堆栈内存溢出
  繁体   English   中英

SSL handshake_failure in Client Hello

[英]SSL handshake_failure in Client Hello

 原文  2022-04-20 08:23:10       java/ ssl

问题描述

我正在使用 Java (12.0.2) 通过 ssl 调用一些 REST Api。如果我使用 CURL(指定证书和 CA_root)调用 URL,一切都很好。 如果我在 Java 中使用相同的端点,我会得到这个 SSL Client Hello

"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "15 AA 0C B1 62 A6 83 26 1E C3 B6 C3 8D D0 F9 19 DA F7 5A 9D 8B 08 0B 5C ED 96 A6 A7 CF 5A 67 C2",
  "session id"          : "",
  "cipher suites"       : "[TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    }
  ]
}

然后服务器响应

"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}

我必须指出,当与 Curl 连接时,服务器接受此密码 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,它不在 SSL 交换中提供的密码列表中。

1 个解决方案

解决方案1
 -1 已采纳  2022-04-22 09:51:36

发现了问题。 在属性文件配置中,我有这一行

system.com.sun.net.ssl.enableECC=false

那阻止了某些 Chyper 装置的使用。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Java SSL handshake_failure 使用jersey-apache-client-1.18的SSL handshake_failure SSL SSLv2客户端问候-握手失败 Java SSL SSLHandshakeException handshake_failure ClientHello期间的SSL handshake_failure java ssl handshake_failure问题 SSL:收到致命警报:handshake_failure 使用客户端身份验证进行Web服务访问:handshake_failure Java Web服务检查SSL握手警报:handshake_failure 使用双向身份验证连接到服务器时 Java 测试客户端中的 SSL Handshake_failure
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM