Java 8,JCE无限强度策略和TLS上的SSL握手
[英]Java 8 , JCE Unlimited Strength Policy and SSL Handshake over TLS
问题描述
With Java 8, server which only supports TLSv1 , it fails to make secure socket connection from cent OS 
对于仅支持TLSv1 Java 8服务器,它无法从分支OS进行安全套接字连接
Version 版
java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)
Source 资源
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
/**
* Created by jigar.joshi on 6/10/15.
*/
public class SSLTester {
public static void main(String[] args) throws Exception {
SSLSocketFactory f =
(SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) f.createSocket("efm.sandbox.vovici.com", 443 );
try {
printSocketInfo(socket);
socket.startHandshake();
System.out.println("----------------------------------SUCCESS----------------------------------");
BufferedReader r = new BufferedReader(
new InputStreamReader(socket.getInputStream()));
String m = null;
while ((m = r.readLine()) != null) {
System.out.println(m);
}
r.close();
socket.close();
} catch (IOException e) {
e.printStackTrace();
System.err.println(e.toString());
}
}
private static void printSocketInfo(SSLSocket s) {
System.out.println("Socket class: " + s.getClass());
System.out.println(" Remote address = "
+ s.getInetAddress().toString());
System.out.println(" Remote port = " + s.getPort());
System.out.println(" Local socket address = "
+ s.getLocalSocketAddress().toString());
System.out.println(" Local address = "
+ s.getLocalAddress().toString());
System.out.println(" Local port = " + s.getLocalPort());
System.out.println(" Need client authentication = "
+ s.getNeedClientAuth());
SSLSession ss = s.getSession();
System.out.println(" Cipher suite = " + ss.getCipherSuite());
System.out.println(" Protocol = " + ss.getProtocol());
}
}
With same version of JVM, it makes handshake successfully on OSX, it fails on centOS, Failure reason is it only tries to use TLSv1.2 (default in JVM 8) and doesn't try lower protocol 使用相同版本的JVM,它在OSX上成功握手,在TLSv1.2上失败,失败的原因是它只尝试使用TLSv1.2 (JVM 8中的默认值)并且不尝试使用较低的协议
debug notes: 调试说明:
-Ddeployment.security.TLSv1.0=true
-Ddeployment.security.TLSv1=true
-Ddeployment.security.TLSv1.1=false
-Ddeployment.security.TLSv1.2=false
-Djavax.net.debug=ssl:handshake:verbose
Question: 题:
Why it is able to choose
TLSv1on OSX and not on CentOS?为什么它能够在OSX上而不是在CentOS上选择TLSv1?How can I tell JVM to use protocols in specific order or if it considers order by the version then how can I tell it to also try with
v1如何告诉JVM按特定顺序使用协议,或者如果它按版本考虑顺序,那么我怎么能告诉它也尝试使用v1
Edit: 编辑:
I have unlimited strength JCE policies installed with JRE that is causing this, it works without that so OSX and CentOS difference is gone, How can I still make it work ? 我有无限强度JCE策略与JRE一起安装,导致这种情况,它没有这个,所以OSX和CentOS差异消失了,我怎么能让它工作?
Edit: 编辑:
Output 产量
Socket class: class sun.security.ssl.SSLSocketImpl
Remote address = efm.sandbox.vovici.com/206.132.29.15
Remote port = 443
Local socket address = /10.10.152.143:50376
Local address = /10.10.152.143
Local port = 50376
Need client authentication = false
Cipher suite = SSL_NULL_WITH_NULL_NULL
Protocol = NONE
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1529)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1541)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at SSLTester.main(SSLTester.java:24)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:980)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2225)
at SSLTester.printSocketInfo(SSLTester.java:56)
at SSLTester.main(SSLTester.java:23)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
... 5 more
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
1 个解决方案
解决方案1
2 已采纳 2015-06-12 02:04:04
Try limiting the protocols to just TLSv1 using: 尝试使用以下方法将协议限制为TLSv1 :
-Djdk.tls.client.protocols=TLSv1
See this page for more details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2 有关更多详细信息,请参阅此页面: https : //docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2
Hope this helps, 希望这可以帮助,
Yuri 尤里
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.