
Handshake Failure with TLS 1.3 under JDK 11

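Using TLS 1.3 under JDK 11 works in principle. However, as soon as connections are established in two concurrent threads, the initial handshake fails for both threads.

This is apparently a known issue that has supposedly been fixed:

Given this simple Java class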

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class Main {

    public static void main(String[] args) throws Exception {
        Thread t1 = new Thread(Main::createAndUseSslSocket);
        Thread t2 = new Thread(Main::createAndUseSslSocket);
        t1.start();
        t2.start();
        do {
            Thread.sleep(100);
        } while (t1.isAlive() || t2.isAlive());
    }

    private static void createAndUseSslSocket() {
        try (SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket("www.verisign.com", 443)) {
            socket.startHandshake();
        } catch (Exception e) {
            System.err.println(e.getClass().getName() + " " + e.getMessage());
        }
    }
}

Executing the following commands (on my Windows 10 machine)

with OpenJDK 11.0.9.11-hotspot, in which this is supposed to be fixed:

"C:\Program Files\AdoptOpenJDK\jdk-11.0.9.11-hotspot/bin/javac" Main.java
"C:\Program Files\AdoptOpenJDK\jdk-11.0.9.11-hotspot/bin/java" -Djdk.tls.client.protocols="TLSv1.3" Main

or even OpenJDK 15.0.1.9-hotspot (the "latest" option available from AdoptOpenJDK.net so far):

"C:\Program Files\AdoptOpenJDK\jdk-15.0.1.9-hotspot/bin/javac" Main.java
"C:\Program Files\AdoptOpenJDK\jdk-15.0.1.9-hotspot/bin/java" -Djdk.tls.client.protocols="TLSv1.3" Main

Both produce the same output

javax.net.ssl.SSLHandshakeException Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException Received fatal alert: handshake_failure

This is officially fixed, but I can't seem to get it to work.
What is going on here?

There is a workaround, but it is not acceptable in the long run:

Disable TLS 1.3 using the following JVM property: -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"


*Edit: the end of the output when -Djavax.net.debug=all is included (including all 140k characters would be too much for StackOverflow).

javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:993|keyStore is :
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:994|keyStore type is : pkcs12
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:996|keyStore provider is :
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:1031|init keystore
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:1054|init keymanager of type SunX509
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:44.793 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:44.850 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:44.850 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:44.862 CET|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|WARNING|0F|Thread-1|2020-10-30 15:16:44.863 CET|SignatureScheme.java:282|Signature algorithm, ed25519, not supported by JSSE
javax.net.ssl|WARNING|0F|Thread-1|2020-10-30 15:16:44.863 CET|SignatureScheme.java:282|Signature algorithm, ed448, not supported by JSSE
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:418|Ignore inactive signature scheme: dsa_sha256
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:418|Ignore inactive signature scheme: dsa_sha256
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ecdsa_sha224
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: ecdsa_sha224
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: rsa_sha224
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: rsa_sha224
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: dsa_sha224
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.189 CET|SignatureScheme.java:394|Ignore unsupported signature scheme: dsa_sha224
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.194 CET|SignatureScheme.java:418|Ignore inactive signature scheme: dsa_sha1
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.194 CET|SignatureScheme.java:418|Ignore inactive signature scheme: rsa_md5
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.194 CET|SignatureScheme.java:418|Ignore inactive signature scheme: dsa_sha1
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.194 CET|SignatureScheme.java:418|Ignore inactive signature scheme: rsa_md5
javax.net.ssl|INFO|0E|Thread-0|2020-10-30 15:16:45.194 CET|AlpnExtension.java:165|No available application protocols
javax.net.ssl|INFO|0F|Thread-1|2020-10-30 15:16:45.194 CET|AlpnExtension.java:165|No available application protocols
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.194 CET|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.194 CET|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.195 CET|SSLExtensions.java:260|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.195 CET|SSLExtensions.java:260|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.210 CET|PreSharedKeyExtension.java:660|No session to resume.
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.210 CET|PreSharedKeyExtension.java:660|No session to resume.
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.210 CET|SSLExtensions.java:260|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.210 CET|SSLExtensions.java:260|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.210 CET|ClientHello.java:652|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "D0 1B 63 ED D3 4E 05 5E 98 E1 6B 9D F8 32 81 14 43 D3 45 F7 0D D3 D6 20 98 35 DF 67 85 C9 A9 65",
  "session id"          : "44 52 47 AB 32 A6 FC C1 CA 78 A7 DE 32 AC F8 95 6C DF 68 07 0C C5 35 D4 44 ED 29 7A 2F C9 BE 1E",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=www.verisign.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {
            0000: 4C 31 CF 53 D6 2D 6D 30   19 D3 7E 4E CD B6 6A E2  L1.S.-m0...N..j.
            0010: 3A 49 0F C4 14 C2 53 FD   53 89 0D 7D 8F 4C AE 46  :I....S.S....L.F
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.210 CET|ClientHello.java:652|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "3C 06 CA 04 F8 0F E4 E6 94 93 1F 48 A4 C0 84 27 76 7E D6 22 BB 62 B2 C6 CF FA A4 61 BE 02 04 E2",
  "session id"          : "C1 C4 8D 99 B0 57 69 D7 63 DC 78 26 7B 15 0B B1 F5 2E B9 50 52 22 F0 32 FB 63 C4 AA E4 FC E6 72",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=www.verisign.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {
            0000: DF DF 74 F2 A7 A9 B5 EB   74 E4 26 DE F6 2B 82 27  ..t.....t.&..+.'
            0010: C1 4E D8 16 91 CA CB F6   0B 91 EE C9 69 C6 4F 03  .N..........i.O.
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.213 CET|SSLSocketOutputRecord.java:258|WRITE: TLS13 handshake, length = 266
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.213 CET|SSLSocketOutputRecord.java:258|WRITE: TLS13 handshake, length = 266
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.213 CET|SSLSocketOutputRecord.java:272|Raw write (
  0000: 16 03 03 01 0A 01 00 01   06 03 03 3C 06 CA 04 F8  ...........<....
  0010: 0F E4 E6 94 93 1F 48 A4   C0 84 27 76 7E D6 22 BB  ......H...'v..".
  0020: 62 B2 C6 CF FA A4 61 BE   02 04 E2 20 C1 C4 8D 99  b.....a.... ....
  0030: B0 57 69 D7 63 DC 78 26   7B 15 0B B1 F5 2E B9 50  .Wi.c.x&.......P
  0040: 52 22 F0 32 FB 63 C4 AA   E4 FC E6 72 00 06 13 02  R".2.c.....r....
  0050: 13 01 13 03 01 00 00 B7   00 00 00 15 00 13 00 00  ................
  0060: 10 77 77 77 2E 76 65 72   69 73 69 67 6E 2E 63 6F  .www.verisign.co
  0070: 6D 00 05 00 05 01 00 00   00 00 00 0A 00 16 00 14  m...............
  0080: 00 1D 00 17 00 18 00 19   00 1E 01 00 01 01 01 02  ................
  0090: 01 03 01 04 00 0D 00 1E   00 1C 04 03 05 03 06 03  ................
  00A0: 08 04 08 05 08 06 08 09   08 0A 08 0B 04 01 05 01  ................
  00B0: 06 01 02 03 02 01 00 32   00 1E 00 1C 04 03 05 03  .......2........
  00C0: 06 03 08 04 08 05 08 06   08 09 08 0A 08 0B 04 01  ................
  00D0: 05 01 06 01 02 03 02 01   00 2B 00 03 02 03 04 00  .........+......
  00E0: 2D 00 02 01 01 00 33 00   26 00 24 00 1D 00 20 DF  -.....3.&.$... .
  00F0: DF 74 F2 A7 A9 B5 EB 74   E4 26 DE F6 2B 82 27 C1  .t.....t.&..+.'.
  0100: 4E D8 16 91 CA CB F6 0B   91 EE C9 69 C6 4F 03     N..........i.O.
)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.213 CET|SSLSocketOutputRecord.java:272|Raw write (
  0000: 16 03 03 01 0A 01 00 01   06 03 03 D0 1B 63 ED D3  .............c..
  0010: 4E 05 5E 98 E1 6B 9D F8   32 81 14 43 D3 45 F7 0D  N.^..k..2..C.E..
  0020: D3 D6 20 98 35 DF 67 85   C9 A9 65 20 44 52 47 AB  .. .5.g...e DRG.
  0030: 32 A6 FC C1 CA 78 A7 DE   32 AC F8 95 6C DF 68 07  2....x..2...l.h.
  0040: 0C C5 35 D4 44 ED 29 7A   2F C9 BE 1E 00 06 13 02  ..5.D.)z/.......
  0050: 13 01 13 03 01 00 00 B7   00 00 00 15 00 13 00 00  ................
  0060: 10 77 77 77 2E 76 65 72   69 73 69 67 6E 2E 63 6F  .www.verisign.co
  0070: 6D 00 05 00 05 01 00 00   00 00 00 0A 00 16 00 14  m...............
  0080: 00 1D 00 17 00 18 00 19   00 1E 01 00 01 01 01 02  ................
  0090: 01 03 01 04 00 0D 00 1E   00 1C 04 03 05 03 06 03  ................
  00A0: 08 04 08 05 08 06 08 09   08 0A 08 0B 04 01 05 01  ................
  00B0: 06 01 02 03 02 01 00 32   00 1E 00 1C 04 03 05 03  .......2........
  00C0: 06 03 08 04 08 05 08 06   08 09 08 0A 08 0B 04 01  ................
  00D0: 05 01 06 01 02 03 02 01   00 2B 00 03 02 03 04 00  .........+......
  00E0: 2D 00 02 01 01 00 33 00   26 00 24 00 1D 00 20 4C  -.....3.&.$... L
  00F0: 31 CF 53 D6 2D 6D 30 19   D3 7E 4E CD B6 6A E2 3A  1.S.-m0...N..j.:
  0100: 49 0F C4 14 C2 53 FD 53   89 0D 7D 8F 4C AE 46     I....S.S....L.F
)
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:488|Raw read (
  0000: 15 03 03 00 02                                     .....
)
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:488|Raw read (
  0000: 02 28                                              .(
)
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:247|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:488|Raw read (
  0000: 15 03 03 00 02                                     .....
)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:488|Raw read (
  0000: 02 28                                              .(
)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketInputRecord.java:247|READ: TLSv1.2 alert, length = 2
javax.net.ssl|ERROR|0E|Thread-0|2020-10-30 15:16:45.372 CET|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1488)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1394)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
        at Main.createAndUseSslSocket(Main.java:23)
        at java.base/java.lang.Thread.run(Thread.java:832)}

)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ALL|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSessionImpl.java:1224|Invalidated session:  Session(1604067404870|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|ERROR|0F|Thread-1|2020-10-30 15:16:45.372 CET|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1488)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1394)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
        at Main.createAndUseSslSocket(Main.java:23)
        at java.base/java.lang.Thread.run(Thread.java:832)}

)
javax.net.ssl|ALL|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSessionImpl.java:1224|Invalidated session:  Session(1604067404870|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketImpl.java:1727|close the underlying socket
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketImpl.java:1727|close the underlying socket
javax.net.ssl|DEBUG|0E|Thread-0|2020-10-30 15:16:45.372 CET|SSLSocketImpl.java:1746|close the SSL connection (initiative)
javax.net.ssl|DEBUG|0F|Thread-1|2020-10-30 15:16:45.372 CET|SSLSocketImpl.java:1746|close the SSL connection (initiative)

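It's not your fault (nor JDK 11's).

I spoke too soon in my comment on the question; if I supply -Djdk.tls.client.protocols="TLSv1.3", it fails locally the same as yours.

Looking at the debug output, it is the server that rejects the handshake: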

javax.net.ssl|DEBUG|0D|Thread-1|2020-10-30 15:30:52.829 CET|SSLSocketInputRecord.java:477|Raw read (
  0000: 02 28                                              .(
)

If you use openssl and force TLS1.3, it fails with the same error:

openssl s_client -connect www.verisign.com:443 -tls1_3
CONNECTED(00000003)
139777244485440:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40

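Note alert number 40, which corresponds to the hex 28 seen in Java's debug output.

So it is www.verisign.com that has a problem with TLS1.3.

If you try e.g. www.google.com, it works just fine.

Update

I just tested www.verisign.com online with SSL Labs, and the result confirms it: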

Protocol details
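
The answer's step from hex 28 to alert number 40, as an added example that is not part of the original post: a small decoder for the TLS record header and alert body that JSSE prints as two separate "Raw read" dumps. The class and method names are made up for illustration; the input bytes are copied from the debug output above.

```java
import java.util.Map;

public class TlsAlertDecoder {

    // Subset of the alert descriptions defined in RFC 8446, section 6.
    private static final Map<Integer, String> ALERTS = Map.of(
            0, "close_notify",
            10, "unexpected_message",
            20, "bad_record_mac",
            40, "handshake_failure",
            42, "bad_certificate",
            47, "illegal_parameter",
            70, "protocol_version",
            71, "insufficient_security",
            80, "internal_error",
            112, "unrecognized_name");

    /** Converts "15 03 03 00 02" style hex from a javax.net.debug dump to bytes. */
    static byte[] parseHex(String dump) {
        String[] parts = dump.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    /** Decodes one TLS record given its 5-byte header and its body. */
    static String decodeRecord(byte[] header, byte[] body) {
        if (header.length != 5) {
            throw new IllegalArgumentException("TLS record header is 5 bytes");
        }
        int type = header[0] & 0xFF;
        int version = ((header[1] & 0xFF) << 8) | (header[2] & 0xFF);
        int length = ((header[3] & 0xFF) << 8) | (header[4] & 0xFF);
        if (length != body.length) {
            throw new IllegalArgumentException("body length does not match header");
        }
        if (type != 21) { // 21 = alert content type
            return String.format("type=%d version=0x%04X length=%d", type, version, length);
        }
        if (length != 2) {
            throw new IllegalArgumentException("plaintext alert must be 2 bytes");
        }
        String level = body[0] == 2 ? "fatal" : body[0] == 1 ? "warning" : "unknown";
        int code = body[1] & 0xFF;
        return String.format("alert version=0x%04X level=%s description=%s(%d)",
                version, level, ALERTS.getOrDefault(code, "unknown"), code);
    }

    public static void main(String[] args) {
        // Bytes copied from the two "Raw read" dumps in the debug output above.
        System.out.println(decodeRecord(parseHex("15 03 03 00 02"), parseHex("02 28")));
        // Header of the ClientHello record from the "Raw write" dump
        // (the log reports it as "length = 266"); the body is a placeholder.
        System.out.println(decodeRecord(parseHex("16 03 03 01 0A"), new byte[266]));
    }
}
```

The record version 0x0303 is what the log prints as "TLSv1.2"; TLS 1.3 records also carry this legacy value (RFC 8446, section 5.1), so it does not by itself show which version the server speaks.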
