Java 8 javax.net.ssl.SSLPeerUnverifiedException:peer未经过身份validation,但不是Java 7
将应用程序从Java 7切换到Java 8时出现问题。更改JDK后,我开始收到此SSLPeerUnverifiedexception。 改回Java7,也不例外。
我发现了这个问题: Java 7的SSL连接失败,这意味着这可能与服务器端问题有关。 我们的服务器确实在Ubuntu机器上运行,但它也在运行Java8(sun Java8)
不确定发布还有什么其他内容。 如果需要/有用,我可以提供代码示例。 我现在没有把它们包括在内,因为好像代码不是问题。
编辑 – 链接到我的SSLSocketFactory扩展: http : //pastebin.com/2j6HDHE7
Edit2 – Http客户端代码:
private HttpClient getHttpClient() throws GeneralSecurityException, IOException { final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(CommandChannel.class.getResourceAsStream("myKeystore"), "myPassword".toCharArray()); final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore); final SchemeRegistry registry = new SchemeRegistry(); registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory())); registry.register(new Scheme("https", 443, sslSocketFactory)); final HttpParams params = new BasicHttpParams(); HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params); paramsBean.setVersion(HttpVersion.HTTP_1_1); paramsBean.setContentCharset("UTF_8"); final ClientConnectionManager ccm = new BasicClientConnectionManager(registry); final DefaultHttpClient httpClient = new DefaultHttpClient(ccm, params); return httpClient; } 包括来自java8和java7的SSL调试信息。
Java 8 SSL调试跟踪:
%% No cached client session *** ClientHello, TLSv1.2 RandomCookie: GMT: 1389745002 bytes = { 220, 201, 110, 4, 38, 166, 25, 166, 235, 253, 71, 242, 226, 124, 22, 149, 28, 207, 242, 25, 201, 123, 218, 56, 207, 67, 195, 17 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA *** JavaFX Application Thread, WRITE: TLSv1.2 Handshake, length = 207 JavaFX Application Thread, received EOFException: error JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2 JavaFX Application Thread, called closeSocket() JavaFX Application Thread, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake JavaFX Application Thread, called close() JavaFX Application Thread, called closeInternal(true) JavaFX Application Thread, called close() JavaFX Application Thread, called closeInternal(true) 18:49:14,951 ERROR [logger] [LoginController] Error logging in due to: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated com.limebrokerage.portal.communication.command.CommandChannelException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Java 7 SSL调试跟踪相同位代码:
%% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1389746267 bytes = { 91, 88, 192, 29, 58, 48, 211, 105, 40, 40, 138, 204, 154, 113, 233, 213, 120, 99, 3, 223, 26, 233, 123, 150, 251, 245, 186, 246 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] *** JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 149 JavaFX Application Thread, READ: TLSv1 Handshake, length = 74 *** ServerHello, TLSv1 RandomCookie: GMT: 1389746267 bytes = { 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218 } Session ID: {83, 214, 216, 91, 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218} Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA Compression Method: 0 *** Warning: No renegotiation indication extension in ServerHello %% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA] ** TLS_RSA_WITH_AES_128_CBC_SHA JavaFX Application Thread, READ: TLSv1 Handshake, length = 1522 *** Certificate chain chain [0] = [ [ Version: V3
不确定答案,但评论太久了。
您真正的问题是hello上的服务器断开连接以及产生的SSLHandshakeException ; SSLPeerUnverifiedException是附带损害,因为握手未到达身份validation阶段。 明显的区别是Java 8正在发送TLSv1.2 ClientHello,其中Java 7发送了TLSv1。
Java 7实现了1.1和1.2,但默认情况下没有在客户端上启用它们; 8,请参阅https://bugs.openjdk.java.net/browse/JDK-7093640 。 正确编写的不支持1.2的服务器堆栈应该协商下降到1.1或1(.0),但是您的未识别服务器显然没有,或者可能是防火墙之间的某些东西搞乱了您的连接。 如果您拥有或获得OpenSSL,命令行openssl s_client将让您轻松尝试不同版本(以及密码和一些选项)以查看哪些function有效,哪些function无效。 或者您可以通过https://www.ssllabs.com/ssltest/进行jar装但相当彻底的测试。
错误条目说你可以设置sysprop jdk.tls.client.protocols ,这对我来说适用于8u05的最小SSLSocket(非HTTP)应用程序。 或者既然你已经在修改了SSLSocketFactory ,我希望你可以在你创建的套接字上做setEnabledProtocols 。
FWIW,当2012年3月OpenSSL 1.0.1发布时,“默默地”启用协议1.1和1.2(它在发行说明中很突出,但大约没有人阅读发行说明),支持列表得到了很多抱怨,我猜一百个服务器突然开始出现故障,崩溃或挂起,直到客户端恢复到1.0。 OpenSSL最终实现了一种解决方法,可以人为地减少或增加ClientHello中的一些数据,以避免最“挑衅”的大小; 我不知道JSSE是否做了或者可以做类似的事情。