JDK 1.6/1.7不支持TLS 1.2
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了JDK 1.6/1.7不支持TLS 1.2相关的知识,希望对你有一定的参考价值。
参考技术A 报错信息:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureJava 8支持TLS 1.2, JDK1.6和1.7会https报错,解决方案:
1,将证书导入Java的cacerts证书库(无效):
C:\Program Files\Java\jdk1.6.0_45\bin>keytool -import -file D:\RolePlayCHNUAT2020.cer -alias RolePlayCHNUAT2020.cer -storepass changeit -keystore "C:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts"
2,更新JDK内jar包,旧版本安全机制问题:
jdk 6 https://www.oracle.com/java/technologies/jce-6-download.html
jdk 7 http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
jdk 8 http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
3,升级JDK1.8,先实现验证方法
后调用:
jdk1.6 支持 tls1.2协议 并忽略身份验证
jdk1.6不支持tls1.2协议,jdk1.8默认支持,比较好的解决方案是升级jdk,但是升级jdk风险极大。不能升级jdk的情况下,可以使用如下方式。
引入依赖
<dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> <version>1.54</version> </dependency>
创建协议工厂
import java.io.*; import java.net.UnknownHostException; import java.security.*; import java.security.cert.*; import java.util.*; import javax.net.ssl.*; import javax.security.cert.X509Certificate; import org.bouncycastle.crypto.tls.*; import org.bouncycastle.jce.provider.BouncyCastleProvider; public class TLSSocketConnectionFactory extends SSLSocketFactory { static { if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); } } @Override public Socket createSocket(Socket socket, final String host, int port, boolean arg3) throws IOException { if (socket == null) { socket = new Socket(); } if (!socket.isConnected()) { socket.connect(new InetSocketAddress(host, port)); } final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom()); return _createSSLSocket(host, tlsClientProtocol); } @Override public String[] getDefaultCipherSuites() { return null; } @Override public String[] getSupportedCipherSuites() { return null; } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { throw new UnsupportedOperationException(); } @Override public Socket createSocket(InetAddress host, int port) throws IOException { throw new UnsupportedOperationException(); } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { throw new UnsupportedOperationException(); } private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) { return new SSLSocket() { private java.security.cert.Certificate[] peertCerts; @Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); } @Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); } @Override public synchronized void close() throws IOException { tlsClientProtocol.close(); } @Override public void addHandshakeCompletedListener( HandshakeCompletedListener arg0) { } @Override public boolean getEnableSessionCreation() { return false; } @Override public String[] getEnabledCipherSuites() { return null; } @Override public String[] getEnabledProtocols() { return null; } @Override public boolean getNeedClientAuth() { return false; } @Override public SSLSession getSession() { return new SSLSession() { @Override public int getApplicationBufferSize() { return 0; } @Override public String getCipherSuite() { throw new UnsupportedOperationException(); } @Override public long getCreationTime() { throw new UnsupportedOperationException(); } @Override public byte[] getId() { throw new UnsupportedOperationException(); } @Override public long getLastAccessedTime() { throw new UnsupportedOperationException(); } @Override public java.security.cert.Certificate[] getLocalCertificates() { throw new UnsupportedOperationException(); } @Override public Principal getLocalPrincipal() { throw new UnsupportedOperationException(); } @Override public int getPacketBufferSize() { throw new UnsupportedOperationException(); } @Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; } @Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; } @Override public String getPeerHost() { throw new UnsupportedOperationException(); } @Override public int getPeerPort() { return 0; } @Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; } @Override public String getProtocol() { throw new UnsupportedOperationException(); } @Override public SSLSessionContext getSessionContext() { throw new UnsupportedOperationException(); } @Override public Object getValue(String arg0) { throw new UnsupportedOperationException(); } @Override public String[] getValueNames() { throw new UnsupportedOperationException(); } @Override public void invalidate() { throw new UnsupportedOperationException(); } @Override public boolean isValid() { throw new UnsupportedOperationException(); } @Override public void putValue(String arg0, Object arg1) { throw new UnsupportedOperationException(); } @Override public void removeValue(String arg0) { throw new UnsupportedOperationException(); } }; } @Override public String[] getSupportedProtocols() { return null; } @Override public boolean getUseClientMode() { return false; } @Override public boolean getWantClientAuth() { return false; } @Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { } @Override public void setEnableSessionCreation(boolean arg0) { } @Override public void setEnabledCipherSuites(String[] arg0) { } @Override public void setEnabledProtocols(String[] arg0) { } @Override public void setNeedClientAuth(boolean arg0) { } @Override public void setUseClientMode(boolean arg0) { } @Override public void setWantClientAuth(boolean arg0) { } @Override public String[] getSupportedCipherSuites() { return null; } @Override public void startHandshake() throws IOException { tlsClientProtocol.connect(new DefaultTlsClient() { @SuppressWarnings("unchecked") @Override public Hashtable<Integer, byte[]> getClientExtensions() throws IOException { Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions(); if (clientExtensions == null) { clientExtensions = new Hashtable<Integer, byte[]>(); } //Add host_name byte[] host_name = host.getBytes(); final ByteArrayOutputStream baos = new ByteArrayOutputStream(); final DataOutputStream dos = new DataOutputStream(baos); dos.writeShort(host_name.length + 3); dos.writeByte(0); dos.writeShort(host_name.length); dos.write(host_name); dos.close(); clientExtensions.put(ExtensionType.server_name, baos.toByteArray()); return clientExtensions; } @Override public TlsAuthentication getAuthentication() throws IOException { return new TlsAuthentication() { @Override public void notifyServerCertificate(Certificate serverCertificate) throws IOException { try { KeyStore ks = _loadKeyStore(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>(); boolean trustedCertificate = false; for ( org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) { java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())); certs.add(cert); String alias = ks.getCertificateAlias(cert); if(alias != null) { if (cert instanceof java.security.cert.X509Certificate) { try { ( (java.security.cert.X509Certificate) cert).checkValidity(); trustedCertificate = true; } catch(CertificateExpiredException cee) { // Accept all the certs! } } } else { // Accept all the certs! } } if (!trustedCertificate) { // Accept all the certs! } peertCerts = certs.toArray(new java.security.cert.Certificate[0]); } catch (Exception ex) { ex.printStackTrace(); throw new IOException(ex); } } @Override public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException { return null; } private KeyStore _loadKeyStore() throws Exception { FileInputStream trustStoreFis = null; try { KeyStore localKeyStore = null; String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType")!=null?System.getProperty("javax.net.ssl.trustStoreType"):KeyStore.getDefaultType(); String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider")!=null?System.getProperty("javax.net.ssl.trustStoreProvider"):""; if (trustStoreType.length() != 0) { if (trustStoreProvider.length() == 0) { localKeyStore = KeyStore.getInstance(trustStoreType); } else { localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider); } char[] keyStorePass = null; String str5 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):""; if (str5.length() != 0) { keyStorePass = str5.toCharArray(); } localKeyStore.load(trustStoreFis, keyStorePass); if (keyStorePass != null) { for (int i = 0; i < keyStorePass.length; i++) { keyStorePass[i] = 0; } } } return localKeyStore; } finally { if (trustStoreFis != null) { trustStoreFis.close(); } } } }; } }); } // startHandshake }; } }
import org.apache.http.Consts; import javax.net.ssl.HttpsURLConnection; import java.io.*; import java.net.URL; public class HttpsUtils { /** * content-type类型为xml方式发送post请求 * * @param urlPath * @param data * @param charSet * @return */ public static String postXml(String urlPath, String data, String charSet) { String result = httpPostData(urlPath, data, charSet, null, "application/xml", "application/xml"); return result; } private static String httpPostData(String urlPath, String data, String charSet, String[] header, String contentType, String accpect) { String result = null; URL url = null; HttpsURLConnection httpurlconnection = null; OutputStreamWriter out = null; BufferedReader reader = null; try { url = new URL(urlPath); httpurlconnection = (HttpsURLConnection) url.openConnection(); httpurlconnection.setSSLSocketFactory(new TSLSocketConnectionFactory()); httpurlconnection.setDoInput(true); httpurlconnection.setDoOutput(true); if (header != null) { for (int i = 0; i < header.length; i++) { String[] content = header[i].split(":"); httpurlconnection.setRequestProperty(content[0], content[1]); } } httpurlconnection.setRequestMethod("POST"); httpurlconnection.setRequestProperty("Content-Type", contentType); if (null != accpect) { httpurlconnection.setRequestProperty("Accpect", accpect); } httpurlconnection.connect(); out = new OutputStreamWriter(httpurlconnection.getOutputStream(), charSet); // utf-8编码 out.append(data); out.flush(); out.close(); int code = httpurlconnection.getResponseCode(); if (code == 200) { // 读取响应 int length = (int) httpurlconnection.getContentLength();// 获取长度 InputStream is = httpurlconnection.getInputStream(); reader = new BufferedReader(new InputStreamReader(is)); String line = reader.readLine(); StringBuilder builder = new StringBuilder(); while (line != null) { builder.append(line); line = reader.readLine(); } result = builder.toString(); } else { // TODO } } catch (Exception e) { // TODO } finally { url = null; if (httpurlconnection != null) { httpurlconnection.disconnect(); } try { if (out != null) { out.close(); } if (reader != null) { reader.close(); } } catch (IOException e) { // TODO } } return result; } public static void main(String[] args) throws Exception { String dtdXml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE cXML SYSTEM \"http://xml.cxml.org/schemas/cXML/1.2.014/cXML.dtd\"><cXML timestamp=\"2017-01-19T19:56:30\" payloadID=\"bac4b4a82e3342da919c7b427ee0fef2\"><Header><From><Credential domain=\"NetworkID\"><Identity>JDVEP4DIDI</Identity></Credential></From><To><Credential domain=\"NetworkID\"><Identity>Didipur</Identity></Credential></To><Sender><Credential domain=\"NetworkID\"><Identity>JDVEP4DIDI</Identity><SharedSecret>OGNmNGM3OGYtNWJhYi00ZTUwLTk0YTYtODAwZDVmYTU4NjMx</SharedSecret></Credential><UserAgent>JD VEP</UserAgent></Sender></Header><Message><PunchOutOrderMessage><BuyerCookie>3e3e68a280f45796cc24e59573e88ef7</BuyerCookie><PunchOutOrderMessageHeader operationAllowed=\"edit\"><Total><Money currency=\"CNY\">102.00</Money></Total><Shipping><Money currency=\"CNY\">0.00</Money><Description xml:lang=\"zh-CN\">运费</Description></Shipping></PunchOutOrderMessageHeader><ItemIn quantity=\"1\"><ItemID><SupplierPartID>102196</SupplierPartID><SupplierPartAuxiliaryID>46666778472</SupplierPartAuxiliaryID></ItemID><ItemDetail><UnitPrice><Money currency=\"CNY\">102.00</Money></UnitPrice><Description xml:lang=\"zh-CN\">维氏VICTORINOX瑞士军刀星座系列双鱼座0.6223.2PISC</Description><UnitOfMeasure>EA</UnitOfMeasure></ItemDetail></ItemIn><ItemIn quantity=\"1\"><ItemID><SupplierPartID>150706</SupplierPartID><SupplierPartAuxiliaryID>46666778472</SupplierPartAuxiliaryID></ItemID><ItemDetail><UnitPrice><Money currency=\"CNY\">0.00</Money></UnitPrice><Description xml:lang=\"zh-CN\">锐步Reebok女短袖T恤R537589 M码</Description><UnitOfMeasure>EA</UnitOfMeasure></ItemDetail></ItemIn></PunchOutOrderMessage></Message></cXML>"; String url = "https://www.baidu.com"; String result = ""; // postXml(url, dtdXml, "UTF-8"); result = httpPostData(url, dtdXml, Consts.UTF_8.name(), null, "application/xml", "application/xml"); System.out.println(result); } }
以上是关于JDK 1.6/1.7不支持TLS 1.2的主要内容,如果未能解决你的问题,请参考以下文章
markdown 在Mac上安装卸载jdk 1.6 1.7 1.8