javax.net.ssl.SSLException: 從 Apache Z8F72E28063C30C7468FB6AF4653F54F9CZ 9 發送請求時收到 close_notify 握手錯誤。

Question

I have moved my website from a very old server to a new server that supports SSL, and upgraded from Apache Tomcat 6 to Apache Tomcat 9.0.54. 現在，當我的服務器上運行的代碼嘗試使用此代碼向 trustspot 服務器（受信任的評論站點）發送請求時

    try
    {
        HttpClient httpclient = new DefaultHttpClient();
    
        this.order=order;
        String dataForHmac      = MERCHANT_ID + order.getOrderId() + order.getCustomerEmail();
        String calculatedHmac   = base64sha256(dataForHmac, SECRET_KEY);
        order.setHmac(calculatedHmac);
        order.setKey(API_KEY);
    
        Gson gson = new GsonBuilder().setFieldNamingPolicy(FieldNamingPolicy.LOWER_CASE_WITH_UNDERSCORES).setPrettyPrinting().create();
        System.out.println(gson.toJson(order));
    
        String jsonData = gson.toJson(order);
    
        url = new URL("https://trustspot.io/api/pub/new_order_product");
        httpMethod = new HttpPost(url.toExternalForm());
        httpMethod.addHeader("Content-Type", "application/json");
        StringEntity se = new StringEntity(jsonData);
        httpMethod.setEntity(se);
        HttpResponse httpResponse = httpclient.execute(httpMethod);
        InputStreamReader is = new InputStreamReader(httpResponse.getEntity().getContent());
        BufferedReader rd;
        rd = new BufferedReader(is);
    
        String line = "";
        while ((line = rd.readLine()) != null)
        {
            System.out.println(line);
        }
    }
    catch(Exception ex)
    {
        StringWriter messageBody = new StringWriter();
        PrintWriter pw = new PrintWriter(messageBody);
        ex.printStackTrace(pw);
        Email.sendAlert("Unable to send trustpot review request:"+ order.getCustomerEmail(), messageBody.toString());
    }

我明白了

javax.net.ssl.SSLException: Received close_notify during handshake 

我該如何解決這個問題？

    javax.net.ssl.SSLException: Received close_notify during handshake
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1911)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2012)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:553)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at com.jthink.store.trustspot.TrustSpotProductRequest.sendRequest(TrustSpotProductRequest.java:68)
        at com.jthink.store.googleprocess.AbstractCreateAndSendLicense.requestReview(AbstractCreateAndSendLicense.java:306)
        at com.jthink.store.googleprocess.CreateAndSendSongKongLicense.createAndSendLicense(CreateAndSendSongKongLicense.java:120)
        at com.jthink.store.action.VerifyPaymentEJunkie.processEachItem(VerifyPaymentEJunkie.java:169)
        at com.jthink.store.action.VerifyPaymentEJunkie.handleRequest(VerifyPaymentEJunkie.java:82)
        at com.jthink.store.JThinkStoreServlet.doGet(JThinkStoreServlet.java:45)
        at com.jthink.store.JThinkStoreServlet.doPost(JThinkStoreServlet.java:32)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)

我正在使用 Java 1.8.0_161-b12

在設置-Dhttps.protocols=TLSv1和-Dhttps.protocols=TLSv1.1, TLSv1.2但沒有區別

更新在 class 中添加了一個 main()，所以現在我可以在 tomcat 之外的機器上運行測試，它以完全相同的方式失敗

java -classpath classes:lib/*  com.jthink.store.trustspot.TrustSpotProductRequest -Dhttps.protocols=TLSv1

給出同樣的例外

javax.net.ssl.SSLException: Received close_notify during handshake

在我的 PC 上運行完全相同的代碼可以正常工作。

更新 2

使用-Djavax.net.debug=ssl:handshake

trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1621095199 bytes = { 214, 189, 173, 184, 228, 255, 156, 82, 153, 122, 143, 245, 185, 144, 166, 172, 32, 10, 144, 123, 158, 248, 38, 4, 84, 67, 13, 79 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=trustspot.io]
***
main, WRITE: TLSv1.2 Handshake, length = 146
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  warning, close_notify
main, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received close_notify during handshake
main, called close()
main, called closeInternal(true)

在我的電腦上，我可以看到的區別是它也有 Extension elliptic_curves和 Extension ec_point_formats ，我需要它們嗎？

握手的長度也不同。

Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=trustspot.io]
***
main, WRITE: TLSv1.2 Handshake, length = 214
main, READ: TLSv1.2 Handshake, length = 91

Answer 1

問題是我的 Java 版本，（答案來自@dave_thompson_085 評論，我不完全理解細節，如果沒有完全正確解釋，請見諒）

I was using Java 1.8.0_161-b12 on a linux centos machine, turns out this version doesnt support elliptic curve suites for TLS 1.2, but the server I was connecting to only supports ECHDE and this requires use of elliptic curve algorithm so therefore would not工作。

更新到 jdk1.8.0_202 現在可以工作了

Answer 2

通常 SSL 問題與證書問題有關，您確定您的舊證書仍然有效且配置正確，如果不是我建議先將其添加到服務器中