javax.net.ssl.SSLException: Received fatal alert: protocol_version

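Has anyone run into this error? I am new to SSL; is there anything obviously wrong with my ClientHello? No ServerHello response comes back when the exception is thrown. Any suggestions are appreciated.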

 *** ClientHello, TLSv1
 RandomCookie: GMT: 1351745496 bytes = { 154, 151, 225, 128, 127, 137, 198, 245, 160, 35, 124, 13, 135, 120, 33, 240, 82, 223, 56, 25, 207, 231, 231, 124, 103, 205, 66, 218 }
 Session ID: {}
 Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
 Compression Methods: { 0 }
 ***
 [write] MD5 and SHA1 hashes: len = 75
 0000: 01 00 00 47 03 01 51 92 00 D8 9A 97 E1 80 7F 89 ...G..Q.........
 0010: C6 F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF E7 ...#...x!.R.8...
 0020: E7 7C 67 CD 42 DA 00 00 20 00 04 00 05 00 2F 00 ..gB.. ...../.
 0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
 0040: 03 00 08 00 14 00 11 00 FF 01 00 ...........
 xxx, WRITE: TLSv1 Handshake, length = 75
 [write] MD5 and SHA1 hashes: len = 101
 0000: 01 03 01 00 3C 00 00 00 20 00 00 04 01 00 80 00 ....<... .......
 0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
 0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
 0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
 0040: 00 11 00 00 FF 51 92 00 D8 9A 97 E1 80 7F 89 C6 .....Q..........
 0050: F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF E7 E7 ..#...x!.R.8....
 0060: 7C 67 CD 42 DA .gB
 xxx, WRITE: SSLv2 client hello message, length = 101
 [Raw write]: length = 103
 0000: 80 65 01 03 01 00 3C 00 00 00 20 00 00 04 01 00 .e....<... .....
 0010: 80 00 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A ....../..3..2...
 0020: 07 00 C0 00 00 16 00 00 13 00 00 09 06 00 40 00 ..............@.
 0030: 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 ................
 0040: 14 00 00 11 00 00 FF 51 92 00 D8 9A 97 E1 80 7F .......Q........
 0050: 89 C6 F5 A0 23 7C 0D 87 78 21 F0 52 DF 38 19 CF ....#...x!.R.8..
 0060: E7 E7 7C 67 CD 42 DA ...gB
 [Raw read]: length = 5
 0000: 15 03 01 00 02 .....
 [Raw read]: length = 2
 0000: 02 46 .F

{ http://xml.apache.org/axis/ } stackTrace:

 javax.net.ssl.SSLException: Received fatal alert: protocol_version
     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
     at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
     at

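On Java 1.8 the default TLS protocol is v1.2. On Java 1.6 and 1.7 the default is the obsolete TLS 1.0. I got this error on Java 1.8 because the URL uses the old TLS 1.0 (like yours: you see ClientHello, TLSv1). To resolve this error you need to override the defaults for Java 1.8.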

 System.setProperty("https.protocols", "TLSv1"); 

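More information is on the Oracle blog.

marioosh's answer seems to be on the right track. It did not work for me. So I found:

Problems connecting via HTTPS/SSL through own Java client

which uses: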

 java.lang.System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2"); 

This seems to be necessary with Java 7 and a TLSv1.2 site.

I checked the site with:

 openssl s_client -connect www.st.nmfs.noaa.gov:443 

using

 openssl version
 OpenSSL 1.0.2l 25 May 2017

and got the result:

 ...
 SSL-Session:
     Protocol : TLSv1.2
     Cipher : ECDHE-RSA-AES256-GCM-SHA384
 ...

Note that the older openssl version on my Mac did not work, and I had to use the MacPorts one.

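This looks like a protocol version mismatch; this exception usually occurs when the SSL protocol versions used by the client and the server do not match. Your client should use a protocol version that the server supports.

This is because you send a TLSv1 handshake and then send a message using the SSLv2 protocol;

 xxx, WRITE: TLSv1 Handshake, length = 75
 xxx, WRITE: SSLv2 client hello message, length = 101

This means that the server expects the TLSv1 protocol to be used and will not accept the connection. Try specifying which protocol to use, or post some relevant code so we can have a look.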
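Added example, not part of any post on this page: decoding the leading bytes of the "[Raw write]" line and the two "[Raw read]" lines from the question's debug log shows what went out and what came back (an SSLv2-framed hello offering TLSv1, answered by a fatal protocol_version alert). The function names and lookup tables are this example's own; the alert table is a subset of RFC 5246 section 7.2.

```python
# Byte values below are copied from the [Raw write] / [Raw read] lines of the question's log.

VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246 section 7.2.
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d,%d)" % (major, minor))


def parse_record(data):
    """Classify the first record in `data` as SSLv2-framed or SSL3/TLS-framed."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] & 0x80 and data[2] == 1:
        # 2-byte SSLv2 header (high bit set), message type 1 = CLIENT-HELLO,
        # followed by the highest version the client is offering.
        return {"framing": "SSLv2", "length": ((data[0] & 0x7F) << 8) | data[1],
                "type": "client_hello", "offered": version_name(data[3], data[4])}
    ctype = CONTENT_TYPES.get(data[0])
    if ctype is None:
        raise ValueError("unknown content type %d" % data[0])
    return {"framing": "TLS", "type": ctype,
            "version": version_name(data[1], data[2]),
            "length": (data[3] << 8) | data[4]}


def parse_alert(body):
    """Decode the 2-byte alert body into (level, description)."""
    if len(body) != 2:
        raise ValueError("alert body is exactly 2 bytes")
    return (ALERT_LEVELS.get(body[0], "unknown"),
            ALERTS.get(body[1], "unknown(%d)" % body[1]))


raw_write = bytes.fromhex("80 65 01 03 01 00 3C 00 00 00 20")  # start of [Raw write]
raw_read_header = bytes.fromhex("15 03 01 00 02")              # [Raw read]: length = 5
raw_read_body = bytes.fromhex("02 46")                         # [Raw read]: length = 2

if __name__ == "__main__":
    print(parse_record(raw_write), parse_record(raw_read_header),
          parse_alert(raw_read_body), sep="\n")
```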

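Adding some extra information about cipher suites to @marioosh's answer.


A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish secure communication in the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocols.
Ciphers are algorithms; more specifically, they are a set of steps for performing encryption as well as the corresponding decryption.

A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication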

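SocketFactory « Default handshake protocols « To avoid the SSLException, use the https.protocols system property.
It contains a comma-separated list of protocol suite names specifying which protocol suites to enable on this HttpsURLConnection. See the SSLSocket.setEnabledProtocols(String[]) method.

 System.setProperty("https.protocols", "SSLv3");
 // (OR)
 System.setProperty("https.protocols", "TLSv1");

JAVA 8 « TLS 1.1 and TLS 1.2 enabled by default: the SunJSSE provider enables the protocols TLS 1.1 and TLS 1.2 on the client by default.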

 System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2"); 

Java 8 example of reading a file over the network:

 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;

 import org.apache.commons.io.IOUtils; // Apache Commons IO

 public class SecureSocket {
     static {
         // System.setProperty("javax.net.debug", "all");
         System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
     }

     public static void main(String[] args) {
         String GhitHubSSLFile = "https://raw.githubusercontent.com/Yash-777/SeleniumWebDrivers/master/pom.xml";
         try {
             String str = readCloudFileAsString(GhitHubSSLFile);
             // new String(Files.readAllBytes(Paths.get( "D:/Sample.file" )));
             System.out.println("Cloud File Data : " + str);
         } catch (IOException e) {
             e.printStackTrace();
         }
     }

     public static String readCloudFileAsString(String urlStr) throws IOException {
         // Compare string contents with isEmpty(), not reference inequality (!= "").
         if (urlStr != null && !urlStr.isEmpty()) {
             URL url = new URL(urlStr);
             // try-with-resources closes the stream even if reading fails.
             try (InputStream s = (InputStream) url.getContent()) {
                 return IOUtils.toString(s, "UTF-8");
             }
         }
         return null;
     }
 }

JDK 8 Security: you can customize some aspects of JSSE by setting system properties. By specifying the property below you can inspect the encrypted data from the file.

 System.setProperty("javax.net.debug", "all"); 

Exception

 javax.net.ssl.SSLException: Received fatal alert: protocol_version 

If the handshake fails for any reason, the SSLSocket is closed and no further communication can be done.

Observed log for the above example:

 *** ClientHello, TLSv1.2
 RandomCookie: GMT: 1505482843 bytes = { 12, 11, 111, 99, 8, 177, 101, 27, 84, 176, 147, 215, 116, 208, 31, 178, 141, 170, 29, 118, 29, 192, 61, 191, 53, 201, 127, 100 }
 Session ID: {}
 Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
 Compression Methods: { 0 }
 Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
 Extension ec_point_formats, formats: [uncompressed]
 Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
 Extension server_name, server_name: [host_name: raw.githubusercontent.com]
 ***
 [write] MD5 and SHA1 hashes: len = 213
 0000: 01 00 00 D1 03 03 5A BC D8 5B 0C 0B 6F 63 08 B1 ......Z..[..oc..
 0010: 65 1B 54 B0 93 D7 74 D0 1F B2 8D AA 1D 76 1D C0 eT..t......v..
 0020: 3D BF 35 C9 7F 64 00 00 2A C0 09 C0 13 00 2F C0 =.5..d..*...../.
 0030: 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 ....3.2.........
 0040: 0D 00 16 00 13 C0 07 C0 11 00 05 C0 02 C0 0C 00 ................
 0050: 04 00 FF 01 00 00 7E 00 0A 00 34 00 32 00 17 00 ..........4.2...
 0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................
 0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 ................
 0080: 11 00 02 00 12 00 04 00 05 00 14 00 08 00 16 00 ................
 0090: 0B 00 02 01 00 00 0D 00 1A 00 18 06 03 06 01 05 ................
 00A0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................
 00B0: 02 01 01 00 00 00 1E 00 1C 00 00 19 72 61 77 2E ............raw.
 00C0: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E githubuserconten
 00D0: 74 2E 63 6F 6D t.com
 main, WRITE: TLSv1.2 Handshake, length = 213
 [Raw write]: length = 218
 0000: 16 03 03 00 D5 01 00 00 D1 03 03 5A BC D8 5B 0C ...........Z..[.
 0010: 0B 6F 63 08 B1 65 1B 54 B0 93 D7 74 D0 1F B2 8D .oc..eT..t....
 0020: AA 1D 76 1D C0 3D BF 35 C9 7F 64 00 00 2A C0 09 ..v..=.5..d..*..
 0030: C0 13 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 .../.....3.2....
 0040: 00 0A C0 03 C0 0D 00 16 00 13 C0 07 C0 11 00 05 ................
 0050: C0 02 C0 0C 00 04 00 FF 01 00 00 7E 00 0A 00 34 ...............4
 0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2..............
 0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................
 0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ................
 0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................
 00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................
 00B0: 02 03 02 01 02 02 01 01 00 00 00 1E 00 1C 00 00 ................
 00C0: 19 72 61 77 2E 67 69 74 68 75 62 75 73 65 72 63 .raw.githubuserc
 00D0: 6F 6E 74 65 6E 74 2E 63 6F 6D ontent.com
 [Raw read]: length = 5
 0000: 16 03 03 00 5D ....]

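Cryptography and secure communication with WhatsApp

WhatsApp

@See

  • AZURE TLS / SSL cipher suites
  • javax.net.ssl.SSLHandshakeException: No appropriate protocol
  • WhatsApp end-to-end encryption

I got the same error. For Java version 7, the following worked for me.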

 java.lang.System.setProperty("https.protocols", "TLSv1.2");

I ran into this problem when trying to install the PySpark package. I solved it by changing the TLS version with an environment variable:

 echo 'export JAVA_TOOL_OPTIONS="-Dhttps.protocols=TLSv1.2"' >> ~/.bashrc
 source ~/.bashrc