[英]ClientHello Fails to negotiate TLS Version During handshake
我正在嘗試使用 JavaMail 發送郵件。我的郵件服務器只接受 TLSv1.2,所以我嘗試在客戶端請求中配置 TLSv1.2。但是,在 TLS 握手期間,我的 ClientHello 始終使用 TLSv1。以下是我調試握手時得到的輸出:
[22:10:45:099]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256| 
[22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384| [22:10:45:100]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256| 
[22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256| [22:10:45:101]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: %% No cached client session| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: *** ClientHello, TLSv1| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: RandomCookie: | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: GMT: 1546533645 | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: bytes = { | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 85| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 83| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 155| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 171| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 182| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 72| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 149| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 172| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 46| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 116| 
[22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 34| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 18| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 6| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 97| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 139| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 142| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 6| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 223| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 139| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 14| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 72| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 51| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 129| [22:10:45:102]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 210| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 76| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 177| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 254| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 144| 
[22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: }| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Session ID: | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: {}| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Compression Methods: { | [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: 0| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: }| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Extension ec_point_formats, formats: [uncompressed]| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: Extension server_name, server_name: [type=host_name (0), value=mail.someserver.com]| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: ***| [22:10:45:103]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3, WRITE: TLSv1 Handshake, length = 175| 
[22:10:45:227]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3, received EOFException: error| [22:10:45:227]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake| [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3| [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: , SEND TLSv1.2 ALERT: | [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: fatal, | [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: description = handshake_failure| [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3, WRITE: TLSv1.2 Alert, length = 2| [22:10:45:228]|[01-03-2019]|[SYSOUT]|[INFO]|[56]: http-nio-8095-exec-3, called closeSocket()| [22:10:45:231]|[01-03-2019]|[SYSERR]|[INFO]|[56]: java.lang.Exception: Error in connecting to SMTP host.|
我在客戶端進行了以下配置以繼續與 TLSv1.2 的連接,
-Dhttps.protocols=TLSv1.2
-Dmail.smtp.ssl.protocols="TLSv1.2"
-Djdk.tls.client.protocols=TLSv1.2
我的郵件服務器日志中拋出的錯誤是
- SSL 錯誤 0x80090331 客戶端和服務器無法通信,因為它們沒有通用算法。
我不明白為什么 ClientHello 總是選擇 TLSv1 而不是 TLSv1.2。請幫我解決這個問題。
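/**
 * Builds a MIME message from {@code mailProps} and sends it through the SMTP server
 * described by {@code serverProps}.
 *
 * <p>Transport security is chosen by {@code CONNECTION_SECURITY}: {@code "SSL"} connects
 * through an SSL socket factory with fallback disabled, {@code "TLS"} enables and requires
 * STARTTLS. Any other value sets no transport-encryption property in this method, so
 * credentials and content are then not protected by anything configured here.
 *
 * <p>Unless {@code mail.smtp.ssl.protocols} is already present (for example through
 * {@code -Dmail.smtp.ssl.protocols=...}, which is picked up because the session properties
 * start as a copy of the system properties), the protocol list is pinned to
 * {@code TLSv1.2} so the ClientHello does not depend on the mail library's built-in default.
 *
 * <p>Failures are logged and not rethrown, so callers receive no exception when sending
 * fails.
 *
 * @param mailProps   per-message settings; {@code SUBJECT} and {@code MESSAGE} are read
 *                    unconditionally, the remaining keys are optional
 * @param serverProps SMTP settings; {@code SERVER_NAME} and {@code PORT} are read
 *                    unconditionally, the remaining keys are optional
 * @throws Exception declared for compatibility; failures raised while building or sending
 *                   the message are caught and logged inside this method
 */
public static void sendMail(JSONObject mailProps, JSONObject serverProps) throws Exception {
    Thread currentThread = Thread.currentThread();
    ClassLoader callerClassLoader = currentThread.getContextClassLoader();
    boolean classLoaderSwapped = false;
    try {
        String mailServer = serverProps.getString("SERVER_NAME");
        String mailPort = serverProps.getString("PORT");
        String mailAuthenUser = serverProps.has("USER_NAME") ? serverProps.getString("USER_NAME") : "";
        String mailAuthenPwd = serverProps.has("PASSWORD") ? serverProps.getString("PASSWORD") : "";
        String securityType = serverProps.has("CONNECTION_SECURITY") ? serverProps.getString("CONNECTION_SECURITY") : "";

        // HTML is used when either the message or the server configuration asks for it.
        boolean isHtmlFormat =
                (mailProps.has("ENABLE_HTML_FORMAT") && mailProps.getBoolean("ENABLE_HTML_FORMAT"))
                || (serverProps.has("ENABLE_HTML_FORMAT") && serverProps.getBoolean("ENABLE_HTML_FORMAT"));

        String fromAddress = mailProps.has("FROM_MAIL_ID") ? mailProps.getString("FROM_MAIL_ID") : serverProps.getString("FROM_MAIL_ID");
        String toAddress = mailProps.has("TO_ADDRESSES") ? mailProps.getString("TO_ADDRESSES") : serverProps.getString("ADMIN_MAIL_ID");
        String subject = mailProps.getString("SUBJECT");
        String message = mailProps.getString("MESSAGE");

        // Work on a copy so JVM-wide system properties are never modified.
        Properties properties = (Properties) System.getProperties().clone();
        properties.put("mail.smtp.host", mailServer);
        properties.put("mail.smtp.port", mailPort);
        properties.put("mail.smtp.sendpartial", "true");

        // Authenticate as soon as either a user name or a password is configured.
        boolean authRequired = mailAuthenUser != null && mailAuthenPwd != null
                && (!mailAuthenUser.equals("") || !mailAuthenPwd.equals(""));
        properties.put("mail.smtp.auth", authRequired ? "true" : "false");

        // Pin the protocol version instead of relying on the library default; an explicit
        // -Dmail.smtp.ssl.protocols=... still wins. Runtimes that support newer versions
        // can list them through that system property.
        if (properties.getProperty("mail.smtp.ssl.protocols") == null) {
            properties.setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
        }

        // NOTE(review): mail.smtp.ssl.checkserveridentity is not set here. On mail library
        // versions where it defaults to false, the server certificate's host name is not
        // verified -- confirm the default for the deployed version and enable it if needed.
        if ("SSL".equalsIgnoreCase(securityType)) {
            properties.put("mail.smtp.socketFactory.port", mailPort);
            properties.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
            // Never fall back to a plain socket when the SSL socket cannot be created.
            properties.put("mail.smtp.socketFactory.fallback", "false");
        } else if ("TLS".equalsIgnoreCase(securityType)) {
            properties.put("mail.smtp.starttls.enable", "true");
            // Abort instead of continuing unencrypted when STARTTLS cannot be negotiated.
            properties.put("mail.smtp.starttls.required", "true");
        }

        Session session;
        if (authRequired) {
            Authenticator auth = new MailAction.SMTPAuthenticator(mailAuthenUser, mailAuthenPwd);
            session = Session.getInstance(properties, auth);
        } else {
            session = Session.getInstance(properties);
        }
        session.setDebug(false);

        MimeMessage mess = new MimeMessage(session);
        if (toAddress != null) {
            // TO_ADDRESSES is a comma-separated string.
            String[] to = toAddress.split(",");
            InternetAddress[] toInternetAddress = new InternetAddress[to.length];
            for (int i = 0; i < to.length; ++i) {
                toInternetAddress[i] = new InternetAddress(to[i].trim());
            }
            mess.setRecipients(RecipientType.TO, toInternetAddress);
        }
        if (fromAddress != null && !fromAddress.equals("")) {
            mess.setFrom(new InternetAddress(fromAddress));
        }

        if (mailProps.has("PRIORITY")) {
            String priority = mailProps.get("PRIORITY").toString();
            // Only the two known values are copied into headers; anything else is ignored.
            if (priority.equalsIgnoreCase("High") || priority.equalsIgnoreCase("Low")) {
                mess.setHeader("Importance", priority);
                mess.setHeader("X-Priority", priority);
            }
        }

        String contentType = isHtmlFormat ? "text/html;charset=UTF-8" : "text/plain;charset=UTF-8";
        mess.setContent(message, contentType);

        if (mailProps.has("CC_ADDRESS")) {
            // Unlike TO_ADDRESSES, CC_ADDRESS is read as a String[].
            String[] cc = (String[]) mailProps.get("CC_ADDRESS");
            InternetAddress[] ccInternetAddress = new InternetAddress[cc.length];
            for (int i = 0; i < cc.length; ++i) {
                ccInternetAddress[i] = new InternetAddress(cc[i].trim());
            }
            mess.setRecipients(RecipientType.CC, ccInternetAddress);
        }

        mess.setSentDate(new Date());
        mess.setSubject(subject, "UTF-8");

        // Send with the class loader that loaded MimeMessage as the context class loader
        // (presumably so the mail library can locate its own classes -- TODO confirm).
        currentThread.setContextClassLoader(mess.getClass().getClassLoader());
        classLoaderSwapped = true;
        Transport.send(mess);
    } catch (Exception sendFailure) {
        // Best-effort send: keep the original behaviour of not rethrowing, but log the
        // failure with a real message at a level that is not lost among routine output.
        out.log(Level.WARNING, "Failed to send mail", sendFailure);
    } finally {
        // Restore the caller's context class loader so a reused (pooled) thread is not
        // left pointing at the mail library's class loader.
        if (classLoaderSwapped) {
            currentThread.setContextClassLoader(callerClassLoader);
        }
    }
}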
在 JavaMail 1.5.3 之前,TLSv1 是硬編碼的默認協議,因此升級 JavaMail 應該可以解決問題(請記住 JavaMail 已被 Jakarta Mail 取代)。
作為一種解決方法,您可以通過 mail.smtp.ssl.protocols 屬性將所需的協議設置為以空格分隔的列表(如 Ajinkya 所建議的):
// TLSv1.1 is deprecated (RFC 8996); when the server accepts TLSv1.2, listing "TLSv1.2"
// alone avoids offering the older version.
properties.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.1");