在Linux上运行的Java应用程序在某些网站上收到SSL握手错误
[英]Java app running on Linux is getting an SSL handshake error on certain websites
问题描述
I have a Java application that's trying to connect over HTTPS to a web application. 
我有一个Java应用程序试图通过HTTPS连接到Web应用程序。 When I run it on my Windows box everything works great, but on an AWS Linux box I get a handshake error. 当我在我的Windows机器上运行它时,一切都很好,但在AWS Linux机器上,我得到握手错误。 Here's the versions of software that I'm using: 这是我正在使用的软件版本:
Windows Java Windows Java
- java version "1.8.0_101" java版“1.8.0_101”
- Java(TM) SE Runtime Environment (build 1.8.0_101-b13) Java(TM)SE运行时环境(版本1.8.0_101-b13)
- Java HotSpot(TM) Client VM (build 25.101-b13, mixed mode, sharing) Java HotSpot(TM)客户端VM(版本25.101-b13,混合模式,共享)
AWS Linux Java AWS Linux Java
- openjdk version "1.8.0_91" openjdk版本“1.8.0_91”
- OpenJDK Runtime Environment (build 1.8.0_91-b14) OpenJDK运行时环境(版本1.8.0_91-b14)
- OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode) OpenJDK 64位服务器VM(内置25.91-b14,混合模式)
My initial guess was that the problem was due to SNI since that's how the webapp that I'm connecting to is set up. 我最初的猜测是问题是由于SNI,因为这就是我连接的webapp的设置方式。 However, when I look at the debug log I see that on Linux it's saying: 但是,当我查看调试日志时,我在Linux上看到它说:
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
This makes me think that SNI is being handled properly. 这让我觉得SNI正在得到妥善处理。
I'm beginning to think that the root of the problem is that my client and the server can't agree on a cipher suite which makes the handshake fail. 我开始认为问题的根源在于我的客户端和服务器无法就使密码套件达成一致而导致握手失败。 I see that on Windows TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is being used. 我在Windows上看到正在使用TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256。 I also see that this cipher suite seems to be absent on Linux. 我也看到Linux上似乎没有这个密码套件。
I'm really not sure I fully understand everything that's happening in the debug dump, so hopefully someone can confirm my suspicions and suggest how to fully fix this problem. 我真的不确定我完全理解调试转储中发生的一切,所以希望有人可以证实我的怀疑,并建议如何完全解决这个问题。
Here's what's happening on Linux which fails with a handshake exception 这是Linux上发生的事情,它因握手异常而失败
2016/08/26 22:52:35:882 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:52:35:891 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:52:35:893 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:52:35:907 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abus eipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:52:35:937 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:52:36:038 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489140 bytes = { 189, 42, 2, 83, 215, 159, 170, 114, 166, 145, 86, 76, 205, 19, 222, 103, 15, 89, 159, 24 , 126, 130, 219, 181, 48, 109, 132, 79 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RS A_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_ SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES _256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_R SA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV ]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withE CDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016/08/26 22:52:36:199 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Shutdown connection
2016/08/26 22:52:36:200 EDT [DEBUG] MainClientExec - -Connection discarded
2016/08/26 22:52:36:200 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Close connection
2016/08/26 22:52:36:200 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection released: [id: 0][route: {s}->https://www.ab useipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Error: Received fatal alert: handshake_failure
Elapsed Time: 356 ms
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager is shutting down
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager shut down
Here's what happens on Windows that works: 以下是在Windows上运行的情况:
2016/08/26 22:59:27:224 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:59:27:228 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:59:27:228 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipd
b.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:59:27:258 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.ab
useipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:59:27:286 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:59:27:362 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489551 bytes = { 69, 36, 118, 201, 252, 93, 212, 32, 99, 181, 94, 8, 249, 138, 165, 81, 11, 108, 104, 8
7, 246, 104, 115, 107, 240, 195, 111, 25 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DS
S_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_S
HA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_
AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA25
6, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_D
SS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_C
BC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DS
S_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1
, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp
192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256wit
hECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1114532124 bytes = { 84, 54, 245, 62, 187, 242, 188, 165, 192, 49, 29, 203, 96, 228, 212, 99, 190, 50, 149
, 219, 193, 146, 98, 47, 55, 155, 153, 148 }
Session ID: {215, 1, 126, 144, 1, 117, 237, 244, 231, 139, 61, 205, 198, 118, 31, 104, 79, 113, 148, 163, 72, 102, 159, 154, 7
9, 160, 201, 174, 102, 35, 3, 107}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1 个解决方案
解决方案1
3 已采纳 2016-08-27 20:20:10
According to the SSLLabs report the site requires ECDHE ciphers. 根据SSLLabs的报告,该网站需要ECDHE密码。 Your linux client does not support these ciphers while your windows client does. 您的Linux客户端不支持这些密码,而您的Windows客户端则支持这些密码。
ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine indicates that this might be a problem of OpenJDK vs. Oracle JDK. 在EC2 Linux机器上安装的OpenJDK 8不支持的ECDHE密码套件表明这可能是OpenJDK与Oracle JDK的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
Linux中的Java SSL握手失败,但OSX和Windows中没有 - Java SSL handshake failure in Linux but not in OSX and Windows
Java SSL 握手错误 - Tomcat 密钥库 - Java SSL handshake error - Tomcat keystore
使用Java的WebSphere的SSL握手错误 - SSL Handshake Error with WebSphere using Java
tomcat ssl 客户端握手 java 错误 - tomcat ssl client handshake java error
在KAFKA中启用SSL时获取SSL握手错误 - Getting SSL handshake error while Enabling SSL in KAFKA
在我的 Java 应用程序中与贝宝服务器通信时出现 ssl 握手错误 - Getting ssl handshake error while communicating with paypal server in my java application
Java 8 SSL握手失败 - Java 8 SSL Handshake failure
Java SSL握手失败 - Java SSL handshake failure
SSL握手失败Java - SSL Handshake failure Java
Java客户端上的SSL握手 - SSL HandShake on Java Client
相关标签