SSLHandshakeException trying to connect to a server over SSL
I'm trying to make a GET request from a Java/Spring 4 application to a resource on a remote server over SSL. Say the resource is:
https://remote-app/foo.pdf
My application uses https://github.com/square/okhttp as an HTTP client to do the operation.
Unfortunately it is throwing an exception on this resource, but surprisingly succeeds on other resources that are exposed over SSL on other servers.
Here is the exception that I'm getting:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_51]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_51]
at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:103) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Connection.connect(Connection.java:143) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Call.getResponse(Call.java:273) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201) ~[okhttp-2.4.0.jar!/:na]
at com.squareup.okhttp.Call.execute(Call.java:81) ~[okhttp-2.4.0.jar!/:na]
at com.org.package.util.Utils.getUrlResponse(MyUtils.java:54) ~[app-0.0.1-SNAPSHOT.jar!/:na]
at com.org.package.service.impl.MyApp.uploadUrl(MyApp.java:303) [app.jar!/:na]
at com.org.package.service.impl.MyApp.uploadResource(MyApp.java:135) [app.jar!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_51]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_51]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_51]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_51]
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at com.sun.proxy.$Proxy155.uploadR(Unknown Source) [na:na]
at com.org.myprocess.receiveRequest(Processor.java:42) [app.jar!/:na]
at com.org.myprocess$$FastClassBySpringCGLIB$$e05dc31.invoke(<generated>) [spring-core-4.1.7.RELEASE.jar!/:na]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) [spring-core-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:717) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) [spring-tx-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653) [spring-aop-4.1.7.RELEASE.jar!/:4.1.7.RELEASE]
at com.org.myprocess$$EnhancerBySpringCGLIB$$d16a8116.receiveRequest(<generated>) [spring-core-4.1.7.RELEASE.jar!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_51]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_51]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_51]
at java.lang.reflect.Method.invoke(Method.java:497) ~[na:1.8.0_51]
at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:185) [spring-messaging-4.1.6.RELEASE.jar!/:4.1.6.RELEASE]
at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:104) [spring-messaging-4.1.6.RELEASE.jar!/:4.1.6.RELEASE]
at org.springframework.messaging.handler.invocation.AbstractMethodMessageHandler.handleMatch(AbstractMethodMessageHandler.java:447) [spring-messaging-4.1.6.RELEASE.jar!/:4.1.6.RELEASE]
at org.springframework.messaging.handler.invocation.AbstractMethodMessageHandler.handleMessageInternal(AbstractMethodMessageHandler.java:408) [spring-messaging-4.1.6.RELEASE.jar!/:4.1.6.RELEASE]
at org.springframework.messaging.handler.invocation.AbstractMethodMessageHandler.handleMessage(AbstractMethodMessageHandler.java:346) [spring-messaging-4.1.6.RELEASE.jar!/:4.1.6.RELEASE]
at org.springframework.cloud.aws.messaging.listener.SimpleMessageListenerContainer.executeMessage(SimpleMessageListenerContainer.java:160) [spring-cloud-aws-messaging-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
at org.springframework.cloud.aws.messaging.listener.SimpleMessageListenerContainer$MessageExecutor.run(SimpleMessageListenerContainer.java:226) [spring-cloud-aws-messaging-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
at org.springframework.cloud.aws.messaging.listener.SimpleMessageListenerContainer$SignalExecutingRunnable.run(SimpleMessageListenerContainer.java:250) [spring-cloud-aws-messaging-1.0.3.RELEASE.jar!/:1.0.3.RELEASE]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_51]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_51]
Suppressed: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
... 60 common frames omitted
I tried curl from the machine on which my app is deployed:
curl -v https://www.remote-app/foo.pdf
Response>>>
Trying 121.1.102.15...
* Connected to www.remote-app (121.1.102.15) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
But then I tried passing the cipher algorithm to use and it works:
curl -v --cipher ecdhe_rsa_aes_128_gcm_sha_256 https://www.remote-app/foo.pdf
Response>>>
Trying 121.1.102.15...
200 OK...
Content...
Content...
Now my question is how can I make my app connect to different SSL servers that might have different SSL configurations, because the app connects to most resources over SSL but not all.
Or how can I support more cipher suites that could be used by different servers? (assuming that's the right issue)
Yay, so I got the solution. Java comes with certain ciphers that are disabled by default and some enabled. Here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
Surprisingly all the 4 ciphers that I mentioned above are in the "enabled-by-default" table. But below the list of ciphers they mentioned:
Cipher suites that use Elliptic Curve Cryptography (ECDSA, ECDH, ECDHE, ECDH_anon) require a JCE cryptographic provider that meets the following requirements: a... b... c...
Searching for JAVA JCE provider will lead you to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Download the zip file and you'll get two jar files inside: local_policy.jar and us_export_policy.jar
Place those two jar files in the security folder inside your JRE: jdk1.8.jdk/Contents/Home/jre/lib/security/
Cheers!
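A diagnostic to run on the same JVM as the application, before and after changing the policy jars. It is an added example and not code from the question or the answer. It reports whether the suite that worked with curl is supported and enabled in JSSE, and which AES key length the installed policy files allow. The class name `TlsCipherCheck` and the optional host argument are assumptions, as is the mapping of curl/NSS `ecdhe_rsa_aes_128_gcm_sha_256` to the JSSE name `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.List;

// Added diagnostic (not from the original post).
public class TlsCipherCheck {
    // Assumed JSSE name of the suite curl/NSS calls ecdhe_rsa_aes_128_gcm_sha_256.
    static final String WANTED = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        List<String> enabled = Arrays.asList(defaults.getCipherSuites());
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());

        System.out.println("java.version       : " + System.getProperty("java.version"));
        // 128 = limited-strength policy jars active; Integer.MAX_VALUE = unlimited.
        System.out.println("max AES key length : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("enabled protocols  : " + Arrays.toString(defaults.getProtocols()));
        System.out.println(WANTED + " supported=" + supported.contains(WANTED)
                + " enabled=" + enabled.contains(WANTED));

        // Full list the client will offer in its ClientHello, in preference order.
        System.out.println("enabled cipher suites (" + enabled.size() + "):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        // Optional: handshake with a host given on the command line and
        // print what was actually negotiated.
        if (args.length == 1) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443)) {
                s.startHandshake();
                System.out.println("negotiated: " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            }
        }
    }
}
```

Passing the remote host name as the only argument makes it attempt the handshake; a server with no suite in common fails with the same `SSLHandshakeException` shown in the question. Comparing the printed list with what the server accepts shows which suite is missing on the client side.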