javax.net.ssl.SSLHandshakeException:收到致命警报:docker容器内的handshake_failure

Posted

技术标签:

【中文标题】javax.net.ssl.SSLHandshakeException:收到致命警报:docker容器内的handshake_failure【英文标题】:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure inside docker container 【发布时间】:2019-10-05 01:09:33 【问题描述】:

我正在使用以下代码对远程端点运行本地测试:

        URL url = new URL(remoteEndpointUrl);
        String encoded = Base64.getEncoder().encodeToString((login + ":"+ password).getBytes("UTF-8"));  //Java 8
        conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", "Basic "+encoded);
        conn.setRequestMethod("DELETE");
        conn.setRequestProperty("Accept", "application/json");
        conn.setDoOutput(true);
        conn.getResponseCode();

这在我的具有以下 Java 版本的 Mac OS 上完美运行

java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, 
mixed mode)

现在,如果我在一个 docker 容器中运行它并运行一个 openjdk:8u151 图像(我也是从我的 Mac OS 启动的),我最终会遇到以下异常:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:162)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)

显然,我的本地 TLS 默认设置与 docker 容器内的设置之间似乎没有任何区别。这是使用-Djavax.net.debug=all 运行的调试输出:

本地输出:

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(0) called
    main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1541229707 bytes =  122, 255, 53, 110, 142, 33, 132, 23, 192, 232, 102, 11, 200, 33, 185, 187, 146, 150, 134, 215, 2, 72, 62, 10, 76, 46, 224, 66 
    Session ID:  
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:   0 
    Extension elliptic_curves, curve names: secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Extension server_name, server_name: [type=host_name (0), value=example.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 198
    0000: 01 00 00 C2 03 03 5C DD   4D 8B 7A FF 35 6E 8E 21  ......\.M.z.5n.!
    0010: 84 17 C0 E8 66 0B C8 21   B9 BB 92 96 86 D7 02 48  ....f..!.......H
    0020: 3E 0A 4C 2E E0 42 00 00   3A C0 23 C0 27 00 3C C0  >.L..B..:.#.'.<.
    0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.).g.@...../...
    0040: 0E 00 33 00 32 C0 2B C0   2F 00 9C C0 2D C0 31 00  ..3.2.+./...-.1.
    0050: 9E 00 A2 C0 08 C0 12 00   0A C0 03 C0 0D 00 16 00  ................
    0060: 13 00 FF 01 00 00 5F 00   0A 00 16 00 14 00 17 00  ......_.........
    0070: 18 00 19 00 09 00 0A 00   0B 00 0C 00 0D 00 0E 00  ................
    0080: 16 00 0B 00 02 01 00 00   0D 00 1C 00 1A 06 03 06  ................
    0090: 01 05 03 05 01 04 03 04   01 04 02 03 03 03 01 03  ................
    00A0: 02 02 03 02 01 02 02 00   00 00 1B 00 19 00 00 16  ................
    00B0: 73 75 6D 69 74 64 65 76   2E 6D 79 73 68 6F 70 69  example.com
    00C0: 66 79 2E 63 6F 6D
    main, WRITE: TLSv1.2 Handshake, length = 198
    [Raw write]: length = 203
    0000: 16 03 03 00 C6 01 00 00   C2 03 03 5C DD 4D 8B 7A  ...........\.M.z
    0010: FF 35 6E 8E 21 84 17 C0   E8 66 0B C8 21 B9 BB 92  .5n.!....f..!...
    0020: 96 86 D7 02 48 3E 0A 4C   2E E0 42 00 00 3A C0 23  ....H>.L..B..:.#
    0030: C0 27 00 3C C0 25 C0 29   00 67 00 40 C0 09 C0 13  .'.<.%.).g.@....
    0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 2B C0 2F 00 9C  ./.....3.2.+./..
    0050: C0 2D C0 31 00 9E 00 A2   C0 08 C0 12 00 0A C0 03  .-.1............
    0060: C0 0D 00 16 00 13 00 FF   01 00 00 5F 00 0A 00 16  ..........._....
    0070: 00 14 00 17 00 18 00 19   00 09 00 0A 00 0B 00 0C  ................
    0080: 00 0D 00 0E 00 16 00 0B   00 02 01 00 00 0D 00 1C  ................
    0090: 00 1A 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
    00A0: 03 03 03 01 03 02 02 03   02 01 02 02 00 00 00 1B  ................
    00B0: 00 19 00 00 16 73 75 6D   69 74 64 65 76 2E 6D 79  .....example.com
    [Raw read]: length = 5
    0000: 16 03 03 00 57                                     ....W
    [Raw read]: length = 87
    0000: 02 00 00 53 03 03 5C DD   4D 8B A2 3C 5D 36 46 82  ...S..\.M..<]6F.
    0010: BE 0E 5E DA 23 05 66 D5   1B AE 13 AA 8F 98 12 30  ..^.#.f........0
    0020: DF 52 9C 28 AA 7B 20 43   4F 5E 40 8C B4 C4 1E 26  .R.(.. CO^@....&
    0030: 4F 5D B8 3D 39 16 D5 56   41 9C B0 F8 D5 F4 2A 55  O].=9..VA.....*U
    0040: B3 0A E9 A2 6F 9D 88 C0   2B 00 00 0B FF 01 00 01  ....o...+.......
    0050: 00 00 0B 00 02 01 00                               .......
    main, READ: TLSv1.2 Handshake, length = 87
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1541229707 bytes =  162, 60, 93, 54, 70, 130, 190, 14, 94, 218, 35, 5, 102, 213, 27, 174, 19, 170, 143, 152, 18, 48, 223, 82, 156, 40, 170, 123 
    Session ID:  67, 79, 94, 64, 140, 180, 196, 30, 38, 79, 93, 184, 61, 57, 22, 213, 86, 65, 156, 176, 248, 213, 244, 42, 85, 179, 10, 233, 162, 111, 157, 136
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    Extension ec_point_formats, formats: [uncompressed]
    ***
    %% Initialized:  [Session-4, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
    ** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [read] MD5 and SHA1 hashes:  len = 87ere

docker 容器内输出:

    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    Test worker, setSoTimeout(0) called
    Test worker, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1541242532 bytes =  118, 119, 70, 101, 0, 69, 160, 231, 254, 159, 164, 222, 99, 67, 81, 99, 102, 20, 11, 71, 1, 162, 231, 238, 141, 93, 75, 42 
    Session ID:  
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:   0 
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Extension server_name, server_name: [type=host_name (0), value=example.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 208
    0000: 01 00 00 CC 03 03 5C DD   7F A4 76 77 46 65 00 45  ......\...vwFe.E
    0010: A0 E7 FE 9F A4 DE 63 43   51 63 66 14 0B 47 01 A2  ......cCQcf..G..
    0020: E7 EE 8D 5D 4B 2A 00 00   64 C0 24 C0 28 00 3D C0  ...]K*..d.$.(.=.
    0030: 26 C0 2A 00 6B 00 6A C0   0A C0 14 00 35 C0 05 C0  &.*.k.j.....5...
    0040: 0F 00 39 00 38 C0 23 C0   27 00 3C C0 25 C0 29 00  ..9.8.#.'.<.%.).
    0050: 67 00 40 C0 09 C0 13 00   2F C0 04 C0 0E 00 33 00  g.@...../.....3.
    0060: 32 C0 2C C0 2B C0 30 00   9D C0 2E C0 32 00 9F 00  2.,.+.0.....2...
    0070: A3 C0 2F 00 9C C0 2D C0   31 00 9E 00 A2 C0 08 C0  ../...-.1.......
    0080: 12 00 0A C0 03 C0 0D 00   16 00 13 00 FF 01 00 00  ................
    0090: 3F 00 0D 00 1C 00 1A 06   03 06 01 05 03 05 01 04  ?...............
    00A0: 03 04 01 04 02 03 03 03   01 03 02 02 03 02 01 02  ................
    00B0: 02 00 00 00 1B 00 19 00   00 16 73 75 6D 69 74 64  ..........
    00C0: 65 76 2E 6D 79 73 68 6F   70 69 66 79 2E 63 6F 6D  example.com
    Test worker, WRITE: TLSv1.2 Handshake, length = 208
    [Raw write]: length = 213
    0000: 16 03 03 00 D0 01 00 00   CC 03 03 5C DD 7F A4 76  ...........\...v
    0010: 77 46 65 00 45 A0 E7 FE   9F A4 DE 63 43 51 63 66  wFe.E......cCQcf
    0020: 14 0B 47 01 A2 E7 EE 8D   5D 4B 2A 00 00 64 C0 24  ..G.....]K*..d.$
    0030: C0 28 00 3D C0 26 C0 2A   00 6B 00 6A C0 0A C0 14  .(.=.&.*.k.j....
    0040: 00 35 C0 05 C0 0F 00 39   00 38 C0 23 C0 27 00 3C  .5.....9.8.#.'.<
    0050: C0 25 C0 29 00 67 00 40   C0 09 C0 13 00 2F C0 04  .%.).g.@...../..
    0060: C0 0E 00 33 00 32 C0 2C   C0 2B C0 30 00 9D C0 2E  ...3.2.,.+.0....
    0070: C0 32 00 9F 00 A3 C0 2F   00 9C C0 2D C0 31 00 9E  .2...../...-.1..
    0080: 00 A2 C0 08 C0 12 00 0A   C0 03 C0 0D 00 16 00 13  ................
    0090: 00 FF 01 00 00 3F 00 0D   00 1C 00 1A 06 03 06 01  .....?..........
    00A0: 05 03 05 01 04 03 04 01   04 02 03 03 03 01 03 02  ................
    00B0: 02 03 02 01 02 02 00 00   00 1B 00 19 00 00 16 73  ...............s
    00C0: 75 6D 69 74 64 65 76 2E   6D 79 73 68 6F 70 69 66  example.com
    00D0: 79 2E 63 6F 6D                                     
    [Raw read]: length = 5
    0000: 15 03 03 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 28                                              .(
    Test worker, READ: TLSv1.2 Alert, length = 2
    Test worker, RECV TLSv1.2 ALERT:  fatal, handshake_failure
    Test worker, called closeSocket()
    Test worker, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureere

现在,我尝试根据https://www.petefreitag.com/item/844.cfm 将安全属性crypto.policy 设置为unlimited,这应该可以轻松启用我从https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https 获得的领先的JCE(Java 加密扩展)但是它仍然失败。

我一直在与此作斗争,不知道要检查什么,因为两次执行都使用TLSv1.2 作为 https 协议,并且都使用相同的密码套件,所以知道为什么它在 docker 内失败了吗?

非常感谢任何帮助, 提前致谢

编辑:在我的 Mac OS 上使用-Dcom.sun.net.ssl.enableECC=false 运行

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1541432023 bytes =  91, 55, 180, 242, 51, 13, 227, 239, 109, 218, 210, 217, 65, 181, 16, 146, 251, 182, 30, 23, 156, 83, 207, 5, 80, 0, 133, 88 
Session ID:  
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:   0 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes:  len = 134
0000: 01 00 00 82 03 03 5C E0   63 D7 5B 37 B4 F2 33 0D  ......\.c.[7..3.
0010: E3 EF 6D DA D2 D9 41 B5   10 92 FB B6 1E 17 9C 53  ..m...A........S
0020: CF 05 50 00 85 58 00 00   1A 00 3C 00 67 00 40 00  ..P..X....<.g.@.
0030: 2F 00 33 00 32 00 9C 00   9E 00 A2 00 0A 00 16 00  /.3.2...........
0040: 13 00 FF 01 00 00 3F 00   0D 00 1C 00 1A 06 03 06  ......?.........
0050: 01 05 03 05 01 04 03 04   01 04 02 03 03 03 01 03  ................
0060: 02 02 03 02 01 02 02 00   00 00 1B 00 19 00 00 16  ................
0070: 73 75 6D 69 74 64 65 76   2E 6D 79 73 68 6F 70 69  example.com
0080: 66 79 2E 63 6F 6D                                  
main, WRITE: TLSv1.2 Handshake, length = 134
[Raw write]: length = 139
0000: 16 03 03 00 86 01 00 00   82 03 03 5C E0 63 D7 5B  ...........\.c.[
0010: 37 B4 F2 33 0D E3 EF 6D   DA D2 D9 41 B5 10 92 FB  7..3...m...A....
0020: B6 1E 17 9C 53 CF 05 50   00 85 58 00 00 1A 00 3C  ....S..P..X....<
0030: 00 67 00 40 00 2F 00 33   00 32 00 9C 00 9E 00 A2  .g.@./.3.2......
0040: 00 0A 00 16 00 13 00 FF   01 00 00 3F 00 0D 00 1C  ...........?....
0050: 00 1A 06 03 06 01 05 03   05 01 04 03 04 01 04 02  ................
0060: 03 03 03 01 03 02 02 03   02 01 02 02 00 00 00 1B  ................
0070: 00 19 00 00 16 73 75 6D   69 74 64 65 76 2E 6D 79  .....example.com
0080: 73 68 6F 70 69 66 79 2E   63 6F 6D                 
[Raw read]: length = 5 
0000: 16 03 03 00 51                                     ....Q
[Raw read]: length = 81
0000: 02 00 00 4D 03 03 5C E0   63 DA 99 74 67 FF 71 48  ...M..\.c..tg.qH
0010: B5 9B 8F 63 A4 06 15 AE   1D E6 1B CA 27 C6 9C 85  ...c........'...
0020: B8 E8 40 03 89 54 20 29   3F 81 6A E8 E4 54 39 D7  ..@..T )?.j..T9.
0030: 5A 95 5B DD 7C 59 18 28   05 C2 49 75 22 2E 69 78  Z.[..Y.(..Iu".ix
0040: E1 1B 11 62 03 62 C0 00   9C 00 00 05 FF 01 00 01  ...b.b..........
0050: 00                                                 .
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1541432026 bytes =  153, 116, 103, 255, 113, 72, 181, 155, 143, 99, 164, 6, 21, 174, 29, 230, 27, 202, 39, 198, 156, 133, 184, 232, 64, 3, 137, 84 
Session ID:  41, 63, 129, 106, 232, 228, 84, 57, 215, 90, 149, 91, 221, 124, 89, 24, 40, 5, 194, 73, 117, 34, 46, 105, 120, 225, 27, 17, 98, 3, 98, 192
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-4, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 81

【问题讨论】:

你能得到服务器端的日志吗? 您是否也将example.com 前面的十六进制数字更改为包含example.com,我已经看到了足够多的例子,人们只将人类可读版本更改为示例域,但仍然离开“二进制调试”文本中的原始域,当人们重建实际的 SSL 数据包以查看发生了什么问题时使用该域 @SvetlinZarev 不幸的是,不,它超出了我的能力范围。 我首先要确保我运行的是完全相同的 JVM 版本并且来自同一个供应商。例如,两者都必须是 Oracle 或 openjdk。 确切地说 crypto.policysecurity 属性而不是系统属性,但在工作情况下,服务器同意 AES-128(GCM) 套件,所以它不是无论如何都不需要。 【参考方案1】:

不完全是一个答案,但我希望它有所帮助。

在第一种情况下,客户端发送两个椭圆曲线扩展,但在第二种情况下不发送。我不知道这种不同行为的原因,但这可能会导致服务器无法更进一步,因为无法找到通用密码套件。

RFC 4492 给出了 2 个理由,说明您不应该对缺少扩展名有任何问题:

    如果缺少握手失败,则默认情况下不会提及握手失败:

如果服务器不理解支持的椭圆曲线 扩展,不理解支持的点格式扩展, 或在限制自身时无法完成 ECC 握手 对于枚举曲线和点格式,它不能协商 使用 ECC 密码套件。取决于其他密码套件 由客户端提出并由服务器支持,这可能 由于缺乏公共性而导致致命的握手失败警报 密码套件。

    发送它们并不完全是强制性的,只是带有“应该”字样的更可取的行为:

在其 ClientHello 中提出 ECC 密码套件的 TLS 客户端 消息应该包含这些扩展。

这会导致客户端或服务器上出现软件错误或安装错误(文件丢失、权限错误……)。

如果您使用 -Dcom.sun.net.ssl.enableECC=false 运行本地测试,会发生什么情况?

您可以比较 jre/lib 中所有目录的内容,以找出可能缺少的内容。

例如,您的 docker 客户端是否包含文件 libsunec.so

您的端点上有什么 TLS 服务器?它也被码头化了吗?

至少Release Notes for JDK 8 没有提到任何可以解决的客户端问题。但相反,它提到了在8u131 中解决的jdk.tls.namedGroups(null) 问题,错误JDK-8173783 很好地解释了它的重复错误-JDK-8173960 错误。这并不能解释为什么您面临两种不同的行为,但也许它周围有一些没有提到的东西(另一个丢失的文件而不是 sunec.jar 在错误中说,导致同样的问题)。从我的角度来看,客户端丢失文件会导致服务器端错误(也由丢失文件或简单的软件错误触发)。如果您找到解决方案,请告诉我们。

【讨论】:

我在本地使用-Dcom.sun.net.ssl.enableECC=false 运行它,现在我在调试中看不到elliptic_curvesec_point_formats,但是,测试成功完成。这意味着缺少椭圆曲线扩展(在 docker 执行中)与容器内部的故障无关。 如果它是唯一的区别,它一定有关系,不是吗?或者我们错过了什么。 enableECC=false 可能还会从 Client Hello 密码列表中删除 EC 密码套件。请您使用此测试编辑并发布您的新 SSL 跟踪吗?然后,当 EC 不存在时,我们将查看服务器选择的密码,我们将尝试强制您的 docker 仅使用此密码套件(带有https.protocols 系统属性)-本地所有密码也出现在 docker 的列表中,这个甚至更长一点。 我们看到密码套件列表现在很短,没有任何 EC,并且服务器选择了TLS_RSA_WITH_AES_128_GCM_SHA256。如上所述(我在考虑密码,但给出了错误的属性 - 抱歉),你可以尝试使用 -Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_GCM_SHA256 的 docker 吗? 不,顺序无关紧要。我得出的结论是,我的答案几乎是好的:当接收到带有 EC 密码套件且没有 EC 扩展的客户端 Hello 时,服务器出现了问题。它不符合 RFC。我提到的错误是同一件事,或者如果您可以检查服务器上安装的内容,则应进一步调查。 @Ewoks 握手失败的原因有很多。尝试上述解决方案,如果它不能帮助正确打开一个新问题(带有调试跟踪,版本,..)【参考方案2】:

“握手失败”通常意味着服务器的 TLS 级别(例如 TLS1.2)和密码套件以及您的 WebSphere 可以处理的内容之间没有重叠。

我会针对服务器运行类似https://www.ssllabs.com/ssltest/ 的测试,然后在 WebSphere 安全 > SSL 证书和密钥管理 > SSL 配置中查看您的 QoP 设置

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

【讨论】:

这是一个复制/粘贴,发表评论就足够了(或者当你 100% 确定它是同一件事时甚至标记为重复)

以上是关于javax.net.ssl.SSLHandshakeException:收到致命警报:docker容器内的handshake_failure的主要内容,如果未能解决你的问题,请参考以下文章