[英]Java 8 javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated, but not Java 7
將應用程序從Java 7切換到Java 8時出現問題。更改JDK后,我開始收到此SSLPeerUnverified異常。 改回Java7,也不例外。
我發現了這個問題: Java 7的SSL連接失敗,這意味着這可能與服務器端問題有關。 我們的服務器確實在Ubuntu機器上運行,但它也在運行Java8(sun Java8)
不確定發布還有什么其他內容。 如果需要/有用,我可以提供代碼示例。 我現在沒有把它們包括在內,因為好像代碼不是問題。
編輯 - 鏈接到我的SSLSocketFactory擴展: http : //pastebin.com/2j6HDHE7
Edit2 - Http客戶端代碼:
private HttpClient getHttpClient() throws GeneralSecurityException, IOException {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(CommandChannel.class.getResourceAsStream("myKeystore"), "myPassword".toCharArray());
final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore);
final SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
registry.register(new Scheme("https", 443, sslSocketFactory));
final HttpParams params = new BasicHttpParams();
HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params);
paramsBean.setVersion(HttpVersion.HTTP_1_1);
paramsBean.setContentCharset("UTF_8");
final ClientConnectionManager ccm = new BasicClientConnectionManager(registry);
final DefaultHttpClient httpClient = new DefaultHttpClient(ccm, params);
return httpClient;
}
包括來自java8和java7的SSL調試信息。
Java 8 SSL調試跟蹤:
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389745002 bytes = { 220, 201, 110, 4, 38, 166, 25, 166, 235, 253, 71, 242, 226, 124, 22, 149, 28, 207, 242, 25, 201, 123, 218, 56, 207, 67, 195, 17 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
JavaFX Application Thread, WRITE: TLSv1.2 Handshake, length = 207
JavaFX Application Thread, received EOFException: error
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2
JavaFX Application Thread, called closeSocket()
JavaFX Application Thread, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
18:49:14,951 ERROR [logger] [LoginController] Error logging in due to: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
com.limebrokerage.portal.communication.command.CommandChannelException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Java 7 SSL調試跟蹤相同位代碼:
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 91, 88, 192, 29, 58, 48, 211, 105, 40, 40, 138, 204, 154, 113, 233, 213, 120, 99, 3, 223, 26, 233, 123, 150, 251, 245, 186, 246 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 149
JavaFX Application Thread, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218 }
Session ID: {83, 214, 216, 91, 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
JavaFX Application Thread, READ: TLSv1 Handshake, length = 1522
*** Certificate chain
chain [0] = [
[
Version: V3
不確定答案,但評論太久了。
你真正的問題是hello上的服務器斷開連接以及產生的SSLHandshakeException ; SSLPeerUnverifiedException是附帶損害,因為握手未到達身份驗證階段。 明顯的區別是Java 8正在發送TLSv1.2 ClientHello,其中Java 7發送了TLSv1。
Java 7實現了1.1和1.2,但默認情況下沒有在客戶端上啟用它們; 8確實如此,請參閱https://bugs.openjdk.java.net/browse/JDK-7093640 。 正確編寫的不支持1.2的服務器堆棧應該協商下降到1.1或1(.0),但是您的未識別服務器顯然沒有,或者可能是防火牆之間的某些東西搞亂了您的連接。 如果您擁有或獲得OpenSSL,命令行openssl s_client將讓您輕松嘗試不同的版本(以及密碼和一些選項),以查看哪些功能有效,哪些功能無效。 或者您可以通過https://www.ssllabs.com/ssltest/進行罐裝但相當徹底的測試。
錯誤條目說你可以設置sysprop jdk.tls.client.protocols ,這對我來說適用於8u05上的最小SSLSocket(非HTTP)應用程序。 或者既然您已經在修改了SSLSocketFactory ,我希望您可以在您創建的套接字上執行setEnabledProtocols 。
FWIW,當2012年3月OpenSSL 1.0.1版“默默地”啟用協議1.1和1.2時(它在發行說明中很突出,但大約沒有人讀取發行說明),支持列表得到了很多抱怨,我猜一百個服務器突然開始出現故障,崩潰或掛起,直到客戶端恢復到1.0。 OpenSSL最終實現了一種解決方法,可以人為地減少或增加ClientHello中的一些數據,以避免最“挑釁”的大小; 我不知道JSSE是否可以做類似的事情。
Java - javax.net.ssl.SSLPeerUnverifiedException:peer未經過身份驗證
[英]Java - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
如何使用Java解決Rally Rest api中的javax.net.ssl.SSLPeerUnverifiedException:對等體未通過身份驗證的異常?
[英]How to solve javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Exception in Rally Rest api using java?
Apache HttpClient錯誤:javax.net.ssl.SSLPeerUnverifiedException:對等方未通過身份驗證
[英]Apache HttpClient Error: javax.net.ssl.SSLPeerUnverifiedException: Peer Not Authenticated
javax.net.ssl.SSLPeerUnverifiedException:未在Tomcat中使用Apache HttpClient對等體進行身份驗證
[英]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated in Tomcat with Apache HttpClient
javax.net.ssl.SSLPeerUnverifiedException:在netbeans中未對等身份驗證
[英]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated in netbeans
JDK 11. javax.net.ssl.SSLPeerUnverifiedException:對等方未通過身份驗證
[英]JDK 11. javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
異常:javax.net.ssl.SSLPeerUnverifiedException:對等端未經過身份驗證
[英]Exception : javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException:僅在生產服務器上未對等身份驗證
[英]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated only on production server
javax.net.ssl.SSLPeerUnverifiedException:對等方未在jdk7中進行身份驗證,但未在jdk8中進行身份驗證
[英]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated in jdk7 but not in jdk8
javax.net.ssl.SSLPeerUnverifiedException: 升級 Spring 從 2.1.0 到 2.2.0.M3 后未通過身份驗證
[英]javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated after upgrading Spring Boot from 2.1.0 to 2.2.0.M3
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.