堆栈内存溢出
  简体   繁体   English

Android TLSv1.2 handshake_failure

[英]Android TLSv1.2 handshake_failure

 原文  2015-07-01 10:36:46       java/ android/ ssl

问题描述

The Android platform is 5.0.2. Android平台是5.0.2。

I am unable to connect from a desktop application to an android app using TLSv1.2, though I am able to do the reverse. 我无法使用TLSv1.2从桌面应用程序连接到android应用程序,尽管我可以做相反的事情。 The application works for desktop <-> desktop, but when it comes to desktop -> android, the handshake fails. 该应用程序适用于桌面<->桌面,但是当涉及到桌面-> android时,握手失败。

When using debug on the desktop application, I see he following debug lines: 在桌面应用程序上使用调试时,我看到他的调试行如下: 

adding as trusted cert:
  Subject: CN=TestRoot
  Issuer:  CN=TestRoot
  Algorithm: RSA;

adding as trusted cert:
  Subject: CN=TestSigner
  Issuer:  CN=TestRoot
  Algorithm: RSA;

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1418912953 bytes = { 5, 193, 122, 165, 40, 110, 181, 22, 3, 133, 209, 175, 31, 56, 29, 235, 82, 140, 141, 158, 205, 97, 136, 187, 230, 198, 241, 112 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
Thread-46, WRITE: TLSv1.2 Handshake, length = 249
Thread-24, handling exception: java.net.SocketTimeoutException: Read timed out
Thread-46, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 905935073 bytes = { 70, 15, 125, 227, 193, 86, 235, 186, 12, 219, 240, 109, 180, 181, 203, 28, 6, 189, 236, 176, 45, 86, 2, 90, 24, 207, 44, 91 }
Session ID:  {250, 151, 123, 72, 39, 220, 84, 212, 89, 136, 34, 51, 253, 53, 165, 192, 120, 214, 113, 233, 49, 31, 13, 112, 106, 18, 124, 146, 229, 185, 154, 11}
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-8, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Thread-46, READ: TLSv1.2 Handshake, length = 2687
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=test
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: ...
  public exponent: 65537
  Validity: [From: Wed Jul 01 21:02:36 SGT 2015,
               To: Fri Jul 01 21:02:36 SGT 2016]
  Issuer: CN=TestSigner
  SerialNumber: [    093fc5c0 639f34bb]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]

]
  Algorithm: [SHA256withRSA]
  Signature:
  ...
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=TestSigner
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 15360 bits
  modulus: ...
  public exponent: 65537
  Validity: [From: Sun Aug 03 22:55:15 SGT 2014,
               To: Fri Aug 03 22:55:15 SGT 2114]
  Issuer: CN=TestRoot
  SerialNumber: [    494777f7 98569fd6]

Certificate Extensions: 2
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
]

[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: test@test.com
]

]
  Algorithm: [SHA256withRSA]
  Signature:
  ...
]
Thread-46, READ: TLSv1.2 Handshake, length = 910
*** Diffie-Hellman ServerKeyExchange
DH Modulus:  { 166, 241, 11, 8, 243, 4, 185, 96, 190, 71, 193, 62, 163, 205, 160, 207, 181, 199, 71, 132, 191, 101, 216, 140, 218, 160, 84, 141, 28, 116, 171, 120, 30, 85, 172, 246, 166, 127, 12, 76, 118, 210, 152, 43, 171, 231, 2, 45, 172, 240, 255, 37, 156, 58, 172, 186, 146, 122, 216, 37, 171, 152, 228, 88, 69, 102, 126, 153, 188, 137, 22, 107, 236, 213, 243, 162, 19, 209, 249, 145, 164, 106, 188, 75, 35, 53, 247, 22, 116, 79, 98, 218, 16, 40, 33, 67, 238, 131, 106, 63, 196, 90, 73, 42, 130, 217, 72, 180, 7, 198, 27, 79, 156, 120, 48, 166, 247, 3, 119, 96, 168, 78, 187, 171, 121, 81, 205, 205 }
DH Base:  { 106, 135, 220, 55, 213, 177, 10, 221, 116, 124, 79, 217, 180, 115, 28, 65, 155, 45, 84, 89, 64, 79, 163, 4, 40, 141, 253, 113, 170, 157, 250, 52, 23, 204, 129, 202, 110, 76, 204, 85, 162, 81, 6, 233, 250, 234, 140, 8, 52, 8, 80, 135, 152, 37, 154, 73, 56, 218, 46, 166, 112, 45, 242, 23, 175, 254, 74, 220, 68, 175, 16, 243, 191, 81, 108, 10, 3, 130, 47, 243, 253, 91, 231, 189, 61, 12, 207, 229, 83, 168, 152, 241, 115, 251, 68, 153, 103, 63, 208, 54, 221, 131, 194, 202, 182, 67, 8, 21, 132, 110, 7, 136, 75, 108, 17, 244, 113, 188, 33, 136, 45, 19, 102, 10, 114, 80, 84, 128 }
Server DH Public Key:  { 105, 32, 79, 179, 156, 35, 191, 64, 76, 243, 253, 64, 144, 103, 176, 207, 202, 131, 230, 244, 70, 233, 209, 197, 136, 48, 104, 125, 175, 230, 189, 158, 207, 57, 154, 32, 243, 130, 180, 140, 139, 244, 121, 37, 47, 204, 216, 194, 112, 132, 31, 236, 181, 65, 106, 32, 13, 94, 146, 146, 100, 203, 201, 242, 246, 134, 235, 95, 157, 28, 253, 94, 116, 144, 17, 8, 20, 65, 24, 161, 30, 132, 138, 221, 252, 42, 106, 53, 246, 46, 107, 204, 200, 8, 145, 126, 86, 114, 187, 203, 195, 223, 194, 246, 244, 90, 174, 138, 41, 219, 122, 99, 153, 62, 128, 44, 4, 86, 97, 241, 240, 154, 217, 237, 16, 10, 56, 51 }
Anonymous
Thread-46, READ: TLSv1.2 Handshake, length = 192
*** CertificateRequest
Cert Types: Fixed DH (RSA sig), Fixed DH (DSS sig), RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=TestRoot>
<CN=TestRoot>
*** ServerHelloDone
ssl: Ignoring alias test2: issuers do not match
*** Certificate chain
ssl: KeyMgr: no matching key found
***
*** ClientKeyExchange, DH
DH Public key:  { 52, 163, 115, 254, 1, 232, 205, 222, 138, 84, 34, 200, 12, 63, 80, 16, 172, 212, 136, 187, 194, 86, 100, 45, 156, 223, 34, 79, 124, 42, 51, 178, 148, 160, 183, 161, 62, 253, 144, 56, 112, 210, 99, 200, 52, 112, 228, 168, 194, 246, 81, 114, 21, 209, 185, 47, 166, 216, 30, 72, 14, 230, 196, 162, 68, 220, 210, 182, 223, 104, 116, 53, 13, 117, 116, 251, 128, 230, 173, 167, 34, 17, 135, 100, 154, 246, 143, 213, 9, 77, 84, 105, 97, 78, 86, 201, 155, 109, 173, 48, 29, 115, 67, 34, 16, 103, 40, 92, 224, 62, 215, 50, 172, 60, 148, 133, 248, 91, 44, 155, 141, 129, 221, 13, 231, 137, 162, 238 }
Thread-46, WRITE: TLSv1.2 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
...
CONNECTION KEYGEN:
Client Nonce:
...
Server Nonce:
...
Master Secret:
...
Client MAC write Secret:
...
Server MAC write Secret:
...
Client write key:
...
Server write key:
...
... no IV derived for this protocol
Thread-46, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 48, 1, 70, 112, 37, 1, 12, 205, 242, 80, 92, 219 }
***
Thread-46, WRITE: TLSv1.2 Handshake, length = 80
Thread-46, READ: TLSv1.2 Alert, length = 2
Thread-46, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-8, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256]
Thread-46, called closeSocket()
Thread-46, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1104)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)

How to fix this? 如何解决这个问题?

1 个解决方案

解决方案1
 0  2015-07-01 10:45:49

Can you set the debug flag 你可以设置调试标志 

-Djavax.net.debug=ssl,handshake,failure

I am guessing that you are likely hitting the key strength issue which is more if you have higher number of bits. 我猜想您可能会遇到关键强度问题,如果您具有更高的位数,则可能会更多。 You need to download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files which enables the key strength of higher bits. 您需要下载Java密码学扩展(JCE)无限强度管辖权策略文件 ,该文件可启用较高位的密钥强度。

Handling and Identifying SSL Handshake failures. 处理和识别SSL握手失败。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 TLSv1.2 PC =&gt; Android 5.0.2 handshake_failure - TLSv1.2 PC => Android 5.0.2 handshake_failure 带有Java 7和Wildlfy 8的TLSv1.2-handshake_failure - TLSv1.2 with Java 7 and Wildlfy 8 - handshake_failure Java 8 RECV TLSv1.2 警报:致命,握手失败 - Java 8 RECV TLSv1.2 ALERT: fatal, handshake_failure Java 7:发送TLSv1.2警报:致命,描述= handshake_failure ule子 - Java 7: SEND TLSv1.2 ALERT: fatal, description = handshake_failure mule 带有TLSv1.2的Java 7连接到LDAPS握手失败 - Java 7 with TLSv1.2 connect to LDAPS handshake failure 带有 TLSv1.2 问题的 Android &lt; 5.0 (Lollipop) 中的套接字握手 - Socket Handshake in Android < 5.0 (Lollipop) with TLSv1.2 problem Jboss-握手失败-使用TLSv1.1而不是TLSv1.2的客户端连接 - Jboss - handshake failure - client connection using TLSv1.1 instead of TLSv1.2 Java 1.8:TLSv1.2 ClientHello握手失败(缺少椭圆曲线扩展?) - Java 1.8: TLSv1.2 ClientHello handshake failure (missing elliptical curve extensions?) Java 1.6 TLS 1.2 handshake_failure - Java 1.6 TLS 1.2 handshake_failure Thread-6,RECV TLSv1 ALERT:致命,handshake_failure - Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM