无法下载站点地图:SSLHandshakeException:收到致命警报:handshake_failure

Posted

技术标签:

【中文标题】无法下载站点地图:SSLHandshakeException:收到致命警报:handshake_failure【英文标题】:Cannot download sitemap: SSLHandshakeException: Received fatal alert: handshake_failure 【发布时间】:2018-08-03 04:19:04 【问题描述】:

我无法确定特定握手失败的原因。我无法连接到特定站点,也无法确定它失败的原因。它在我的一台服务器上运行,但在另一台服务器上运行。我的应用程序能够使用 SSL 成功连接到其他站点。我已经做了很多搜索,但没有运气。

堆栈跟踪

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
    at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:757)
    at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:706)
    at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:299)

-Djavax.net.debug=所有输出

22-Feb-2018 22:07:02.632 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
trustStore is: /etc/pki/java/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore

... a bunch of "adding as trusted cert" ...

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
pool-1-thread-2, setSoTimeout(15000) called
pool-1-thread-2, the previous server name in SNI (type=host_name (0), value=www.wta.org) was replaced with (type=host_name (0), value=www.wta.org)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1502523033 bytes =  53, 17, 44, 60, 223, 247, 43, 100, 70, 139, 96, 93, 171, 101, 44, 228, 62, 27, 106, 57, 23, 205, 135, 35, 20, 69, 197, 176 
Session ID:  
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:   0 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=www.wta.org]
***
[write] MD5 and SHA1 hashes:  len = 143
0000: 01 00 00 8B 03 03 5A 8F   AF 99 35 11 2C 3C DF F7  ......Z...5.,<..
0010: 2B 64 46 8B 60 5D AB 65   2C E4 3E 1B 6A 39 17 CD  +dF.`].e,.>.j9..
0020: 87 23 14 45 C5 B0 00 00   2C 00 3D 00 6B 00 6A 00  .#.E....,.=.k.j.
0030: 35 00 39 00 38 00 3C 00   67 00 40 00 2F 00 33 00  5.9.8.<.g.@./.3.
0040: 32 00 9D 00 9F 00 A3 00   9C 00 9E 00 A2 00 0A 00  2...............
0050: 16 00 13 00 FF 01 00 00   36 00 0D 00 1E 00 1C 06  ........6.......
0060: 03 06 01 05 03 05 01 04   03 04 01 04 02 03 03 03  ................
0070: 01 03 02 02 03 02 01 02   02 01 01 00 00 00 10 00  ................
0080: 0E 00 00 0B 77 77 77 2E   77 74 61 2E 6F 72 67     ....www.wta.org
pool-1-thread-2, WRITE: TLSv1.2 Handshake, length = 143
[Raw write]: length = 148
0000: 16 03 03 00 8F 01 00 00   8B 03 03 5A 8F AF 99 35  ...........Z...5
0010: 11 2C 3C DF F7 2B 64 46   8B 60 5D AB 65 2C E4 3E  .,<..+dF.`].e,.>
0020: 1B 6A 39 17 CD 87 23 14   45 C5 B0 00 00 2C 00 3D  .j9...#.E....,.=
0030: 00 6B 00 6A 00 35 00 39   00 38 00 3C 00 67 00 40  .k.j.5.9.8.<.g.@
0040: 00 2F 00 33 00 32 00 9D   00 9F 00 A3 00 9C 00 9E  ./.3.2..........
0050: 00 A2 00 0A 00 16 00 13   00 FF 01 00 00 36 00 0D  .............6..
0060: 00 1E 00 1C 06 03 06 01   05 03 05 01 04 03 04 01  ................
0070: 04 02 03 03 03 01 03 02   02 03 02 01 02 02 01 01  ................
0080: 00 00 00 10 00 0E 00 00   0B 77 77 77 2E 77 74 61  .........www.wta
0090: 2E 6F 72 67                                        .org
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
pool-1-thread-2, READ: TLSv1.2 Alert, length = 2
pool-1-thread-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure
pool-1-thread-2, called closeSocket()
pool-1-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
pool-1-thread-2, called close()
pool-1-thread-2, called closeInternal(true)

申请详情

我的应用程序在 Java 8 和 Tomcat 8.5 上。我的操作系统是 Fedora 24。我正在使用 Jsoup 尝试下载 http://www.wta.org/sitemap.xml.gz,但收到握手失败。我可以连接到其他使用 SSL 的网站。

我的尝试

    我已尝试将 cacerts 文件从工作服务器复制到故障服务器。 我已尝试安装 Java Cryptography Extension (JCE) Unlimited Strength:http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html 我试图读取来自 -Djavax.net.debug=all 的输出,但其中大部分内容超出了我的范围。

大部分想法来自这篇文章:Received fatal alert: handshake_failure through SSLHandshakeException

更新: 我认为他们最终修复了 SSL 证书,因为事情只是神奇地开始工作而没有任何变化。

【问题讨论】:

Java 通常会告诉你什么时候没有找到共同的密码套件。我认为问题更可能是服务器期待SSLvHello 而不是TLSv1.2-hello。尝试调整您的客户端,使其支持以下协议:TLSv1.2, SSLv2Hello。 (请注意,SSLv2Hello不是一个旧的、易受攻击的协议...它只允许与仅 TLS 握手不兼容的旧式握手。) @ChristopherSchultz Java 只能告诉您服务器所说的内容。今天很少有服务器甚至接受 SSL2 hello,我无法相信任何需要它。该服务器清楚地响应了 TLS1.2 格式警报(请参阅 15 03 03 00 02 / 02 28),这使得这种可能性更小,并且与答案中的openssl s_client 或 SSLLabs 进行检查证明它确实接受 TLS1.2。 【参考方案1】:

在SSL Labs 上测试网站时,我们会看到允许使用哪些密码套件。不幸的是,它们都不在您的客户端发送的密码套件数组中([TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_...)。

事实上,服务器只接受来自高加密前向保密列表的套件(出于安全原因,这是推荐的)。

您确定您正确安装了 Unlimited Strength jar 文件(在 $JAVA_HOME\jre\lib\security 中)并重新启动了您的 tomcat 吗? [这里$JAVA_HOME是tomcat使用的]

这应该允许加密套件,例如 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,它们被标记为不可用,但从 unrestricted set 传递

【讨论】:

我有信心将它安装在正确的位置。当我启动 tomcat 时,它会写入 Using JRE_HOME: /usr/lib/jvm/java-openjdk。在/usr/lib/jvm/java-openjdk/jre/lib/security 中,我对原始local_policy.jar 和US_export_policy.jar 进行了备份,然后将文件替换为JCE ones。会不会是因为 JCE 是 oracle JDK 而我已经打开了 JDK java?似乎不太可能成为问题,但我想我应该问一下。 是的。尽管有人说您无需做任何事情来运行这些密码(eyrie.org/~eagle/notes/debian/jce-policy.html),但我自己并没有尝试。与此同时,这似乎证实了这一点(hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/e164409e5948)。使用 Java 9,它不再不受限制,它应该可以工作于您选择的任何实现。帮不上忙,今天就不调试openjdk了。 客户端发送了几个 AES256 套件,证明无限制策略不是问题,实际上 OpenJDK 从不 需要无限制策略开始。 (Oracle 8u161+, 9, 10 也没有。)服务器需要而这个客户端不提供的是 elliptic-curve keyexchange (ECDHE_ECDSA),而 j8 应该去做。 @derfsubterfuge:您使用 Fedora 进行报告。确保您是最新的。直到大约 2 年前,RedHat 从他们的软件包中删除所有 EC 加密,显然是因为担心 Certicom 的专利。

以上是关于无法下载站点地图:SSLHandshakeException:收到致命警报:handshake_failure的主要内容,如果未能解决你的问题,请参考以下文章

如何修复站点地图错误?

在 Heroku 中构建可下载的站点地图 zip 文件

无法访问放置在根文件夹中的 yii2 项目中的站点地图

广州高清卫星地图 用百度卫星地图server下载 含标签道路数据叠加 可商用

Gatsby 站点地图:GraphQLError:语法错误:预期名称,找到 <EOF>

从站点地图和数据库填充 ASP.NET 菜单