SSL + Java 8 + OpenJDK + SNI + HTTPClient =握手失败

Question

I have some code that's been working for a long time that gets data from webapps over HTTP. It uses Apache HTTPClient (v. 4.5.2) and works great for sites with and without SSL.

Recently, I've tried to use if for another site that happens to use SNI. Everything works great on my Windows machine, but if I try to run it on an AWS EC2 Linux instance, I get a handshake failure (because of the SNI).

Here's what I'm running:

Windows Java

• java version "1.8.0_101"
• Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
• Java HotSpot(TM) Client VM (build 25.101-b13, mixed mode, sharing)

AWS Linux Java

• openjdk version "1.8.0_91"
• OpenJDK Runtime Environment (build 1.8.0_91-b14)
• OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

I'm not sure which component is ultimately responsible for the failure (Java 8, the runtime environment, HTTPClient).

I have seen this ( https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension ), but I'm not sure how to adapt this for HTTPClient. And besides, if I had to make code changes, why would it work on Windows?

Anyone have any idea what I should do?

Edit : As suggested, I looked into the jsse.enableSNIExtension property. This seemed wrong because it looks like it's a way to turn SSL off which isn't what I want.

I tried it turned on/off on Windows, and things only worked with it on. On Linux, when it was turned on I continue to get a handshake failure.

Here's the output:

Windows - System.setProperty("jsse.enableSNIExtension", "false");
=================================================================

pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 189
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT:  fatal, internal_error
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error


Windows - System.setProperty("jsse.enableSNIExtension", "true");
================================================================

pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2


Linux - System.setProperty("jsse.enableSNIExtension", "true");
==============================================================

pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Answer 1

In our case the root cause was that the (Java) client and the server could not agree on a sufficently strong cipher suite. The solution was to install "Unlimited Strength JCE" from https://www.oracle.com/technetwork/java/javase/downloads/jce-all-download-5170447.html

This should not be a problem for Java version >= 1.8.0_161

Answer 2

我有同样的问题，不确定你是否被允许这样做，或者如果你在文档中注意到这一点，但我添加了选项-Djsse.enableSNIExtension=false ，它对我-Djsse.enableSNIExtension=false 。