SSL handshake failure with Java version "1.7.0_79"

I am using Apache HttpClient to communicate with a host from Java, and it is throwing handshake_failure. The full trace is:

    trigger seeding of SecureRandom
    done seeding SecureRandom
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1477593324 bytes = { 140, 171, 214, 217, 33, 165, 60, 228, 102, 207, 88, 112, 29, 40, 198, 242, 159, 61, 172, 89, 116, 98, 7, 195, 182, 144, 159, 226 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension server_name, server_name: [host_name: integration.swiggy.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 180
    main, WRITE: TLSv1 Handshake, length = 180
    [Raw write]: length = 185
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at HttpURLConnectionExample.sendGet1(HttpURLConnectionExample.java:83)
        at HttpURLConnectionExample.main(HttpURLConnectionExample.java:48)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
    [Raw read]: length = 5
    0000: 15 03 01 00 02
    [Raw read]: length = 2
    0000: 02 28
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT:  fatal, handshake_failure
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I have tried many things but cannot figure out what exactly the problem is.

Your problem is that integration.swiggy.com and Java 7 do not share any common cipher suites. Enabling TLSv1.2 will not help.

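You can download the JCE Unlimited Strength Jurisdiction Policy files for Java 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html and replace the two JARs (local_policy.jar, US_export_policy.jar) under your JRE's lib/security directory with those from the downloaded package. This will add additional (stronger) cipher suites, and you should be able to connect without making any changes to the code or enabling TLSv1.2.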

For reference, here are the cipher suites available in Java 7 (1.7.0_79):

    Default Cipher
            SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_DSS_WITH_DES_CBC_SHA
            SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_RSA_WITH_DES_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
            SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
            SSL_DH_anon_WITH_DES_CBC_SHA
            SSL_DH_anon_WITH_RC4_128_MD5
            SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
            SSL_RSA_EXPORT_WITH_RC4_40_MD5
    *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_RSA_WITH_DES_CBC_SHA
            SSL_RSA_WITH_NULL_MD5
            SSL_RSA_WITH_NULL_SHA
    *       SSL_RSA_WITH_RC4_128_MD5
    *       SSL_RSA_WITH_RC4_128_SHA
    *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            TLS_DH_anon_WITH_AES_128_CBC_SHA
            TLS_DH_anon_WITH_AES_128_CBC_SHA256
    *       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
            TLS_ECDHE_ECDSA_WITH_NULL_SHA
    *       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    *       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            TLS_ECDHE_RSA_WITH_NULL_SHA
    *       TLS_ECDHE_RSA_WITH_RC4_128_SHA
    *       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
            TLS_ECDH_ECDSA_WITH_NULL_SHA
    *       TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    *       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
            TLS_ECDH_RSA_WITH_NULL_SHA
    *       TLS_ECDH_RSA_WITH_RC4_128_SHA
            TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
            TLS_ECDH_anon_WITH_AES_128_CBC_SHA
            TLS_ECDH_anon_WITH_NULL_SHA
            TLS_ECDH_anon_WITH_RC4_128_SHA
    *       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
            TLS_KRB5_EXPORT_WITH_RC4_40_MD5
            TLS_KRB5_EXPORT_WITH_RC4_40_SHA
            TLS_KRB5_WITH_3DES_EDE_CBC_MD5
            TLS_KRB5_WITH_3DES_EDE_CBC_SHA
            TLS_KRB5_WITH_DES_CBC_MD5
            TLS_KRB5_WITH_DES_CBC_SHA
            TLS_KRB5_WITH_RC4_128_MD5
            TLS_KRB5_WITH_RC4_128_SHA
    *       TLS_RSA_WITH_AES_128_CBC_SHA
    *       TLS_RSA_WITH_AES_128_CBC_SHA256
            TLS_RSA_WITH_NULL_SHA256

And here they are after applying the Unlimited Strength Jurisdiction Policy files:

    Default Cipher
            SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_DSS_WITH_DES_CBC_SHA
            SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_DHE_RSA_WITH_DES_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
            SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
            SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
            SSL_DH_anon_WITH_DES_CBC_SHA
            SSL_DH_anon_WITH_RC4_128_MD5
            SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
            SSL_RSA_EXPORT_WITH_RC4_40_MD5
    *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
            SSL_RSA_WITH_DES_CBC_SHA
            SSL_RSA_WITH_NULL_MD5
            SSL_RSA_WITH_NULL_SHA
    *       SSL_RSA_WITH_RC4_128_MD5
    *       SSL_RSA_WITH_RC4_128_SHA
    *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    *       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    *       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    *       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    *       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
            TLS_DH_anon_WITH_AES_128_CBC_SHA
            TLS_DH_anon_WITH_AES_128_CBC_SHA256
            TLS_DH_anon_WITH_AES_256_CBC_SHA
            TLS_DH_anon_WITH_AES_256_CBC_SHA256
    *       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    *       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
            TLS_ECDHE_ECDSA_WITH_NULL_SHA
    *       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    *       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    *       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
            TLS_ECDHE_RSA_WITH_NULL_SHA
    *       TLS_ECDHE_RSA_WITH_RC4_128_SHA
    *       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    *       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
            TLS_ECDH_ECDSA_WITH_NULL_SHA
    *       TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    *       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    *       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    *       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
            TLS_ECDH_RSA_WITH_NULL_SHA
    *       TLS_ECDH_RSA_WITH_RC4_128_SHA
            TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
            TLS_ECDH_anon_WITH_AES_128_CBC_SHA
            TLS_ECDH_anon_WITH_AES_256_CBC_SHA
            TLS_ECDH_anon_WITH_NULL_SHA
            TLS_ECDH_anon_WITH_RC4_128_SHA
    *       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
            TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
            TLS_KRB5_EXPORT_WITH_RC4_40_MD5
            TLS_KRB5_EXPORT_WITH_RC4_40_SHA
            TLS_KRB5_WITH_3DES_EDE_CBC_MD5
            TLS_KRB5_WITH_3DES_EDE_CBC_SHA
            TLS_KRB5_WITH_DES_CBC_MD5
            TLS_KRB5_WITH_DES_CBC_SHA
            TLS_KRB5_WITH_RC4_128_MD5
            TLS_KRB5_WITH_RC4_128_SHA
    *       TLS_RSA_WITH_AES_128_CBC_SHA
    *       TLS_RSA_WITH_AES_128_CBC_SHA256
    *       TLS_RSA_WITH_AES_256_CBC_SHA
    *       TLS_RSA_WITH_AES_256_CBC_SHA256
            TLS_RSA_WITH_NULL_SHA256

The cipher suites offered by integration.swiggy.com are:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS   256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS   128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS   256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS   256

None of these are in the standard set of cipher suites provided by Java 7. However, the last 4 are added by the Unlimited Strength Jurisdiction Policy files.
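
The comparison the answer makes by hand can be run on the client JVM itself. This is an added example, not code from the original question or answer: the class name `CipherOverlapCheck` is hypothetical, and the server list is copied from the answer above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Hypothetical helper class (not from the original answer); compiles on Java 7.
public class CipherOverlapCheck {
    // Server-side suites, copied from the list in the answer above.
    static final List<String> SERVER_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");

    // Server suites that also appear in the given local suite list, in server order.
    static List<String> overlap(String[] localSuites) {
        Set<String> local = new HashSet<String>(Arrays.asList(localSuites));
        List<String> common = new ArrayList<String>();
        for (String suite : SERVER_SUITES) {
            if (local.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        // 128 with the limited policy files; Integer.MAX_VALUE with the unlimited ones.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes < 256 ? " (limited policy, AES-256 suites unavailable)" : " (AES-256 allowed)"));

        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = overlap(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = overlap(ctx.getSupportedSSLParameters().getCipherSuites());
        System.out.println("Shared with server, enabled by default: " + enabled);
        System.out.println("Shared with server, supported:          " + supported);
        if (enabled.isEmpty()) {
            System.out.println("No common suite: expect a fatal handshake_failure alert.");
        }
    }
}
```

Run it with the same JRE that the failing client uses, before and after replacing the policy JARs. The SHA256 and SHA384 suites are TLS 1.2 suites, so a client whose ClientHello is TLSv1, as in the trace, will not offer them even when they are listed as supported.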