收到致命警报：java 1.7.0_80 中的握手失败异常

Posted 2023-02-22

【中文标题】收到致命警报：java 1.7.0_80 中的握手失败异常

【英文标题】：Getting Received fatal alert: handshake_failure exception in java 1.7.0_80

【发布时间】：2021-12-12 19:50:37

【问题描述】：

我正在尝试调用 ups 服务器以获取一些与费率相关的详细信息。最近他们迁移到新的密码。 由于某种原因，我们无法更新我们的 jdk 版本，所以我们需要坚持 1.7.0_80。 调用 ups 调用时，我低于堆栈跟踪

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring disabled protocol: SSLv3
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1635344196 bytes =  88, 0, 128, 81, 194, 87, 28, 140, 174, 104, 190, 184, 32, 3, 190, 29, 68, 66, 220, 248, 56, 153, 156, 98, 76, 74, 32, 115 
Session ID:  
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:   0 
Extension elliptic_curves, curve names: secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: onlinetools.ups.com]
***
main, WRITE: TLSv1.2 Handshake, length = 221
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1092)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)

API调用如下

try 
            OutputStream outputStream = null;
            URL url = new URL("https://onlinetools.ups.com/......");
            HttpURLConnection uc = (HttpURLConnection) url.openConnection();
            uc.setDoOutput(true);
            uc.setDoInput(true);
            uc.setUseCaches(false);
            outputStream = uc.getOutputStream(); //Exception getting thrown from here
            outputStream.write(xmlInputString.getBytes());
            outputStream.flush();
            outputStream.close();
            
            StringBuilder buffer = new StringBuilder();
            BufferedReader reader = null;
            try 
                reader = new BufferedReader(new InputStreamReader(uc.getInputStream()));
                int letter = 0;
                while ((letter = reader.read()) != -1) 
                    buffer.append((char) letter);
                
                reader.close();
             catch (Exception e) 
                System.out.println("Error reading UPS response"+ e);
             finally 
                if (reader != null) 
                    reader.close();
                    reader = null;
                
            
            System.out.println("response is :"+ buffer.toString());

         catch (IOException e) 
            e.printStackTrace();
        

xmlInputString 是请求字符串。

已经尝试使用 bouncycastle 但没有运气并更新了安全 jar（local_policies 和其他 jar）。 请提供建议。 提前谢谢你。

【问题讨论】：

#1 启用更详细的日志-Djavax.net.debug=ssl,handshake 并重试。如果日志有新的重要行，请与我们分享。 access.redhat.com/solutions/973783#2 open-jdk 8 不是一个选项？

@JRichardsz，感谢您的回复。我添加了一个 -D 参数并在 cmets 下提取并进行了更新。是的，open-jdk 8 不是一个选项，因为上面提到的代码 sn-p 来自一个非常大的项目，迁移到 java 8 就像是非常重大的努力。

试试这个java -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1

@JRichardsz，我们已经有了这个论点。在那次争论之后，我们得到了汉斯摇晃异常。在此之前，错误是“protocl_version”

该服务器仅支持使用 GCM 的密码套件； Java 7 JSSE 支持 TLS1.2（例如使用https.protocols）但不支持 GCM 套件。 Bouncy (bctls&bcprov) 1.68 或 1.67 上下文 "TLSv1.2" 在 7u80 上为我工作，但我必须修复信任库，因为该服务器使用不在 7u80 cacerts 中的 CA (Comodo RSA)。 （1.69 似乎有一些内部不一致；1.66 和 1.65 不提供 GCM 套件，即使它们已列出；1.64 及更低版本的 SecureRandom 存在一些问题，我不明白。）但如果你找到了替代方案，那很好。

【参考方案1】：

由于我们没有找到任何可靠的信息来使用 java 7 进行此操作，因此我们在 open jdk 11 上运行了一个微服务。因此我们在内部调用该微服务并进行实际调用。