stackoom
  简体   繁体   中英

Error connecting to a site over SSL

 原文  2012-03-23 09:43:43       java/ ssl/ ssl-certificate

Question

Good morning,

I'm trying to connect to a site using SSL and always receive the same exception (javax.net.ssl.SSLException: Received fatal alert: unexpected_message). I create a truststore with the site certificates and load them in runtime. This is the code: 

import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

public class SSLTest {

public static void main(String [] args) throws Exception {
    System.setProperty("javax.net.debug" , "ssl");
    System.setProperty("javax.net.ssl.trustStorePassword","123456");
    System.setProperty("javax.net.ssl.trustStore","C:\\Projectos\\GapM\\WebServiceTes\\src\\truststore.jks");

    URL url = new URL("https://www.segurnet.pt");
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String arg0, SSLSession arg1) {
            return true;
        }
    });
    System.out.println(conn.getResponseCode());
    System.out.println(conn.getResponseMessage());

    conn.disconnect();
}

private static class DefaultTrustManager implements X509TrustManager {

    public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

    public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

}

}

This is what i get: 

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Projectos\GapM\WebServiceTest\src\truststore.jks
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=luis gomes, OU=dti, O=acoreana, L=lisboa, ST=Unknown, C=pt
  Issuer:  CN=luis gomes, OU=dti, O=acoreana, L=lisboa, ST=Unknown, C=pt
  Algorithm: RSA; Serial number: 0x181b641e
  Valid from Thu Mar 22 14:42:39 GMT 2012 until Thu Mar 29 15:42:39 BST 2012

adding as trusted cert:
  Subject: CN=www.segurnet.pt, OU=Web Server, OU=Associacao Portuguesa de Seguradores, OU=Corporate, OU=CERTIPOR - RA, O=MULTICERT-CA, C=PT
  Issuer:  CN=MULTICERT-CA 02, O=MULTICERT-CA, C=pt
  Algorithm: RSA; Serial number: 0x426e98cd
  Valid from Fri Mar 16 14:54:03 GMT 2012 until Mon Apr 16 15:45:18 BST 2012

adding as trusted cert:
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Issuer:  CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x1a5
  Valid from Thu Aug 13 01:29:00 BST 1998 until Tue Aug 14 00:59:00 BST 2018

adding as trusted cert:
  Subject: CN=MULTICERT-CA 02, O=MULTICERT-CA, C=pt
  Issuer:  CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Algorithm: RSA; Serial number: 0x7273ce5
  Valid from Wed Jun 03 14:50:37 BST 2009 until Wed Oct 02 14:49:20 BST 2013

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1332495399 bytes = { 155, 93, 98, 157, 254, 204, 71, 133, 69, 221, 204, 14, 28, 124, 97, 184, 91, 139, 73, 188, 199, 75, 93, 224, 243, 135, 185, 67 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: www.segurnet.pt]
***
main, WRITE: TLSv1 Handshake, length = 173
main, READ: SSLv3 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, unexpected_message
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message

Any help is apreciated.

Thanks in advance, Luis

1 answers

solution1
 4 ACCPTED  2012-03-23 10:23:32

I suspect you need to force it to use SSLv3.

This fails: 

openssl s_client -connect www.segurnet.pt:443

Whereas this works: 

openssl s_client -ssl3 -connect www.segurnet.pt:443

If possible, a better solution is to get the remote end to configure their site correctly. What they currently have is not very secure.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question RSA premaster secret error connecting to Oracle through Websphere over SSL Android Client connecting to the Server over SSL issues in connecting to AD server over SSL? SSL handshake exception while connecting over https Connecting a springboot application with mysql server over ssl MySQL is not connecting over SSL in java REST applications "Invalid encoding for NameConstraintsExtension" when connecting to a web service over SSL Connecting MQ7.X over SSL using java javax.net.ssl.SSLHandshakeException when connecting via Cajo over SSL issue Getting error for JBOSS 7.2.4 connecting to MQ with ssl error
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM