Getting "Received fatal alert: handshake_failure" exception in Java 1.7.0_80
Posted: 2021-12-12 19:50:37

Question: I am trying to call the UPS server to get some rate-related details. Recently they migrated to new ciphers. For some reason we cannot update our JDK version, so we need to stick with 1.7.0_80. When making the UPS call I get the stack trace below.
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring disabled protocol: SSLv3
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1635344196 bytes = 88, 0, 128, 81, 194, 87, 28, 140, 174, 104, 190, 184, 32, 3, 190, 29, 68, 66, 220, 248, 56, 153, 156, 98, 76, 74, 32, 115
Session ID:
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: 0
Extension elliptic_curves, curve names: secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: onlinetools.ups.com]
***
main, WRITE: TLSv1.2 Handshake, length = 221
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1092)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
The API call is as follows:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

try {
    OutputStream outputStream = null;
    URL url = new URL("https://onlinetools.ups.com/......");
    HttpURLConnection uc = (HttpURLConnection) url.openConnection();
    uc.setDoOutput(true);
    uc.setDoInput(true);
    uc.setUseCaches(false);
    outputStream = uc.getOutputStream(); // Exception getting thrown from here
    outputStream.write(xmlInputString.getBytes());
    outputStream.flush();
    outputStream.close();
    StringBuilder buffer = new StringBuilder();
    BufferedReader reader = null;
    try {
        reader = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        int letter = 0;
        while ((letter = reader.read()) != -1) {
            buffer.append((char) letter);
        }
        reader.close();
    } catch (Exception e) {
        System.out.println("Error reading UPS response" + e);
    } finally {
        if (reader != null) {
            reader.close();
        }
        reader = null;
    }
    System.out.println("response is :" + buffer.toString());
} catch (IOException e) {
    e.printStackTrace();
}
xmlInputString is the request string.
I have already tried using bouncycastle with no luck, and updated the security jars (local_policies and other jars). Please advise. Thanks in advance.
Comments:
#1 Enable more verbose logging with -Djavax.net.debug=ssl,handshake and retry. If the log has new important lines, share them with us. access.redhat.com/solutions/973783 #2 Is open-jdk 8 not an option?
@JRichardsz, thanks for the reply. I added the -D parameter, pulled the log and updated the question. Yes, open-jdk 8 is not an option, because the code snippet above comes from a very large project and migrating to Java 8 would be a very significant effort.
Try this: java -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1
@JRichardsz, we already have that argument. After adding that argument we got the handshake exception. Before that, the error was "protocol_version".
That server only supports cipher suites using GCM; the Java 7 JSSE supports TLS1.2 (e.g. using https.protocols) but not the GCM suites. Bouncy (bctls&bcprov) 1.68 or 1.67 with context "TLSv1.2" works for me on 7u80, but I had to fix the truststore because that server uses a CA (Comodo RSA) that is not in the 7u80 cacerts. (1.69 seems to have some internal inconsistency; 1.66 and 1.65 do not offer the GCM suites even though they are listed; 1.64 and below have some problem with SecureRandom that I do not understand.) But if you found an alternative, that's fine.
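The diagnosis in the comment above can be checked mechanically against the -Djavax.net.debug=ssl,handshake output: if the ClientHello offers no GCM (AEAD) suite and the server answers with a fatal handshake_failure, there is no cipher overlap. This is an added example, not code from the question or from any of the commenters; the log excerpt is constructed, modelled on the ClientHello and alert shown in the question.

```python
import re

# Constructed excerpt of a -Djavax.net.debug=ssl,handshake log, modelled on the
# ClientHello and fatal alert shown in the question (not the full log from the page).
SAMPLE_LOG = """\
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring disabled protocol: SSLv3
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Extension server_name, server_name: [host_name: onlinetools.ups.com]
main, WRITE: TLSv1.2 Handshake, length = 221
main, RECV TLSv1 ALERT: fatal, handshake_failure
"""


def parse_client_hello(log):
    """Pull the offered protocol, cipher suites and any fatal alert out of JSSE debug output."""
    hello = re.search(r"\*\*\* ClientHello, (TLSv1(?:\.\d)?|SSLv3)", log)
    suites_m = re.search(r"Cipher Suites: \[([^\]]*)\]", log)
    alert = re.search(r"RECV \S+ ALERT: fatal, (\w+)", log)
    suites = [s.strip() for s in suites_m.group(1).split(",")] if suites_m else []
    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a real cipher suite
    suites = [s for s in suites if not s.endswith("_SCSV")]
    ignored = re.findall(r"Ignoring unsupported cipher suite: (\S+)", log)
    return {"protocol": hello.group(1) if hello else None,
            "offered": suites,
            "ignored": ignored,
            "alert": alert.group(1) if alert else None}


def diagnose(log):
    """Explain a handshake_failure: did the client offer any AEAD (GCM) suite at all?"""
    info = parse_client_hello(log)
    gcm = [s for s in info["offered"] if "_GCM_" in s]
    # RC4, 3DES and MD5-MAC suites are what the old JSSE still advertises; flag them too
    legacy = [s for s in info["offered"] if "RC4" in s or "3DES" in s or s.endswith("MD5")]
    info["gcm_offered"] = gcm
    info["legacy_offered"] = legacy
    if info["alert"] == "handshake_failure" and not gcm:
        info["verdict"] = "client offered no GCM suite; a GCM-only server will reject the ClientHello"
    elif info["alert"]:
        info["verdict"] = "fatal alert %s; check cipher/protocol overlap" % info["alert"]
    else:
        info["verdict"] = "no fatal alert seen"
    return info


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["verdict"])
```

Run it against the full log captured with -Djavax.net.debug=ssl,handshake; the "ignored" list shows which SHA-256 suites the 7u80 JSSE dropped before sending, which is why they never appear in the ClientHello.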
Answer 1:
Since we did not find any reliable way to do this with Java 7, we ran a microservice on OpenJDK 11. We call that microservice internally and it makes the actual call to UPS.