SSL:收到致命警报:handshake_failure

Posted

技术标签:

【中文标题】SSL:收到致命警报:handshake_failure【英文标题】:SSL : Received fatal alert: handshake_failure 【发布时间】:2018-02-09 00:02:06 【问题描述】:

专门提到使用这两个密码的服务器

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-8080-exec-3, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1487315819 bytes =  91, 21, 137, 185, 34, 110, 50, 54, 243, 46, 201, 26, 211, 196, 2, 180, 194, 116, 50, 153, 193, 101, 112, 52, 55, 244, 198, 134 
Session ID:  
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:   0 
Extension elliptic_curves, curve names: secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=connect.pointclickcare.com]
***
http-nio-8080-exec-3, WRITE: TLSv1.2 Handshake, length = 202
http-nio-8080-exec-3, READ: TLSv1.2 Alert, length = 2
http-nio-8080-exec-3, RECV TLSv1.2 ALERT:  fatal, handshake_failure
http-nio-8080-exec-3, called closeSocket()
http-nio-8080-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-nio-8080-exec-3, called close()
http-nio-8080-exec-3, called closeInternal(true)

然后我得到了

javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

我正在使用 HttpsURLConnection

【问题讨论】:

【参考方案1】:

问题在于 Java 加密扩展 (JCE),必须替换 $JAVA_HOME 路径中 /lib/security 文件夹中的一些 jar 文件。

Link to use JCE

【讨论】:

【参考方案2】:

专门提到使用这两个密码的服务器

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

如果这些是服务器支持的唯一密码,那么服务器不支持客户端支持的密码。客户端支持的密码列表可以在调试输出中看到:

 Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,  ...

如果您查看原始调试输出,您会发现存在 *SHA384 密码,这意味着客户端不提供服务器接受的密码。

【讨论】:

如何让我的客户接受这些特定的密码套件 @M.Ron:我不知道您的特定客户端和您使用的代码,但 Java 8 应该默认启用 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384。当然本地配置或代码可能会覆盖这些默认值。跨度> 我使用了这个 SSLSocketFactory factory = m_ctx.getSocketFactory(); availableCiphers = factory.getSupportedCipherSuites(); :它返回除指定服务器之外的所有密码。【参考方案3】:

就像 M.Ron 提到的,您需要为您的 JVM 安装 JCE 扩展。 基本上这个问题是由于本地 JAVA 和 https 站点之间的密码不匹配造成的。

1: 使用https://www.ssllabs.com/ 检查您的 REST API 是否支持 java, check this image example

2:在这里查看解决方案,我只是累了,它对我有用并节省了我的一天!

How to debug the ssl connection error

【讨论】:

以上是关于SSL:收到致命警报:handshake_failure的主要内容,如果未能解决你的问题,请参考以下文章

javax.net.ssl.SSLException:收到致命警报:带有 Selenium 的协议版本

ChangeCipherSpec - javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

SSL 握手错误 javax.net.ssl.SSLHandshakeException 收到致命警报 bad_certificate

javax.net.ssl.SSLException:收到致命警报:protocol_version

javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

获取 javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure 错误