
Java SSL handshake failure in Linux but not in OSX and Windows

I'm trying to access a webservice via axis and I'm getting a weird error in my production server (running Oracle Java 1.7.0_51). The error is javax.net.ssl.SSLException: Received close_notify during handshake. So I created a simple Java application to test the SSL connection to the server I'm trying to access:

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;

import org.jsslutils.sslcontext.X509SSLContextFactory;

public class SSLTest {
    public static void main(String args[]) throws Exception {
        // Client certificate and private key come from a PKCS#12 store in the home directory
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream(System.getProperty("user.home")
                + "/store.p12"), "pwd".toCharArray());
        // jsslutils builds an SSLContext that presents this key store for client authentication
        X509SSLContextFactory sslContextFactory = new X509SSLContextFactory(ks,
                "pwd", null);
        SSLContext sc = sslContextFactory.buildSSLContext("TLS");
        HttpsURLConnection con = (HttpsURLConnection) (new URL(
                "https://producao.ginfes.com.br/")).openConnection();
        con.setSSLSocketFactory(sc.getSocketFactory());
        print_https_cert(con); // triggers the handshake and prints the server chain
    }

    private static void print_https_cert(HttpsURLConnection con) {

        if (con != null) {

            try {

                System.out.println("Response Code : " + con.getResponseCode());
                System.out.println("Cipher Suite : " + con.getCipherSuite());
                System.out.println("\n");

                Certificate[] certs = con.getServerCertificates();
                for (Certificate cert : certs) {
                    System.out.println("Cert Type : " + cert.getType());
                    System.out.println("Cert Hash Code : " + cert.hashCode());
                    System.out.println("Cert Public Key Algorithm : "
                            + cert.getPublicKey().getAlgorithm());
                    System.out.println("Cert Public Key Format : "
                            + cert.getPublicKey().getFormat());
                    System.out.println("\n");
                }

            } catch (SSLPeerUnverifiedException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }

        }
    }
}

If I run this program in my OSX dev box (with Oracle Java 1.7.0_51) or in my Windows virtual machine (same Java version) it goes through the SSL handshake as expected. However, I tried running this code in 2 different Linux machines (one running Debian and one running Ubuntu) and I got the SSL handshake error. I tried copying my cacerts from OSX to Linux but the result was the same. Here's the very end of the SSL debug log (what happens before this is pretty standard and seems to be fine):

*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 101, 104, 63, 185, 83, 175, 198, 66, 90, 163, 8, 111 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  warning, close_notify
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 32
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received close_notify during handshake

I also noticed that the program takes a little longer to run when the error happens (about 10s). Any ideas?

Update: I tried to run the program above on OpenJDK 1.6.0_18 on the Ubuntu box and the result was the same. I also tried running the same code on a Debian virtual machine and it worked.

Update: I added the debug level and compared the logs between a machine that's working and one that is not.

Working machine:

Padded plaintext before ENCRYPTION:  len = 48
0000: 14 00 00 0C 5C A9 32 C7   47 B7 B1 83 96 47 D8 D1  ....\.2.G....G..
0010: 9B BD 15 31 51 2E 45 65   81 2B 1B 26 08 08 8D 1A  ...1Q.Ee.+.&....
0020: E2 85 A5 2A 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  ...*............
main, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
0000: 16 03 01 00 30 DB 48 03   85 60 A8 B9 42 0F C6 40  ....0.H..`..B..@
0010: 91 F0 E5 50 1F 41 92 79   5F FE 31 B0 D5 BC D6 61  ...P.A.y_.1....a
0020: C0 50 D6 BB 3D 97 21 A6   ED 50 C1 96 0C 17 BE 41  .P..=.!..P.....A
0030: A8 13 C7 63 C3                                     ...c.
[Raw read]: length = 5
0000: 14 03 01 00 01                                     .....
[Raw read]: length = 1
0000: 01                                                 .
main, READ: TLSv1 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 01 00 30                                     ....0
[Raw read]: length = 48

Non-working machine:

Padded plaintext before ENCRYPTION:  len = 48
0000: 14 00 00 0C C0 77 AD 05   06 CD 4B 55 19 25 22 1E  .....w....KU.%".
0010: 92 2E 87 6D CD 38 06 4E   D2 33 4D 27 4B 2A 05 2B  ...m.8.N.3M'K*.+
0020: DF C2 D1 47 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  ...G............
main, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
0000: 16 03 01 00 30 31 5B 38   C5 0D 02 34 A4 8D BB 2D  ....01[8...4...-
0010: 2E A0 96 8E E0 D4 33 43   27 3F DE FB 2D 53 A4 83  ......3C'?..-S..
0020: 67 73 12 C5 A3 61 0C C1   EA C4 AF 0F 1B 44 5F 7B  gs...a.......D_.
0030: B2 21 4D 51 2D                                     .!MQ-

***** It stops here for about 10s *****

[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 01 00                                              ..
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  warning, close_notify
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message

I guess the main difference is that I get 15 03 01 00 02 in the problematic machines and 14 03 01 00 01 in the working ones.

Here's a more complete debug log for the handshake on the problematic machine:

*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=AC SINCOR RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PF v1, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=AC VALID RFB, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Certisign G3, OU=Instituto Nacional de Tecnologia da Informacao - ITI, O=ICP-Brasil, C=BR>
<CN=AC SOLUTI, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=SERASA Certificadora Digital v1, O=ICP-Brasil, C=BR>
<CN=AC Certisign Multipla G5, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=AC Secretaria da Receita Federal do Brasil, O=ICP-Brasil, C=BR>
<CN=AC Instituto Fenacon RFB, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC BR RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PJ-1 v1, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Presidencia da Republica v2, O=ICP-Brasil, C=BR>
<CN=AC SOLUTI Multipla, OU=AC SOLUTI, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC PRODEST RFB v2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Certisign-JUS G3, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR>
<CN=AC SINCOR RFB G4, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=SERASA Autoridade Certificadora Principal v2, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC OAB, OU=ORDEM DOS ADVOGADOS DO BRASIL CONSELHO FEDERAL, O=ICP-Brasil, C=BR>
<CN=AC Imprensa Oficial G3, OU=Imprensa Oficial do Estado S A IMESP, O=ICP-Brasil, C=BR>
<CN=SERASA Certificadora Digital v2, O=ICP-Brasil, C=BR>
<CN=AC PRODEMGE G2, OU=Companhia de Tecnologia da Informacao do Estado de MG - PRODEMGE, O=ICP-Brasil, C=BR>
<CN=AC PRODEMGE RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC PRODEST RFB V1, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Certisign Multipla G3, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=SERASA Autoridade Certificadora Principal v1, OU=Instituto Nacional de Tecnologia da Informacao - ITI, O=ICP-Brasil, C=BR>
<CN=AC Notarial RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC SERASA RFB v1, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Instituto Fenacon, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=AC VALID, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora do PRODERJ v2, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR>
<CN=AC CAIXA-JUS v1, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR>
<CN=AC CAIXA v1, OU=Autoridade Certificadora Raiz Brasileira v1, O=ICP-Brasil, C=BR>
<CN=AC SINCOR G3, OU=SINCOR-SP - Sindicato dos Corretores de Seguros no Estado de SP, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Casa da Moeda do Brasil, O=ICP-Brasil, C=BR>
<CN=AC Secretaria da Receita Federal do Brasil v3, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC Certisign SPB G5, OU=CSPB-2, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=AC Imprensa Oficial G2, OU=Imprensa Oficial do Estado S A IMESP, O=ICP-Brasil, C=BR>
<CN=AC PRODEMGE RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC FENACON Certisign RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Notarial RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Certisign G5, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC OAB G2, OU=ORDEM DOS ADVOGADOS DO BRASIL CONSELHO FEDERAL, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora Raiz Brasileira v1, OU=Instituto Nacional de Tecnologia da Informacao - ITI, O=ICP-Brasil, C=BR>
<CN=AC BR RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC FENACON Certisign RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC SINCOR G2, OU=SINCOR-SP - Sindicato dos Corretores de Seguros no Estado de SP, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PF v2, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora do SERPRO Final v2, OU=CSPB-1, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora SERPRO v2, O=ICP-Brasil, C=BR>
<CN=AC SERASA-JUS v2, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Casa da Moeda do Brasil v2, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC Certisign RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora SERPRO v3, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Presidencia da Republica v3, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC Imprensa Oficial SP RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Imprensa Oficial SP RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC SERPRO-JUS v4, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora do SERPRORFB, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC PETROBRAS G3, OU=PETROLEO BRASILEIRO S A PETROBRAS, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Justica v3, OU=Instituto Nacional de Tecnologia da Informacao - ITI, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PJ v2, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=SERASA Autoridade Certificadora v2, OU=CSPB-4, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PJ v1, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=AC FENACOR v1, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora Raiz Brasileira v2, OU=Instituto Nacional de Tecnologia da Informacao - ITI, O=ICP-Brasil, C=BR>
<CN=AC VALID BRASIL, OU=Autoridade Certificadora VALID - AC VALID, O=ICP-Brasil, C=BR>
<CN=AC Instituto Fenacon G2, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=AC CAIXA-JUS v2, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR>
<CN=AC SERASA RFB v2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC CAIXA v2, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC SINCOR RFB G3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC Certisign G6, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC Certisign SPB G3, OU=CSPB-2, OU=Certisign Certificadora Digital S.A., O=ICP-Brasil, C=BR>
<CN=AC Instituto Fenacon RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC PRODEMGE G3, OU=Companhia de Tecnologia da Informacao do Estado de MG - PRODEMGE, O=ICP-Brasil, C=BR>
<CN=AC Imprensa Oficial SP G3, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora SERPRORFB v3, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=AC CAIXA PF-1 v1, OU=Caixa Economica Federal, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora da Justica v4, OU=Autoridade Certificadora Raiz Brasileira v2, O=ICP-Brasil, C=BR>
<CN=AC Certisign RFB G4, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR>
<CN=Autoridade Certificadora do SERPRO Final v3, OU=CSPB-1, OU=Servico Federal de Processamento de Dados - SERPRO, O=ICP-Brasil, C=BR>
<CN=SERASA Autoridade Certificadora v1, OU=CSPB-4, O=ICP-Brasil, C=BR>
<CN=AC PETROBRAS G2, OU=PETROLEO BRASILEIRO S A PETROBRAS, O=ICP-Brasil, C=BR>
*** ServerHelloDone
matching alias: reck
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=RECK ADUANEIRA DA AMAZONIA LTDA EPP:04196535000130, OU=Autenticado por Certisign Certificadora Digital, OU=RFB e-CNPJ A1, OU=Secretaria da Receita Federal do Brasil - RFB, L=Manaus, ST=AM, O=ICP-Brasil, C=BR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 24264184986868774817109830233364138275159044314776683839159346319997124349933949877714767467019900893922103704627632635801354814980174333627259816789227876034401362981372036626722143197822471256073667985551606390419290945624717517336706723117075591357700922888857619015416854504245521884304442214801958124913868169748389485419085887733283148575345306707962145302335042268398018623594061588310268698492035969886039355083147115598208957166248264558044010787457176664927563276373784025971208332280527156543734405427875599738053187830200999849548622241460736320436233846016936389807957942162381899068664985384000873470187
  public exponent: 65537
  Validity: [From: Mon Feb 24 20:00:00 AMT 2014,
               To: Tue Feb 24 19:59:59 AMT 2015]
  Issuer: CN=AC Certisign RFB G4, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR
  SerialNumber: [    7fba6035 25b2378c abca9da3 6e5a5932]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://icp-brasil.certisign.com.br/repositorio/certificados/AC_Certisign_RFB_G4.p7c
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.certisign.com.br
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 2E 91 EA D6 6D E5 B2 59   82 DC 38 85 29 76 34 16  ....m..Y..8.)v4.
0010: 56 3C D0 3E                                        V<.>
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://icp-brasil.certisign.com.br/repositorio/lcr/ACCertisignRFBG4/LatestCRL.crl]
, DistributionPoint:
     [URIName: http://icp-brasil.outralcr.com.br/repositorio/lcr/ACCertisignRFBG4/LatestCRL.crl]
, DistributionPoint:
     [URIName: http://repositorio.icpbrasil.gov.br/lcr/Certisign/ACCertisignRFBG4/LatestCRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.76.1.2.1.12]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 5C 68 74 74 70 3A 2F   2F 69 63 70 2D 62 72 61  .\http://icp-bra
0010: 73 69 6C 2E 63 65 72 74   69 73 69 67 6E 2E 63 6F  sil.certisign.co
0020: 6D 2E 62 72 2F 72 65 70   6F 73 69 74 6F 72 69 6F  m.br/repositorio
0030: 2F 64 70 63 2F 41 43 5F   43 65 72 74 69 73 69 67  /dpc/AC_Certisig
0040: 6E 5F 52 46 42 2F 44 50   43 5F 41 43 5F 43 65 72  n_RFB/DPC_AC_Cer
0050: 74 69 73 69 67 6E 5F 52   46 42 2E 70 64 66        tisign_RFB.pdf

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  emailProtection
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.4
  Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.2
  Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.3
  Other-Name: Unrecognized ObjectIdentifier: 2.16.76.1.3.7
  RFC822Name: raraujo@reckaduaneira.com.br
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 2427
SESSION KEYGEN:
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 88, 21, 98, 75, 128, 1, 201, 112, 209, 181, 184, 61 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  warning, close_notify
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 32
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received close_notify during handshake

Update: I mentioned before that the program worked on a Debian virtual machine. It turns out that it depends. If the virtual machine's network adapter is set to NAT (through my OSX dev box), it works indeed. However, if I set the network adapter to bridged and pick up a regular IP in my network, it doesn't work; it gives me the same close_notify error as my production box.

Yet another update: I logged in to one of the problematic machines and set up a reverse ssh tunnel to my box that points to the address in question. Then, I ran the sample program pointing to localhost (instead of the direct address) so that the request gets tunneled to my dev box, which delivers it to the appropriate server. And guess what? It worked. My problem isn't solved though, as this is clearly not an appropriate solution.
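An added example, not code from the question or the answers: a small Python decoder for the JSSE "[Raw read]" dump lines quoted above. It reads the 5-byte TLS record header and the alert body, so the difference between the two machines can be stated precisely: 14 03 01 00 01 is a TLSv1 ChangeCipherSpec record (the expected next step after the client's Finished), while 15 03 01 00 02 is a 2-byte Alert record whose body 01 00 decodes to warning/close_notify.

```python
"""Decode JSSE '[Raw read]' dump lines into TLS record headers and alert bodies.

A TLS record begins with a 5-byte header: content type, version (major, minor) and
body length. The JSSE debug log prints header and body as separate dumps, one per line.
"""
import re
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}


def parse_hexdump_line(line):
    """Return the bytes of one 'NNNN: XX XX ...   XX XX  ascii' dump line."""
    m = re.match(r"^\s*([0-9A-Fa-f]{4}):\s*(.*)$", line)
    if not m:
        raise ValueError(f"not a hex-dump line: {line!r}")
    out = bytearray()
    # Hex groups are separated by 2+ spaces; the ASCII column is the first non-hex group.
    for chunk in re.split(r"\s{2,}", m.group(2).strip()):
        tokens = chunk.split(" ")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
            break
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def parse_record_header(header):
    """Decode the 5-byte TLS record header (type, version, length)."""
    if len(header) != 5:
        raise ValueError("TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", header)
    return {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length}


def parse_alert(body):
    """Decode a 2-byte TLS alert body (level, description)."""
    if len(body) != 2:
        raise ValueError("TLS alert body is 2 bytes")
    level, desc = body[0], body[1]
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}


def classify_after_client_finished(header_line, body_line):
    """Interpret the first record read back after the client has sent its Finished."""
    header = parse_record_header(parse_hexdump_line(header_line))
    body = parse_hexdump_line(body_line)
    if header["length"] != len(body):
        raise ValueError("record body length does not match header")
    kind = header["content_type"]
    if kind == "change_cipher_spec":
        return "expected: server ChangeCipherSpec; its Finished should follow"
    if kind == "alert":
        alert = parse_alert(body)
        if alert["description"] == "close_notify":
            return ("peer closed mid-handshake: alert warning/close_notify "
                    "(JSSE reports 'Received close_notify during handshake')")
        return f"peer alert: {alert['level']}/{alert['description']}"
    return f"unexpected {kind} record during handshake"


# Dump lines constructed from the two debug logs quoted in the question.
WORKING_READ = ("0000: 14 03 01 00 01                                     .....",
                "0000: 01                                                 .")
BROKEN_READ = ("0000: 15 03 01 00 02                                     .....",
               "0000: 01 00                                              ..")

if __name__ == "__main__":
    for name, (hdr, body) in (("working", WORKING_READ), ("broken", BROKEN_READ)):
        print(f"{name}: {parse_record_header(parse_hexdump_line(hdr))} -> "
              f"{classify_after_client_finished(hdr, body)}")
```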

It looks like the server didn't like the certificate you sent. You need to copy the keystore from the working platform to the non-working platform.

I would need to see more of the SSL dump, starting from say the CertificateRequest message, to assist further.

As it turns out, the problem had nothing to do with Java and everything to do with the cable modem my ISP provided me with. My network setup is as follows:

  • TP-Link TL-ER5120 serves as gateway and firewall (and link load balancer)
  • Two internet links served by two identical Thomson DWG874B cable modems
  • One internet link served by a TL-MR3020 connected to a 3G USB modem

The 3G modem is a failover measure, really. If I routed the server traffic through the 3G modem, the SSL connection would work. So the problem was either with the cable modems or the ISP itself. I use the same ISP at home (with a different cable modem) and the connection worked. So I pinned it down to the cable modem.

That cable modem is actually a wireless router as well (although wireless is disabled). The modem has a DHCP server that assigns my firewall a local IP. So while my actual local network is something like 192.168.0.x, there was another network between my firewall and the cable modem, let's say 192.168.1.x, and the cable modem had a public IP address. I never really liked this setup, but it didn't seem to cause any harm so I lived with it.

The cable modem has a setting that makes it behave as a pure cable modem and assigns whatever is connecting to it the public IP from the ISP. The setting is called switch mode, as shown below (the previous setting was Legacy RG IPv4 Mode).

[Image: Thomson configuration page]

As soon as I used that, my SSL connections to that specific website started working again from Linux. I have no clue what was going on, but I am glad it's fixed.
