[英]Java 8 javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated, but not Java 7
I have an issue when switching my application from Java 7 to Java 8. After changing the JDK I start getting this SSLPeerUnverified Exception. 将应用程序从Java 7切换到Java 8时出现问题。更改JDK后,我开始收到此SSLPeerUnverified异常。 Changing back to Java7, there is no exception.
改回Java7,也不例外。
I found this question: SSL connection failing for Java 7 which implies that this may be related to a server side issue. 我发现了这个问题: Java 7的SSL连接失败,这意味着这可能与服务器端问题有关。 Our server is indeed running on an Ubuntu machine, but it is running Java8 as well (sun Java8)
我们的服务器确实在Ubuntu机器上运行,但它也在运行Java8(sun Java8)
Not sure what else would be helpful to post. 不确定发布还有什么其他内容。 I can provide code samples if needed/useful.
如果需要/有用,我可以提供代码示例。 I didn't incude them now because it appears as though the code is not the issue.
我现在没有把它们包括在内,因为好像代码不是问题。
Edit - link to my extension of SSLSocketFactory: http://pastebin.com/2j6HDHE7 编辑 - 链接到我的SSLSocketFactory扩展: http : //pastebin.com/2j6HDHE7
Edit2 - Http client code: Edit2 - Http客户端代码:
private HttpClient getHttpClient() throws GeneralSecurityException, IOException {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(CommandChannel.class.getResourceAsStream("myKeystore"), "myPassword".toCharArray());
final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore);
final SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
registry.register(new Scheme("https", 443, sslSocketFactory));
final HttpParams params = new BasicHttpParams();
HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params);
paramsBean.setVersion(HttpVersion.HTTP_1_1);
paramsBean.setContentCharset("UTF_8");
final ClientConnectionManager ccm = new BasicClientConnectionManager(registry);
final DefaultHttpClient httpClient = new DefaultHttpClient(ccm, params);
return httpClient;
}
Including the SSL-debug information from java8 & java7 below. 包括来自java8和java7的SSL调试信息。
Java 8 SSL debug trace: Java 8 SSL调试跟踪:
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389745002 bytes = { 220, 201, 110, 4, 38, 166, 25, 166, 235, 253, 71, 242, 226, 124, 22, 149, 28, 207, 242, 25, 201, 123, 218, 56, 207, 67, 195, 17 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
JavaFX Application Thread, WRITE: TLSv1.2 Handshake, length = 207
JavaFX Application Thread, received EOFException: error
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2
JavaFX Application Thread, called closeSocket()
JavaFX Application Thread, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
18:49:14,951 ERROR [logger] [LoginController] Error logging in due to: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
com.limebrokerage.portal.communication.command.CommandChannelException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Java 7 SSL debug trace of the same bit of code: Java 7 SSL调试跟踪相同位代码:
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 91, 88, 192, 29, 58, 48, 211, 105, 40, 40, 138, 204, 154, 113, 233, 213, 120, 99, 3, 223, 26, 233, 123, 150, 251, 245, 186, 246 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 149
JavaFX Application Thread, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218 }
Session ID: {83, 214, 216, 91, 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
JavaFX Application Thread, READ: TLSv1 Handshake, length = 1522
*** Certificate chain
chain [0] = [
[
Version: V3
Not for sure an answer, but too long for a comment. 不确定答案,但评论太久了。
Your real problem is the server disconnect on hello and resulting SSLHandshakeException
; 你真正的问题是hello上的服务器断开连接以及产生的
SSLHandshakeException
; SSLPeerUnverifiedException
is collateral damage because the handshake didn't reach the authentication stage. SSLPeerUnverifiedException
是附带损害,因为握手未到达身份验证阶段。 The obvious difference is that Java 8 is sending TLSv1.2 ClientHello where Java 7 sent TLSv1. 明显的区别是Java 8正在发送TLSv1.2 ClientHello,其中Java 7发送了TLSv1。
Java 7 implemented 1.1 and 1.2, but didn't enable them on client by default; Java 7实现了1.1和1.2,但默认情况下没有在客户端上启用它们; 8 does, see https://bugs.openjdk.java.net/browse/JDK-7093640 .
8确实如此,请参阅https://bugs.openjdk.java.net/browse/JDK-7093640 。 A correctly written server stack that doesn't support 1.2 should negotiate down to 1.1 or 1(.0), but your unidentified server apparently doesn't, or possibly something in-between like a firewall is messing up your connection.
正确编写的不支持1.2的服务器堆栈应该协商下降到1.1或1(.0),但是您的未识别服务器显然没有,或者可能是防火墙之间的某些东西搞乱了您的连接。 If you have or get OpenSSL, commandline
openssl s_client
will let you easily try different versions (and ciphers and some options) to see what does and does not work. 如果您拥有或获得OpenSSL,命令行
openssl s_client
将让您轻松尝试不同的版本(以及密码和一些选项),以查看哪些功能有效,哪些功能无效。 Or you could have https://www.ssllabs.com/ssltest/ do their canned but fairly thorough tests. 或者您可以通过https://www.ssllabs.com/ssltest/进行罐装但相当彻底的测试。
The bug entry says you can set sysprop jdk.tls.client.protocols
and that works for me in a minimal SSLSocket (not HTTP) app on 8u05. 错误条目说你可以设置sysprop
jdk.tls.client.protocols
,这对我来说适用于8u05上的最小SSLSocket(非HTTP)应用程序。 Or since you're already doing a modified SSLSocketFactory
, I expect you could do setEnabledProtocols
on the sockets you create. 或者既然您已经在修改了
SSLSocketFactory
,我希望您可以在您创建的套接字上执行setEnabledProtocols
。
FWIW, when OpenSSL release 1.0.1 in March 2012 "silently" turned on protocols 1.1 and 1.2 (it was prominent in the release notes, but approximately nobody reads release notes), the support list got lots of complaints, I'd guess over a hundred total, of servers that suddenly started failing, crashing, or hanging until clients reverted to 1.0. FWIW,当2012年3月OpenSSL 1.0.1版“默默地”启用协议1.1和1.2时(它在发行说明中很突出,但大约没有人读取发行说明),支持列表得到了很多抱怨,我猜一百个服务器突然开始出现故障,崩溃或挂起,直到客户端恢复到1.0。 OpenSSL ended up implementing a workaround that can artificially decrease or increase some data in the ClientHello to avoid the most "provocative" sizes;
OpenSSL最终实现了一种解决方法,可以人为地减少或增加ClientHello中的一些数据,以避免最“挑衅”的大小; I don't know if JSSE does or can do something similar.
我不知道JSSE是否可以做类似的事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.