JDK 1.8 with error “Received fatal alert: handshake_failure”

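I have a problem with the SSL handshake. I have an application that uses JDK 1.8, and the vendor only provides support for JDK 1.7 for the WSDL server.

The vendor gave us the file jssecacerts, and the main instruction in its documentation is: Copy the file into %JAVA_HOME%\\jre\\lib\\security

I actually tried his method, and it works fine with JDK 1.7. However, I cannot get it to work with JDK 1.8; I get the error message below.

I use HttpClient 3.1 because of the vendor's demo file.

Here is my sample code: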

public static void main(String[] args){
    try {
        String sslKeyStorePassword = "changeit";
        String sslKeyStoreType = "JKS"; 
        String sslTrustStore = "/Users/adam/Documents/shanghai-vpn/jssecacerts";
        String sslTrustStorePassword = "changeit";
        System.setProperty("javax.net.ssl.keyStore", sslKeyStorePath);
        System.setProperty("javax.net.ssl.keyStorePassword",
               sslKeyStorePassword);
        System.setProperty("javax.net.ssl.keyStoreType", sslKeyStoreType);
        System.setProperty("javax.net.ssl.trustStore", sslTrustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", sslTrustStorePassword);
        MultiThreadedHttpConnectionManager connectionManager =
                new MultiThreadedHttpConnectionManager();
        HttpClient httpClient = new HttpClient(connectionManager);

        Protocol myhttps = new Protocol("https", new MySSLProtocolSocketFactory(), 443);
        Protocol.registerProtocol("https", myhttps);
        loginVPN(httpClient);

    } catch (Exception e) {
        e.printStackTrace();
    }
}

public static void loginVPN(HttpClient httpClient)
        throws Exception {
    //STEP1:
    HttpClientParams httparams = new HttpClientParams();
    httparams.setSoTimeout(30000);
    httpClient.setParams(httparams);

    httpClient.getHostConfiguration().setHost("vpn.shanghai-cis.com.cn", 80);

    PostMethod login = new PostMethod(step1URI);
    login.addRequestHeader("Content-Type",
            "application/x-www-form-urlencoded");

    httpClient.executeMethod(login);

    cookies = httpClient.getState().getCookies();
    System.out.println("==========Cookies============");
    int i = 0;
    for (Cookie c : cookies) {
        System.out.println(++i + ":   " + c);
    }
    httpClient.getState().addCookies(cookies);
    login.releaseConnection();


    //STEP2:
    PostMethod login2 = new PostMethod(step2URI);
    login2.addRequestHeader("Content-Type",
            "application/x-www-form-urlencoded");
    login2.addRequestHeader("Referer", step1URI);
    login2.addRequestHeader("Accept", "image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*");


    NameValuePair tgroup = new NameValuePair("tgroup", "");
    NameValuePair next = new NameValuePair("next", "");
    NameValuePair tgcookieset = new NameValuePair("tgcookieset", "");
    NameValuePair Login = new NameValuePair("Login", "登录");
    NameValuePair Email = new NameValuePair("username", username);
    NameValuePair password1 = new NameValuePair("password", password);
    // NameValuePair code = new NameValuePair("code", "????");

    NameValuePair[] data = { tgroup , next , tgcookieset, Login, Email, password1 };
    login2.setRequestBody(data);

    httpClient.executeMethod(login2);

    cookies = httpClient.getState().getCookies();
    System.out.println("==========Cookies============");
    int j = 0;
    for (Cookie c : cookies) {
        System.out.println(++j + ":   " + c);
    }
    httpClient.getState().addCookies(cookies);
    login2.releaseConnection();
}

And the error exception:

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, setSoTimeout(30000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1481548099 bytes = { 124, 16, 201, 38, 215, 71, 235, 91, 191, 248, 50, 237, 230, 137, 196, 155, 59, 106, 75, 151, 240, 243, 107, 61, 130, 213, 232, 204 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=vpn.shanghai-cis.com.cn]
***
[write] MD5 and SHA1 hashes:  len = 183
0000: 01 00 00 B3 03 01 58 4F   A1 43 7C 10 C9 26 D7 47  ......XO.C...&.G
0010: EB 5B BF F8 32 ED E6 89   C4 9B 3B 6A 4B 97 F0 F3  .[..2.....;jK...
0020: 6B 3D 82 D5 E8 CC 00 00   2C C0 0A C0 14 00 35 C0  k=......,.....5.
0030: 05 C0 0F 00 39 00 38 C0   09 C0 13 00 2F C0 04 C0  ....9.8...../...
0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........
0050: 16 00 13 00 FF 01 00 00   5E 00 0A 00 34 00 32 00  ........^...4.2.
0060: 17 00 01 00 03 00 13 00   15 00 06 00 07 00 09 00  ................
0070: 0A 00 18 00 0B 00 0C 00   19 00 0D 00 0E 00 0F 00  ................
0080: 10 00 11 00 02 00 12 00   04 00 05 00 14 00 08 00  ................
0090: 16 00 0B 00 02 01 00 00   00 00 1C 00 1A 00 00 17  ................
00A0: 76 70 6E 2E 73 68 61 6E   67 68 61 69 2D 63 69 73  vpn.shanghai-cis
00B0: 2E 63 6F 6D 2E 63 6E                               .com.cn
main, WRITE: TLSv1 Handshake, length = 183
[Raw write]: length = 188
0000: 16 03 01 00 B7 01 00 00   B3 03 01 58 4F A1 43 7C  ...........XO.C.
0010: 10 C9 26 D7 47 EB 5B BF   F8 32 ED E6 89 C4 9B 3B  ..&.G.[..2.....;
0020: 6A 4B 97 F0 F3 6B 3D 82   D5 E8 CC 00 00 2C C0 0A  jK...k=......,..
0030: C0 14 00 35 C0 05 C0 0F   00 39 00 38 C0 09 C0 13  ...5.....9.8....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 08 C0 12 00 0A  ./.....3.2......
0050: C0 03 C0 0D 00 16 00 13   00 FF 01 00 00 5E 00 0A  .............^..
0060: 00 34 00 32 00 17 00 01   00 03 00 13 00 15 00 06  .4.2............
0070: 00 07 00 09 00 0A 00 18   00 0B 00 0C 00 19 00 0D  ................
0080: 00 0E 00 0F 00 10 00 11   00 02 00 12 00 04 00 05  ................
0090: 00 14 00 08 00 16 00 0B   00 02 01 00 00 00 00 1C  ................
00A0: 00 1A 00 00 17 76 70 6E   2E 73 68 61 6E 67 68 61  .....vpn.shangha
00B0: 69 2D 63 69 73 2E 63 6F   6D 2E 63 6E              i-cis.com.cn
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at com.umoney.finance.Login.loginVPN(Login.java:69)
    at com.umoney.finance.Login.main(Login.java:292)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)

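TLS/SSL is a well-specified protocol, so there should be no dependency on the JDK version. The jssecacerts file should only replace the list of trusted certificates (the question is: do you want to do that? I would just import the certificates from jssecacerts into the truststore).

Now, see the SSL debug output:

  • Your client sent an SSL client request
  • The SSL server sent an alert response
  • Your client received the alert response (handshake_failure) and threw an exception

This means the server refused the parameters your client offered.

First question: does the SSL server require client X.509 authentication (mutual SSL)? If so, the client needs to have a private key and a certificate that the server trusts.

Your client supports only a limited subset of protocols (which is fine from a security point of view as long as the protocols are secure). Check that the server supports at least one of them.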
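
The answer's three-step reading of the debug output can be checked against the raw bytes in the question's log. The following Java program is an added example, not part of the original question or answer; the class and method names (`TlsRecordPeek`, `describe`) are hypothetical, and the byte strings are copied from the `[Raw write]` and `[Raw read]` dumps above.

```java
import java.util.ArrayList;
import java.util.List;
// Added example: decodes TLS record bytes copied from the javax.net.debug output above.
public class TlsRecordPeek {                      // hypothetical class name
    // Converts a whitespace-separated hex string ("16 03 01 ...") to bytes.
    static byte[] hex(String s) {
        String[] parts = s.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = (byte) Integer.parseInt(parts[i], 16);
        return out;
    }

    static int u8(byte[] b, int i)  { return b[i] & 0xFF; }
    static int u16(byte[] b, int i) { return (u8(b, i) << 8) | u8(b, i + 1); }

    // Summarises one TLS record: an alert (type 0x15) or a ClientHello (type 0x16, msg type 1).
    static String describe(byte[] r) {
        int type = u8(r, 0);
        if (type == 0x15) {                       // alert body: level, description
            int level = u8(r, 5), desc = u8(r, 6);
            return String.format("alert level=%d (%s) description=%d%s", level,
                    level == 2 ? "fatal" : "warning", desc, desc == 40 ? " (handshake_failure)" : "");
        }
        if (type == 0x16 && u8(r, 5) == 0x01) {
            int p = 9;                            // skip record header (5) + handshake header (4)
            int clientVersion = u16(r, p);        // highest protocol version the client offers
            p += 2 + 32;                          // version + 32-byte random
            p += 1 + u8(r, p);                    // session id length + session id
            int len = u16(r, p); p += 2;          // cipher suite list length in bytes
            List<String> suites = new ArrayList<>();
            for (int end = Math.min(p + len, r.length - 1); p < end; p += 2)
                suites.add(String.format("0x%04X", u16(r, p)));
            return String.format("ClientHello maxVersion=0x%04X suites(%d)=%s",
                    clientVersion, suites.size(), suites);
        }
        return "unhandled record type " + type;
    }

    public static void main(String[] args) {
        // First 90 of the 188 bytes in the "[Raw write]" dump (extensions omitted).
        byte[] hello = hex("16 03 01 00 B7 01 00 00 B3 03 01 58 4F A1 43 7C 10 C9 26 D7 47 EB 5B BF "
                + "F8 32 ED E6 89 C4 9B 3B 6A 4B 97 F0 F3 6B 3D 82 D5 E8 CC 00 00 2C C0 0A "
                + "C0 14 00 35 C0 05 C0 0F 00 39 00 38 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 "
                + "00 32 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 00 FF");
        byte[] alert = hex("15 03 01 00 02 02 28"); // the two "[Raw read]" dumps joined
        System.out.println(describe(hello));
        System.out.println(describe(alert));
    }
}
```

It reports a ClientHello with maximum version 0x0301 (TLS 1.0) and 22 cipher suite code points, followed by an alert with level 2 (fatal) and description 40 (handshake_failure). Those offered values are what to compare against the protocols and cipher suites the server is configured to accept.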
