如何解决收到致命警报:SSLHandshakeException导致握手失败
|| 授权SSL连接有问题。我已经创建了Struts Action,它使用客户端授权的SSL证书连接到外部服务器。在我的操作中,我尝试将一些数据发送到银行服务器,但是没有任何运气,因为由于服务器的原因,我出现以下错误:error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我的Action类中的My Method将数据发送到服务器
//Getting external IP from host
URL whatismyip = new URL(\"http://automation.whatismyip.com/n09230945.asp\");
BufferedReader inIP = new BufferedReader(new InputStreamReader(whatismyip.openStream()));
String IPStr = inIP.readLine(); //IP as a String
Merchant merchant;
System.out.println(\"amount: \" + amount + \",currency: \" + currency + \",clientIp: \" + IPStr + \",description: \" + description);
try {
merchant = new Merchant(context.getRealPath(\"/\") + \"merchant.properties\");
} catch (ConfigurationException e) {
Logger.getLogger(HomeAction.class.getName()).log(Level.INFO,\"message\",e);
System.err.println(\"error: \" + e.getMessage());
return ERROR;
}
String result = merchant.sendTransData(amount,currency,IPStr,description);
System.out.println(\"result: \" + result);
return SUCCESS;
我的merchant.properties文件:
bank.server.url=https://-servernameandport-/
https.cipher=-cipher-
keystore.file=-key-.jks
keystore.type=JKS
keystore.password=-password-
ecomm.server.version=2.0
encoding.source=UTF-8
encoding.native=UTF-8
我第一次以为这是证书问题,我将其从.pfx转换为.jks,但我遇到了相同的错误,没有任何更改。
解决方法
握手失败可能是由于多种原因引起的:
客户端和服务器使用的密码套件不兼容。这将要求客户端使用(或启用)服务器支持的密码套件。
正在使用不兼容的SSL版本(服务器可能仅接受TLS v1,而客户端只能使用SSL v3)。同样,客户端可能必须确保使用兼容版本的SSL / TLS协议。
服务器证书的信任路径不完整;客户端可能不信任服务器的证书。这通常会导致更冗长的错误,但是很有可能。通常,解决方法是将服务器的CA证书导入到客户端的信任库中。
证书是针对其他域发布的。再次,这将导致出现更详细的消息,但是如果这是原因,我将在此处进行说明。在这种情况下,解决方案将是使服务器(似乎不是您的服务器)使用正确的证书。
由于无法确定潜在的故障,因此最好打开“ 3”标志以启用对已建立的SSL连接的调试。启用调试后,您可以查明握手中的哪些活动失败。
更新资料
根据现在可用的详细信息,看来该问题是由于颁发给服务器的证书和根CA之间的证书信任路径不完整所致。在大多数情况下,这是因为信任存储中不存在根CA的证书,导致无法存在证书信任路径的情况。证书基本上不受客户端信任。浏览器可以发出警告,以便用户可以忽略此警告,但是SSL客户端(例如HttpsURLConnection类或任何HTTP客户端库(例如Apache HttpComponents Client))并非如此。
这些客户端类/库中的大多数都将依赖JVM使用的信任库来进行证书验证。在大多数情况下,这是JRE_HOME / lib / security目录中的“ 4”文件。如果信任库的位置已使用JVM系统属性“ 5”指定,则该路径中的库通常是客户机库使用的库。如果您有疑问,请查看您的
Merchant
类,并找出用于建立连接的类/库。
将服务器的证书颁发机构CA添加到此信任存储区应该可以解决此问题。您可以在有关为此目的获取工具的相关问题上参考我的回答,但是Java keytool实用程序足以满足此目的。
警告:信任库实质上是您信任的所有CA的列表。如果您输入的证书不属于您不信任的CA,则如果私钥可用,则可以解密到具有由该实体颁发的证书的站点的SSL / TLS连接。
更新#2:了解JSSE跟踪的输出
JVM所使用的密钥库和信任库通常在一开始就列出,如下所示:
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\\Java\\jdk1.6.0_21\\jre\\lib\\security\\cacerts
trustStore type is : jks
trustStore provider is :
如果使用了错误的信任库,则需要将服务器的证书重新导入到正确的证书中,或者将服务器重新配置为使用列出的证书(如果您有多个JVM,并且所有JVM都不建议使用,则不建议使用用于不同的需求)。
如果要验证信任证书列表中是否包含必需的证书,则有一个相同的部分,其开头为:
adding as trusted cert:
Subject: CN=blah,O=blah,C=blah
Issuer: CN=biggerblah,O=biggerblah,C=biggerblah
Algorithm: RSA; Serial number: yadda
Valid from SomeDate until SomeDate
您需要查找服务器的CA是否为主题。
握手过程中将有几个显着的条目(您需要了解SSL才能详细了解它们,但是出于调试当前问题的目的,知道在ServerHello中通常报告出handshake_failure就足够了。
1. ClientHello
初始化连接时,将报告一系列条目。客户端在SSL / TLS连接设置中发送的第一条消息是ClientHello消息,通常在日志中报告为:
*** ClientHello,TLSv1
RandomCookie: GMT: 1291302508 bytes = { some byte array }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
请注意使用的密码套件。这可能必须与商人。属性文件中的条目一致,因为银行的库可能采用相同的约定。如果使用的约定不同,则无需担心,因为如果密码套件不兼容,ServerHello会声明。
2. ServerHello
服务器以ServerHello响应,这将指示连接设置是否可以继续。日志中的条目通常为以下类型:
*** ServerHello,TLSv1
RandomCookie: GMT: 1291302499 bytes = { some byte array}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
***
注意它选择的密码套件;这是服务器和客户端均可使用的最佳套件。如果出现错误,通常不指定密码套件。服务器的证书(以及可选的整个链)是由服务器发送的,可以在以下条目中找到:
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=server,O=server\'s org,L=server\'s location,ST =Server\'s state,C=Server\'s country
Signature Algorithm: SHA1withRSA,OID = some identifer
.... the rest of the certificate
***
如果证书验证成功,您将找到类似于以下内容的条目:
Found trusted certificate:
[
[
Version: V1
Subject: OU=Server\'s CA,O=\"Server\'s CA\'s company name\",C=CA\'s country
Signature Algorithm: SHA1withRSA,OID = some identifier
上述步骤之一将不会成功,从而导致handshake_failure,因为握手通常在此阶段完成(不是真的,但是握手的后续阶段通常不会导致握手失败)。您需要弄清楚哪个步骤失败了,并发布相应的消息作为问题的更新(除非您已经理解了该消息,并且知道如何解决)。
,安装Java密码术扩展(JCE)无限强度(对于JDK7 |对于JDK8)可能会解决此错误。解压缩文件并按照自述文件进行安装。
, 当客户端需要出示证书时,也会发生这种情况。服务器列出证书链后,可能会发生以下情况:
3.证书申请
服务器将从客户端发出证书请求。该请求将列出服务器接受的所有证书。
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
<CN=blah,OU=blah,L=blah,ST=blah,C=blah>
<CN=yadda,DC=yadda,DC=yadda>
<CN=moreblah,OU=moreblah,O=moreblah,C=moreblah>
<CN=moreyada,OU=moreyada,O=moreyada,C=moreyada>
... the rest of the request
*** ServerHelloDone
4.客户证书链
这是客户端发送到服务器的证书。
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=client\'s email,CN=client,OU=client\'s ou,O=client\'s Org,L=client\'s location,ST=client\'s state,C=client\'s Country
Signature Algorithm: SHA1withRSA,OID = 1.2.840.113549.1.1.5
... the rest of the certificate
*** ClientKeyExchange,RSA PreMasterSecret,TLSv1
... key exchange info
如果链中没有证书,并且服务器需要证书,那么您将在此处收到握手错误。可能的原因是找不到证书的路径。
5.证书验证
客户端要求服务器验证证书
*** CertificateVerify
... payload of verify check
仅当您发送证书时,此步骤才会发生。
6.完成
服务器将以验证响应进行响应
*** Finished
verify_data: { 345,... }
, 我不认为这可以解决第一个提问者的问题,但对于来这里寻求答案的Google员工来说:
在更新51中,默认情况下,默认情况下,Java 1.8禁止[1] RC4密码,如我们在“发行说明”页面上所见:
错误修正:禁止RC4密码套件
RC4现在被认为是泄露的密码。
在Oracle JSSE实现中,已从客户端和服务器默认启用的密码套件列表中删除了RC4密码套件。仍可以通过SSLEngine.setEnabledCipherSuites()
和SSLSocket.setEnabledCipherSuites()
方法启用这些密码套件。参见JDK-8077109(非公开)。
如果您的服务器强烈希望使用此密码(或仅使用此密码),则这会在Java上触发“ trigger19”。
您可以测试连接到启用RC4密码的服务器的方式(首先,尝试不带enabled
参数,以查看是否触发了handshake_failure
,然后设置enabled
:
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;
import java.util.Arrays;
/** Establish a SSL connection to a host and port,writes a byte and
* prints the response. See
* http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
*/
public class SSLRC4Poke {
public static void main(String[] args) {
String[] cyphers;
if (args.length < 2) {
System.out.println(\"Usage: \"+SSLRC4Poke.class.getName()+\" <host> <port> enable\");
System.exit(1);
}
try {
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0],Integer.parseInt(args[1]));
cyphers = sslsocketfactory.getSupportedCipherSuites();
if (args.length ==3){
sslsocket.setEnabledCipherSuites(new String[]{
\"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5\",\"SSL_DH_anon_WITH_RC4_128_MD5\",\"SSL_RSA_EXPORT_WITH_RC4_40_MD5\",\"SSL_RSA_WITH_RC4_128_MD5\",\"SSL_RSA_WITH_RC4_128_SHA\",\"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA\",\"TLS_ECDHE_RSA_WITH_RC4_128_SHA\",\"TLS_ECDH_ECDSA_WITH_RC4_128_SHA\",\"TLS_ECDH_RSA_WITH_RC4_128_SHA\",\"TLS_ECDH_anon_WITH_RC4_128_SHA\",\"TLS_KRB5_EXPORT_WITH_RC4_40_MD5\",\"TLS_KRB5_EXPORT_WITH_RC4_40_SHA\",\"TLS_KRB5_WITH_RC4_128_MD5\",\"TLS_KRB5_WITH_RC4_128_SHA\"
});
}
InputStream in = sslsocket.getInputStream();
OutputStream out = sslsocket.getOutputStream();
// Write a test byte to get a reaction :)
out.write(1);
while (in.available() > 0) {
System.out.print(in.read());
}
System.out.println(\"Successfully connected\");
} catch (Exception exception) {
exception.printStackTrace();
}
}
}
1-https://www.java.com/en/download/faq/release_changes.xml
, 握手失败可能是错误的TLSv1协议实现。
在我们的案例中,这对Java 7有所帮助:
java -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
jvm将以此顺序协商。具有最新更新的服务器将执行1.2,有问题的服务器将降至v1,并且可与Java 7中的类似v1一起使用。
, 尝试使用JDK 1.7时出现此错误。
当我将JDK升级到jdk1.8.0_66时,一切都开始正常工作。
因此,解决此问题的最简单方法可能是-升级JDK,它可能会开始正常工作。
, 假设您使用的是正确的SSL / TLS协议,正确配置了keyStore
和trustStore
,并确认证书本身不存在任何问题,则可能需要增强安全算法。
如Vineet的回答中所述,收到此错误的一个可能原因是由于使用了不兼容的密码套件。通过使用Java密码学扩展(JCE)中提供的更新了JDK的security
文件夹中的local_policy
和US_export_policy
jars,我能够成功完成握手。
, 在我的情况下,证书被导入,错误仍然存在,通过在连接前加ѭ30来解决此问题
, 今天,我在OkHttp客户端上遇到相同的问题,以获取基于https的url。这是由Https协议版本和服务器端与客户端之间的Cipher方法不匹配引起的。
1)检查您的网站https协议版本和密码方法。
openssl>s_client -connect your_website.com:443 -showcerts
您将获得许多详细信息,关键信息如下:
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
2)配置您的http客户端,例如,在OkHttp客户端的情况下:
@Test()
public void testHttpsByOkHttp() {
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_0) //protocol version
.cipherSuites(
CipherSuite.TLS_RSA_WITH_RC4_128_SHA,//cipher method
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
.build();
OkHttpClient client = new OkHttpClient();
client.setConnectionSpecs(Collections.singletonList(spec));
Request request = new Request.Builder().url(\"https://your_website.com/\").build();
try {
Response response = client.newCall(request).execute();
if(response.isSuccessful()){
logger.debug(\"result= {}\",response.body().string());
}
} catch (IOException e) {
e.printStackTrace();
}
}
这将得到我们想要的。
, 我发现一个HTTPS服务器以这种方式失败,如果我的Java客户端进程配置了
-Djsse.enableSNIExtension=false
在成功完成ServerHello
之后但未开始数据流之前,with19 connection连接失败。
没有明确的错误消息可以确定问题所在,该错误看起来像
main,READ: TLSv1.2 Alert,length = 2
main,RECV TLSv1.2 ALERT: fatal,handshake_failure
%% Invalidated: [Session-3,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main,called closeSocket()
main,handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我通过尝试使用和不使用\“-Djsse.enableSNIExtension=false
\”选项来隔离问题
, 我的版本不兼容,版本为39。
以前是40英镑,我改成了41英镑,这解决了我的问题。
, 我正在使用com.google.api http客户端。当我与公司内部网站通信时,我错误地使用https而不是http时遇到了此问题。
main,handshake_failure
main,handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main,IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main,called close()
main,called closeInternal(true)
262 [main] DEBUG org.apache.http.impl.conn.DefaultClientConnection - Connection shut down
main,called closeInternal(true)
263 [main] DEBUG org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager - Released connection is not reusable.
263 [main] DEBUG org.apache.http.impl.conn.tsccm.ConnPoolByRoute - Releasing connection [HttpRoute[{s}->https://<I-replaced>]][null]
263 [main] DEBUG org.apache.http.impl.conn.tsccm.ConnPoolByRoute - Notifying no-one,there are no waiting threads
Exception in thread \"main\" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at com.google.api.client.http.apache.ApacheHttpRequest.execute(ApacheHttpRequest.java:67)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:960)
, 我有一个类似的问题;升级到Apache HTTPClient 4.5.3修复了该问题。
, gg!对我来说,这简直就是Java版本的问题。我使用JRE 1.6遇到握手错误,而使用JRE 1.8.0_144则一切正常。
,免责声明:我不知道答案是否会对很多人有用,只是分享,因为它可能会。
使用Parasoft SOATest发送请求XML(SOAP)时出现此错误。
问题是添加证书并对其进行身份验证后,我从下拉列表中选择了错误的别名。
, 就我而言,该网站只能使用TLSv1.2。我使用apache httpclient 4.5.6,我使用以下代码并安装jce来解决此问题(JDK1.7):
杰西
jdk7 http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
jdk 8 http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
码:
SSLContext sslContext = SSLContext.getDefault();
SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(
sslContext,new String[]{\"TLSv1.2\"},// important
null,NoopHostnameVerifier.INSTANCE);
Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
.register(\"https\",sslConnectionFactory)
.register(\"http\",PlainConnectionSocketFactory.INSTANCE)
.build();
HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);
httpclient = HttpClientBuilder.create().
.setSSLSocketFactory(sslConnectionFactory)
.setConnectionManager(ccm)
.build();
, 从开发人员(项目1)和系统管理员(项目2和3)的角度进行故障排除:
通过-Djavax.net.debug=ssl:handshake:verbose
在Java上启用SSL握手调试。
如果您在以下步骤中运行时在密码中发现Unknown value
,则通过sudo apt install ssldump
在服务器上安装ssldump或通过此链接从源代码进行编译。
在服务器上,sudo ssldump -k <your-private-key> -i <your-network-interface>
检查有关失败的真正原因的日志。
ssldump日志无法正常握手的示例:
New TCP connection #1: 10.1.68.86(45308) <-> 10.1.68.83(5671)
1 1 0.0111 (0.0111) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
1 2 0.0122 (0.0011) S>C Alert
level fatal
value insufficient_security
1 0.0126 (0.0004) S>C TCP RST
ssldump日志成功握手的示例
New TCP connection #1: 10.1.68.86(56558) <-> 10.1.68.83(8443)
1 1 0.0009 (0.0009) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Unknown value 0xcca9
Unknown value 0xcca8
Unknown value 0xccaa
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
1 2 0.0115 (0.0106) S>C Handshake
ServerHello
Version 3.3
session_id[0]=
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
compressionMethod NULL
1 3 0.0115 (0.0000) S>C Handshake
Certificate
1 4 0.0115 (0.0000) S>C Handshake
ServerKeyExchange
Not enough data. Found 294 bytes (expecting 32767)
1 5 0.0115 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.0141 (0.0025) C>S Handshake
ClientKeyExchange
Not enough data. Found 31 bytes (expecting 16384)
1 7 0.0141 (0.0000) C>S ChangeCipherSpec
1 8 0.0141 (0.0000) C>S Handshake
1 9 0.0149 (0.0008) S>C Handshake
1 10 0.0149 (0.0000) S>C ChangeCipherSpec
1 11 0.0149 (0.0000) S>C Handshake
Java日志无法正常运行的示例
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.778 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.779 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.779 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.780 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.780 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.780 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.781 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.781 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.781 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.782 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.782 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.782 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.782 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.783 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.783 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.783 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.783 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.783 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: T LS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLS11
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.784 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.785 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLS10 javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.786 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLS10
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.787 MYT|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLS10
javax.net.ssl|WARNING|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.818 MYT|SignatureScheme.java:282|Signature algorithm,ed25519,is not supported by the underlying providers
javax.net.ssl|WARNING|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.818 MYT|SignatureScheme.java:282|Signature algorithm,ed448,is not supported by the underlying providers
javax.net.ssl|ALL|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.822 MYT|SignatureScheme.java:358|Ignore disabled signature sheme: rsa_md5
javax.net.ssl|INFO|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.822 MYT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.823 MYT|SSLExtensions.java:256|Ignore,context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.823 MYT|SSLExtensions.java:256|Ignore,context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.825 MYT|ClientHello.java:651|Produced ClientHello handshake message (
\"ClientHello\": {
\"client version\" : \"TLSv1.2\",\"random\" : \"FB BC CD 7C 17 65 86 49 3E 1C 15 37 24 94 7D E7 60 44 1B B8 F4 18 21 D0 E1 B1 31 0D E1 80 D6 A7\",\"session id\" : \"\",\"cipher suites\" : \"[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E),TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032),TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D),TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031),TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D),TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026),TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A),TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),TLS_RSA_WITH_AES_256_CBC_SHA(0x0035),TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005),TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F),TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C),TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025),TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029),TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004),TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E),TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]\",\"compression methods\" : \"00\",\"extensions\" : [
\"server_name (0)\": {
type=host_name (0),value=mq.tpc-ohcis.moh.gov.my
},\"status_request (5)\": {
\"certificate status type\": ocsp
\"OCSP status request\": {
\"responder_id\": <empty>
\"request extensions\": {
<empty>
}
}
},\"supported_groups (10)\": {
\"versions\": [secp256r1,secp384r1,secp521r1,sect283k1,sect283r1,sect409k1,sect409r1,sect571k1,sect571r1,secp256k1,ffdhe2048,ffdhe3072,ffdhe4096,ffdhe6144,ffdhe8192]
},\"ec_point_formats (11)\": {
\"formats\": [uncompressed]
},\"signature_algorithms (13)\": {
\"signature schemes\": [ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384,ecdsa_secp512r1_sha512,rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512,rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha512,dsa_sha256,ecdsa_sha224,rsa_sha224,dsa_sha224,ecdsa_sha1,rsa_pkcs1_sha1,dsa_sha1]
},\"signature_algorithms_cert (50)\": {
\"signature schemes\": [ecdsa_secp256r1_sha256,\"status_request_v2 (17)\": {
\"cert status request\": {
\"certificate status type\": ocsp_multi
\"OCSP status request\": {
\"responder_id\": <empty>
\"request extensions\": {
<empty>
}
} }
},\"extended_master_secret (23)\": {
<empty>
},\"supported_versions (43)\": {
\"versions\": [TLSv1.2,TLSv1]
}
]
}
)
javax.net.ssl|DEBUG|43|SimpleAsyncTaskExecutor-1|2019-07-03 17:35:01.829 MYT|Alert.java:238|Received alert message (
\"Alert\": {
\"level\" : \"fatal\",\"description\": \"insufficient_security\"
}
)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。