, 18, 48, 223, 82, 156, 40, 170, 123 }
Session ID: {67, 79, 94, 64, 140, 180, 196, 30, 38, 79, 93, 184, 61, 57, 22, 213, 86, 65, 156, 176, 248, 213, 244, 42, 85, 179, 10, 233, 162, 111, 157, 136}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-4, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 87ere在码头集装箱输出:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Test worker, setSoTimeout(0) called
Test worker, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541242532 bytes = { 118, 119, 70, 101, 0, 69, 160, 231, 254, 159, 164, 222, 99, 67, 81, 99, 102, 20, 11, 71, 1, 162, 231, 238, 141, 93, 75, 42 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 208
0000: 01 00 00 CC 03 03 5C DD 7F A4 76 77 46 65 00 45 ......\...vwFe.E
0010: A0 E7 FE 9F A4 DE 63 43 51 63 66 14 0B 47 01 A2 ......cCQcf..G..
0020: E7 EE 8D 5D 4B 2A 00 00 64 C0 24 C0 28 00 3D C0 ...]K*..d.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 C0 &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 00 g.@...../.....3.
0060: 32 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0 31 00 9E 00 A2 C0 08 C0 ../...-.1.......
0080: 12 00 0A C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 ................
0090: 3F 00 0D 00 1C 00 1A 06 03 06 01 05 03 05 01 04 ?...............
00A0: 03 04 01 04 02 03 03 03 01 03 02 02 03 02 01 02 ................
00B0: 02 00 00 00 1B 00 19 00 00 16 73 75 6D 69 74 64 ..........
00C0: 65 76 2E 6D 79 73 68 6F 70 69 66 79 2E 63 6F 6D example.com
Test worker, WRITE: TLSv1.2 Handshake, length = 208
[Raw write]: length = 213
0000: 16 03 03 00 D0 01 00 00 CC 03 03 5C DD 7F A4 76 ...........\...v
0010: 77 46 65 00 45 A0 E7 FE 9F A4 DE 63 43 51 63 66 wFe.E......cCQcf
0020: 14 0B 47 01 A2 E7 EE 8D 5D 4B 2A 00 00 64 C0 24 ..G.....]K*..d.$
0030: C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39 00 38 C0 23 C0 27 00 3C .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 .%.).g.@...../..
0060: C0 0E 00 33 00 32 C0 2C C0 2B C0 30 00 9D C0 2E ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F 00 9C C0 2D C0 31 00 9E .2...../...-.1..
0080: 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 ................
0090: 00 FF 01 00 00 3F 00 0D 00 1C 00 1A 06 03 06 01 .....?..........
00A0: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 ................
00B0: 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 73 ...............s
00C0: 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 66 example.com
00D0: 79 2E 63 6F 6D
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
Test worker, READ: TLSv1.2 Alert, length = 2
Test worker, RECV TLSv1.2 ALERT: fatal, handshake_failure
Test worker, called closeSocket()
Test worker, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureere现在,我已经尝试将安全属性crypto.policy设置为unlimited,根据https://www.petefreitag.com/item/844.cfm,它应该是容易启用的JCE (Java加密扩展),这是我从https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https获得的,但是仍然失败。
长期以来,我一直在与此作斗争,并且不知道应该检查什么,因为两次执行都使用TLSv1.2作为https协议,而且都使用相同的密码套件,所以您知道为什么在对接程序中失败了吗?
任何帮助都是非常感谢的,谢谢
编辑:在我的Mac上使用-Dcom.sun.net.ssl.enableECC=false运行
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541432023 bytes = { 91, 55, 180, 242, 51, 13, 227, 239, 109, 218, 210, 217, 65, 181, 16, 146, 251, 182, 30, 23, 156, 83, 207, 5, 80, 0, 133, 88 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 134
0000: 01 00 00 82 03 03 5C E0 63 D7 5B 37 B4 F2 33 0D ......\.c.[7..3.
0010: E3 EF 6D DA D2 D9 41 B5 10 92 FB B6 1E 17 9C 53 ..m...A........S
0020: CF 05 50 00 85 58 00 00 1A 00 3C 00 67 00 40 00 ..P..X....<.g.@.
0030: 2F 00 33 00 32 00 9C 00 9E 00 A2 00 0A 00 16 00 /.3.2...........
0040: 13 00 FF 01 00 00 3F 00 0D 00 1C 00 1A 06 03 06 ......?.........
0050: 01 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 ................
0060: 02 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 ................
0070: 73 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 example.com
0080: 66 79 2E 63 6F 6D
main, WRITE: TLSv1.2 Handshake, length = 134
[Raw write]: length = 139
0000: 16 03 03 00 86 01 00 00 82 03 03 5C E0 63 D7 5B ...........\.c.[
0010: 37 B4 F2 33 0D E3 EF 6D DA D2 D9 41 B5 10 92 FB 7..3...m...A....
0020: B6 1E 17 9C 53 CF 05 50 00 85 58 00 00 1A 00 3C ....S..P..X....<
0030: 00 67 00 40 00 2F 00 33 00 32 00 9C 00 9E 00 A2 .g.@./.3.2......
0040: 00 0A 00 16 00 13 00 FF 01 00 00 3F 00 0D 00 1C ...........?....
0050: 00 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
0060: 03 03 03 01 03 02 02 03 02 01 02 02 00 00 00 1B ................
0070: 00 19 00 00 16 73 75 6D 69 74 64 65 76 2E 6D 79 .....example.com
0080: 73 68 6F 70 69 66 79 2E 63 6F 6D
[Raw read]: length = 5
0000: 16 03 03 00 51 ....Q
[Raw read]: length = 81
0000: 02 00 00 4D 03 03 5C E0 63 DA 99 74 67 FF 71 48 ...M..\.c..tg.qH
0010: B5 9B 8F 63 A4 06 15 AE 1D E6 1B CA 27 C6 9C 85 ...c........'...
0020: B8 E8 40 03 89 54 20 29 3F 81 6A E8 E4 54 39 D7 ..@..T )?.j..T9.
0030: 5A 95 5B DD 7C 59 18 28 05 C2 49 75 22 2E 69 78 Z.[..Y.(..Iu".ix
0040: E1 1B 11 62 03 62 C0 00 9C 00 00 05 FF 01 00 01 ...b.b..........
0050: 00 .
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1541432026 bytes = { 153, 116, 103, 255, 113, 72, 181, 155, 143, 99, 164, 6, 21, 174, 29, 230, 27, 202, 39, 198, 156, 133, 184, 232, 64, 3, 137, 84 }
Session ID: {41, 63, 129, 106, 232, 228, 84, 57, 215, 90, 149, 91, 221, 124, 89, 24, 40, 5, 194, 73, 117, 34, 46, 105, 120, 225, 27, 17, 98, 3, 98, 192}
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-4, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 81回答 2
Stack Overflow用户
回答已采纳
发布于 2019-05-17 18:50:13
不是一个确切的答案,但我希望这能帮上忙。
在第一种情况下,客户端发送两个椭圆曲线扩展,而不是在第二个。我不知道这种不同行为的原因,但这可能以服务器无法进一步发展而告终,因为无法找到通用的密码套件。
RFC 4492给出了两个理由,说明在缺少扩展时不应该有任何问题:
- 如果握手失败缺失,则不会将其视为默认情况:
如果服务器不理解支持的椭圆曲线 扩展,不理解支持的点格式扩展,或无法完成ECC握手,同时限制自身 对于枚举曲线和点格式,它不能协商使用ECC密码套件。取决于其他密码套件 由客户端提出并得到服务器的支持,这可能是 由于缺乏公共功能,造成致命握手失败警报。 密码套房。
- 发送它们并不完全是强制性的,只是使用“应该”一词的更好的行为:
一个在其ClientHello中提出ECC密码套件的TLS客户端 消息应该包括这些扩展。
这将导致软件错误或错误安装(缺少文件、错误的权限、..)无论是在客户端还是服务器上。
如果使用-Dcom.sun.net.ssl.enableECC=false运行本地测试,会发生什么情况?
您可以比较jre/lib中所有目录的内容,以找到可能缺少的任何内容。
例如,您的码头客户端是否包含文件libsunec.so?
您的端点上有什么TLS服务器?这也是伪造的吗?
至少JDK 8发行说明没有提到任何本来可以解决的客户端问题。相反,它提到了一个在jdk.tls.namedGroups(null)中解决的8u 131问题,即由其重复的bug ( JDK-8173960 bug )很好地解释的bug JDK-8173783。这并不能解释为什么您面临着两种不同的行为,但可能有一些东西没有提到(另一个丢失的文件,sunec.jar在错误中说,导致了同样的问题)。在我看来,客户端缺少的文件会导致服务器端错误(也是由丢失的文件或简单的软件错误触发的)。如果你找到了让我们知道解决办法。
Stack Overflow用户
发布于 2019-05-17 17:46:56
“握手失败”通常意味着服务器的TLS级别(例如TLS1.2)和密码套件之间没有重叠,以及您的WebSphere可以处理什么。
我将在服务器上运行类似https://www.ssllabs.com/ssltest/的测试,然后查看WebSphere安全性> SSL证书和密钥管理> SSL配置中的WebSphere设置。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/56190856
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号