处理异常:javax.net.ssl.SSLHandshakeException:没有合适的协议(协议被禁用或密码套件不合适)

Posted

技术标签:

【中文标题】处理异常:javax.net.ssl.SSLHandshakeException:没有合适的协议(协议被禁用或密码套件不合适)【英文标题】:handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) 【发布时间】:2021-09-27 06:44:14 【问题描述】:

当我尝试为 jms 启用 TLSv1.2 和密码套件 TLS_RSA_WITH_AES_256_CBC_SHA256 时,我收到了我在下面的 server.xml 文件中提到的错误。我正在使用 java 1.8.0_221、tomcat 9、spring2.9。然后我替换了从https://www.oracle.com/java/technologies/javase-jce8-downloads.html 下载的/security/policy/unlimited 中的jce(java 加密扩展)的jar 文件,但得到了同样的错误。我已执行以下命令来检查 jce 策略 > jrunscript -e "exit (println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES") >= 256));"结果是假的

>错误

-------- 允许不安全的重新协商:false 允许遗留的 hello 消息:true 是初始握手:true 是安全的重新协商: 忽略不支持的密码套件: TLSv1 的 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 忽略不支持 密码套件:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 用于 TLSv1 忽略 不支持的密码套件:TLSv1 的 TLS_RSA_WITH_AES_256_CBC_SHA256 忽略不受支持的密码套件: TLSv1 的 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 忽略不支持 密码套件:TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 用于 TLSv1 忽略 不支持的密码套件:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLSv1 忽略不支持的密码套件: TLSv1 的 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 忽略不支持 密码套件:TLSv1.1 的 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 忽略不受支持的密码套件: TLSv1.1 的 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 忽略不支持 密码套件:TLSv1.1 忽略的 TLS_RSA_WITH_AES_256_CBC_SHA256 不支持的密码套件:TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLSv1.1 忽略不支持的密码套件: TLSv1.1 的 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 忽略不支持 密码套件:TLSv1.1 忽略的 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 不支持的密码套件:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLSv1.1 %% 没有缓存的客户端会话更新握手状态: client_hello1即将握手状态:server_hello[2] *** ClientHello, TLSv1.2 RandomCookie: GMT: 1609878173 bytes = 249, 22, 95, 249, 42, 246, 180, 241, 102, 79, 48, 131, 82, 55, 217, 46, 69, 118、173、155、13、170、188、28、45、107、53、45 会话 ID: 密码套件:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA、TLS_RSA_WITH_AES_256_CBC_SHA、 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA、TLS_DHE_RSA_WITH_AES_256_CBC_SHA、 TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA、TLS_RSA_WITH_AES_128_CBC_SHA、 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA、TLS_DHE_RSA_WITH_AES_128_CBC_SHA、 TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 压缩方法: 0 扩展 elliptic_curves,曲线名称:secp256r1, secp384r1, secp521r1、sect283k1、sect283r1、sect409k1、sect409r1、sect571k1、 sect571r1, secp256k1 扩展 ec_point_formats,格式: [未压缩] 扩展签名算法、签名算法: SHA512 与 ECDSA,SHA512 与 RSA,SHA384 与 ECDSA,SHA384 与 RSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA、SHA1withDSA 扩展 extended_master_secret *** main, WRITE: TLSv1.2 Handshake, length = 193 main, READ: TLSv1 Handshake, length = 813 检查握手状态:server_hello[2] *** ServerHello, TLSv1 RandomCookie: GMT: 1609870596 bytes = 82, 117, 120, 216, 104, 30, 226, 142, 149, 245, 48, 199, 220, 35, 55, 234, 192, 65, 5, 236, 34, 46, 7, 104, 196, 192, 207, 66 会话 ID: 211、6、0、0、74、154、90、231、222、237、76、181、155、196、93、56、 200、242、251、176、8、194、23、29、168、183、148、71、154、158、61、 174 密码套件:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 压缩 方法:0 扩展 extended_master_secret 扩展 重新协商信息,重新协商连接:


> server.xml

<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8082
    -->
    <!--<Connector port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" /> -->
    <!-- A "Connector" using the shared thread pool-->
    
    <Connector executor="tomcatThreadPool"
               port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    
    <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->

               
                   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="700" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,+TLSv1.2"
keystoreFile="D:/Tomcat9/conf/key.jks" keystorePass="clientpass" keystoreType="JKS"
keyAlias="ibmwebspheremqshabeeb" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"/>
               
<!--<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200" scheme="https"
           secure="true" SSLEnabled="true"
           keystoreFile="D:/Tomcat9/conf/client.jks"
           keystorePass="clientpass"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8"
           compression="force"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"/>-->


<!--<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="D:/Tomcat9/conf/client.jks" keystorePass="clientpass"
           clientAuth="true" sslProtocol="TLS"/>-->    
   
   <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of                                                                                                                                                                                                                                       
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    
  <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"/>
        <SSLHostConfig
             certificateKeystoreFile="D:/Tomcat9/conf/client.jks"
                         type="RSA" /> -->
        
   
    
    
    

 <!--<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"/>
</Connector>-->
 <!--<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocols="TLS" sslEnabledProtocols="TLSv1.2" keystoreFile="D:/Tomcat9/conf/client.jks" keystorePass="clientpass"
           port="8443"/>-->
           
           


 <!--<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS" 
       keystoreFile="C:/certificate/ibmclientm2.jks" keystorePass="clientpass"/>-->
       
     
    
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

【问题讨论】:

【参考方案1】:

TLSv1jmsReplyQListener-1 没有可用的密码套件

您必须启用对 TLSv1 的支持,因此首先更新 server.xml 中的连接器标签

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="700" scheme="https" secure="true"
         <SSLHostConfig protocols="TLSv1,+TLSv1.2">
            <Certificate 
                 certificateKeystoreFile="D:/Tomcat9/conf/key.jks"
                 certificateKeystorePassword="clientpass"
                 type="RSA" />
        </SSLHostConfig>
</Connector>

【讨论】:

添加对 TLSv1 的支持 是的,我已经支持 TLSv1,所以我在 server.xml 文件中更改了 sslEnabledProtocols="TLSv1,+TLSv1.2" 但收到上面提到的错误,请参阅上面的错误,即“忽略不支持的密码套件:TLSv1 的 TLS_RSA_WITH_AES_256_CBC_SHA256" 即使我在 server.xml 中给出了协议 TLSv1.2

以上是关于处理异常:javax.net.ssl.SSLHandshakeException:没有合适的协议(协议被禁用或密码套件不合适)的主要内容,如果未能解决你的问题,请参考以下文章

Koa异常处理说明

springmvc在处理请求过程中出现异常信息交由异常处理器进行处理,自定义异常处理器可以实现一个系统的异常处理逻辑。为了区别不同的异常通常根据异常类型自定义异常类,这里我们创建一个自定义系统异常,如

java异常处理详解!!

Kotlin 协程Flow 流异常处理 ( 收集元素异常处理 | 使用 try...catch 代码块捕获处理异常 | 发射元素时异常处理 | 使用 Flow#catch 函数捕获处理异常 )

Kotlin 协程Flow 流异常处理 ( 收集元素异常处理 | 使用 try...catch 代码块捕获处理异常 | 发射元素时异常处理 | 使用 Flow#catch 函数捕获处理异常 )

异常处理,约束,MD5加密,日志处理