如果服务器不支持 SSLv3,为什么 Java SSL 套接字连接会失败

【问题标题】:Why does the Java SSL socket connection fail hard if server does not support SSLv3如果服务器不支持 SSLv3,为什么 Java SSL 套接字连接会失败
【发布时间】:2015-03-08 18:33:47
【问题描述】:

在提供商禁用 SSLv3 后,我们与 JDK 7 对 www1.ecall.ch 的 CXF 调用开始失败,我不明白为什么。通过设置-Dhttps.protocols=TLSv1 解决了这个问题,但我很惊讶这甚至是必要的。

JDK 7/8 支持所有 SSLv2Hello(2)、SSLv3、TLSv1、TLSv1.1 和 TLSv1.2,我希望

  1. JVM 在握手期间尝试自上而下,即首先从 TLSv1.2 开始,然后
  2. 即使服务器不支持 SSLv3 也能建立连接

这是设置 -Dhttps.protocols=TLSv1 之前 SSL 调试日志的相关部分,即使用 JVM 默认值(我在开头切断了所有证书的列表):

trigger seeding of SecureRandom
done seeding SecureRandom
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(180000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
%% No cached client session
*** ClientHello, SSLv3
RandomCookie:  GMT: 1403944475 bytes = { 12, 68, 193, 229, 85, 79, 86, 211, 209, 34, 251, 218, 184, 7, 51, 93, 180, 144, 114, 70, 105, 252, 31, 61, 151, 188, 165, 177 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: www1.ecall.ch]
***
[write] MD5 and SHA1 hashes:  len = 205
0000: 01 00 00 C9 03 00 54 AE   7E 1B 0C 44 C1 E5 55 4F  ......T....D..UO
0010: 56 D3 D1 22 FB DA B8 07   33 5D B4 90 72 46 69 FC  V.."....3]..rFi.
0020: 1F 3D 97 BC A5 B1 00 00   4C C0 09 C0 13 00 2F C0  .=......L...../.
0030: 04 C0 0E 00 33 00 32 C0   07 C0 11 00 05 C0 02 C0  ....3.2.........
0040: 0C C0 08 C0 12 00 0A C0   03 C0 0D 00 16 00 13 00  ................
0050: 04 00 FF 00 09 00 15 00   12 00 03 00 08 00 14 00  ................
0060: 11 00 20 00 24 00 1F 00   23 00 1E 00 22 00 28 00  .. .$...#...".(.
0070: 2B 00 26 00 29 01 00 00   54 00 0A 00 34 00 32 00  +.&.)...T...4.2.
0080: 17 00 01 00 03 00 13 00   15 00 06 00 07 00 09 00  ................
0090: 0A 00 18 00 0B 00 0C 00   19 00 0D 00 0E 00 0F 00  ................
00A0: 10 00 11 00 02 00 12 00   04 00 05 00 14 00 08 00  ................
00B0: 16 00 0B 00 02 01 00 00   00 00 12 00 10 00 00 0D  ................
00C0: 77 77 77 31 2E 65 63 61   6C 6C 2E 63 68           www1.ecall.ch
main, WRITE: SSLv3 Handshake, length = 205
[write] MD5 and SHA1 hashes:  len = 179
0000: 01 03 00 00 8A 00 00 00   20 00 C0 09 06 00 40 00  ........ .....@.
0010: C0 13 00 00 2F 00 C0 04   01 00 80 00 C0 0E 00 00  ..../...........
0020: 33 00 00 32 00 C0 07 05   00 80 00 C0 11 00 00 05  3..2............
0030: 00 C0 02 00 C0 0C 00 C0   08 00 C0 12 00 00 0A 07  ................
0040: 00 C0 00 C0 03 02 00 80   00 C0 0D 00 00 16 00 00  ................
0050: 13 00 00 04 01 00 80 00   00 FF 00 00 09 06 00 40  ...............@
0060: 00 00 15 00 00 12 00 00   03 02 00 80 00 00 08 00  ................
0070: 00 14 00 00 11 00 00 20   00 00 24 00 00 1F 00 00  ....... ..$.....
0080: 23 00 00 1E 00 00 22 00   00 28 00 00 2B 00 00 26  #....."..(..+..&
0090: 00 00 29 54 AE 7E 1B 0C   44 C1 E5 55 4F 56 D3 D1  ..)T....D..UOV..
00A0: 22 FB DA B8 07 33 5D B4   90 72 46 69 FC 1F 3D 97  "....3]..rFi..=.
00B0: BC A5 B1                                           ...
main, WRITE: SSLv2 client hello message, length = 179
[Raw write]: length = 181
0000: 80 B3 01 03 00 00 8A 00   00 00 20 00 C0 09 06 00  .......... .....
0010: 40 00 C0 13 00 00 2F 00   C0 04 01 00 80 00 C0 0E  @...../.........
0020: 00 00 33 00 00 32 00 C0   07 05 00 80 00 C0 11 00  ..3..2..........
0030: 00 05 00 C0 02 00 C0 0C   00 C0 08 00 C0 12 00 00  ................
0040: 0A 07 00 C0 00 C0 03 02   00 80 00 C0 0D 00 00 16  ................
0050: 00 00 13 00 00 04 01 00   80 00 00 FF 00 00 09 06  ................
0060: 00 40 00 00 15 00 00 12   00 00 03 02 00 80 00 00  .@..............
0070: 08 00 00 14 00 00 11 00   00 20 00 00 24 00 00 1F  ......... ..$...
0080: 00 00 23 00 00 1E 00 00   22 00 00 28 00 00 2B 00  ..#....."..(..+.
0090: 00 26 00 00 29 54 AE 7E   1B 0C 44 C1 E5 55 4F 56  .&..)T....D..UOV
00A0: D3 D1 22 FB DA B8 07 33   5D B4 90 72 46 69 FC 1F  .."....3]..rFi..
00B0: 3D 97 BC A5 B1                                     =....
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
main, called close()
main, called closeInternal(true)
[...upper part of stacktrace...]
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
    at sun.security.ssl.InputRecord.read(InputRecord.java:480)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
[...remaining part of stacktrace...]

如果我做对了,JVM 先尝试 SSLv3 Handshake,然后再尝试 SSLv2 client hello message,然后再诉诸 TLSv1。

但是当我启用 TLS 作为它唯一支持的协议时,为什么它在尝试 TLSv1 之后却失败了?服务器 (IIS 8.5) 是否会尝试一些非常规的握手,从而导致套接字连接跳闸?

【问题讨论】:

  • 你能做一个真正的数据包捕获并将它发布到cloudshark.org吗?从调试输出中很难理解发生了什么,但它不可能是 SSLv3 握手,因为有一个 server_name 扩展名,仅支持 TLS1.0+。
  • 此跟踪包含 SSLv2 客户端握手。因此,您没有将 TLS 作为唯一启用的协议。您也或更有可能启用了 SSLv2ClientHello。
  • @EJP,调试日志显示设置-Dhttps.protocols=TLSv1 之前发生了什么。我刚刚更新了问题以避免这种误解。

标签: java sockets ssl


【解决方案1】:

JVM(更准确地说是 JSSE)不尝试自上而下。它遵循 RFCs(包括 SSLv2 ClientHello 的附录)并发送 一个 ClientHello 说明支持的最高版本,服务器可以回复任何小于或等于该版本的版本。如果服务器认为我们的最高值太低,它会直接拒绝握手。如果服务器(暂时)接受我们认为太低的版本(或者想跳过,但这很愚蠢),我们会中止握手。正是浏览器“退回”到较低协议的常见行为导致了 POODLE(请参阅许多关于哪个问题的问题)。

在这种情况下,出现的javax.net.debug 跟踪具有误导性。如果启用了 SSLv2Hello——默认情况下它在 Java6 中但在 Java7 中没有,你是否在某个地方进行了更改? -- JSSE 显然为 SSLv3+(新格式)hello 和 SSLv2(映射的旧格式)hello 显示并说“写”,但实际上它只发送后者,(@Steffen)由openssl s_server 确认。

因此很明显,如果没有 https.protocol 更改,您的客户端正在发送 SSLv2 格式的 hello,而服务器正在拒绝它。这不是绝对必要的:技术上可以使用 SSLv2 format 来协商 TLSv1.0 甚至更高版本,例如 OpenSSL 可以这样做,但这不是一个好主意; SSLv2 protocol 自 2001 年左右就被认为是不安全的,并在 2011 年被 RFC 6176 正式禁止,并且 SSLv2 format hello 不支持包括那些半安全的扩展。 ECC、1.2 中的 sigalgs 和(如@Steffen 所指出的)当今许多网络服务器需要或想要的 SNI。很可能服务器禁止 SSLv3 的配置也有禁止 SSLv2 format 的效果,这将是我的赌注,如果是这样,那是最好的。

另外:您的代码(或者可能是库)中的某些内容似乎启用了所有或几乎所有受支持的密码。这是一个坏主意。 Your hello 提供多年来不安全的单 DES 套件,永远不安全的导出套件,以及在 Internet 上完全没用的 Kerberos 套件,包括无用的 Kerberos 导出套件完全没有安全感。体面的服务器不会同意这些,但如果您碰巧连接到配置错误或不正常的服务器,您将获得明显成功的连接,并且除非您密切监视,否则不会注意到它是不安全的。

【讨论】:

  • 很好的答案,谢谢!同时,我发现了 Oracle 的 Debugging SSL/TLS Connections(这次似乎包含了适合 Google 的关键词),这确实确​​实有帮助。此外,我在 Oracle 的 JSSE Reference Guide->“发送 ClientHello 消息后断开的套接字”中找到了一个关于这个确切案例的小章节,其中还谈到了 SSLv2 format ClientHello。
  • 我还跟进了您关于密码的宝贵意见。我不熟悉我正在维护的旧代码库的 那个 角落,我发现不是最优的 Apache CXF SSL/TLS 配置是造成所有问题的原因。一旦我解决了这个问题,我也可以省略 -Dhttps.protocols JVM 参数。作为记录,这里是 CXF 文档:cxf.apache.org/docs/…
猜你喜欢
  • 2019-04-21
  • 2020-07-23
  • 1970-01-01
  • 2022-07-23
  • 2011-11-28
  • 2018-01-06
  • 2013-10-10
  • 2017-10-28
  • 2015-01-11
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode