带有undertow servlet容器的spring-boot应用程序中的“没有共同的密码套件”错误

Posted 2023-02-27

【中文标题】带有undertow servlet容器的spring-boot应用程序中的“没有共同的密码套件”错误

【英文标题】："no cipher suites in common" error in spring-boot application with undertow servlet container

【发布时间】：2018-03-18 02:33:06

【问题描述】：

我正在尝试在我的 Web 应用程序中使用 SSL。当我访问https://127.0.0.1:8443 时，我得到javax.net.ssl.SSLHandshakeException: no cipher suites in common。

我使用 undertow 嵌入式 servlet 容器。

以下是我的 spring-boot 配置：

server:
    port: 8443
    ssl:
        key-store: keystore.p12
        key-store-password: PASSWD
        key-password: PASSWD
        keyAlias: API
        key-store-type: PKCS12

我使用以下命令生成密钥库：

keytool -genkey -alias API -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

如何解决此错误？

我还在日志中看到了一些不受支持的扩展消息。这些是重要的还是可以忽略的？

Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
[Raw read]: length = 5
0000: 16 03 01 00 AE                                     .....
[Raw read]: length = 174
0000: 01 00 00 AA 03 03 D6 77   1F 2F 88 5D 31 C6 40 69  .......w./.]1.@i
0010: 8D 78 38 FA 16 4E 19 C4   D5 43 34 91 35 2A 2A 7C  .x8..N...C4.5**.
0020: 77 B4 E8 71 E8 5B 00 00   1C DA DA C0 2B C0 2F C0  w..q.[......+./.
0030: 2C C0 30 CC A9 CC A8 C0   13 C0 14 00 9C 00 9D 00  ,.0.............
0040: 2F 00 35 00 0A 01 00 00   65 1A 1A 00 00 FF 01 00  /.5.....e.......
0050: 01 00 00 17 00 00 00 23   00 00 00 0D 00 14 00 12  .......#........
0060: 04 03 08 04 04 01 05 03   08 05 05 01 08 06 06 01  ................
0070: 02 01 00 05 00 05 01 00   00 00 00 00 12 00 00 00  ................
0080: 10 00 0E 00 0C 02 68 32   08 68 74 74 70 2F 31 2E  ......h2.http/1.
0090: 31 75 50 00 00 00 0B 00   02 01 00 00 0A 00 0A 00  1uP.............
00A0: 08 7A 7A 00 1D 00 17 00   18 2A 2A 00 01 00        .zz......**...
XNIO-3 I/O-1, READ: TLSv1 Handshake, length = 174
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -696836305 bytes =  136, 93, 49, 198, 64, 105, 141, 120, 56, 250, 22, 78, 25, 196, 213, 67, 52, 145, 53, 42, 42, 124, 119, 180, 232, 113, 232, 91 
Session ID:  
Cipher Suites: [Unknown 0xda:0xda, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:   0 
Unsupported extension type_6682, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: unknown curve 31354, unknown curve 29, secp256r1, secp384r1
Unsupported extension type_10794, data: 00
***
[read] MD5 and SHA1 hashes:  len = 174
0000: 01 00 00 AA 03 03 D6 77   1F 2F 88 5D 31 C6 40 69  .......w./.]1.@i
0010: 8D 78 38 FA 16 4E 19 C4   D5 43 34 91 35 2A 2A 7C  .x8..N...C4.5**.
0020: 77 B4 E8 71 E8 5B 00 00   1C DA DA C0 2B C0 2F C0  w..q.[......+./.
0030: 2C C0 30 CC A9 CC A8 C0   13 C0 14 00 9C 00 9D 00  ,.0.............
0040: 2F 00 35 00 0A 01 00 00   65 1A 1A 00 00 FF 01 00  /.5.....e.......
0050: 01 00 00 17 00 00 00 23   00 00 00 0D 00 14 00 12  .......#........
0060: 04 03 08 04 04 01 05 03   08 05 05 01 08 06 06 01  ................
0070: 02 01 00 05 00 05 01 00   00 00 00 00 12 00 00 00  ................
0080: 10 00 0E 00 0C 02 68 32   08 68 74 74 70 2F 31 2E  ......h2.http/1.
0090: 31 75 50 00 00 00 0B 00   02 01 00 00 0A 00 0A 00  1uP.............
00A0: 08 7A 7A 00 1D 00 17 00   18 2A 2A 00 01 00        .zz......**...
%% Initialized:  [Session-7, SSL_NULL_WITH_NULL_NULL]
XNIO-3 task-7, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-7, SSL_NULL_WITH_NULL_NULL]
XNIO-3 task-7, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
XNIO-3 task-7, WRITE: TLSv1.2 Alert, length = 2
XNIO-3 I/O-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
XNIO-3 I/O-1, called closeInbound()
XNIO-3 I/O-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
XNIO-3 I/O-1, called closeOutbound()
XNIO-3 I/O-1, closeOutboundInternal()

【问题讨论】：

服务器无法使用您的私钥。尝试使用与密钥库相同的密钥密码。

嗨@halil，你解决了吗？

不，我没有。我决定使用 AWS 负载均衡器并将 SSL 放入负载均衡器。然后我不必对应用程序进行任何更改。

【参考方案1】：

如果您使用 chrome 浏览器并且您的服务器使用 OpenJDK 1.8，则可能会发生这种情况。您可以通过升级 OpenJDK 版本或使用其他浏览器来检查这一点