Java SSL:服务主体名称无效

【问题标题】:Java SSL: Invalid service principal nameJava SSL:服务主体名称无效
【发布时间】:2015-10-16 12:35:15
【问题描述】:

我在游戏的 Java 服务器上运行了“sudo yum update”,现在尝试通过游戏客户端连接时出现以下错误:

[2015-07-26 01:58:12] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote port = 34215
[2015-07-26 01:58:12] [Thread-2] INFO -    Local socket address = /192.168.1.4:59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-26 01:58:12] [Thread-2] INFO -    Local port = 59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Need client authentication = false
[2015-07-26 01:58:17] [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-07-26 01:58:17] [Thread-2] INFO -    Protocol = NONE
[2015-07-26 01:58:17] [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

5 天前,这是我从客户端连接到游戏服务器时看到的:

[2015-07-21 00:07:34] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote port = 34215
[2015-07-21 00:07:34] [Thread-2] INFO -    Local socket address = /192.168.1.4:61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-21 00:07:34] [Thread-2] INFO -    Local port = 61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Need client authentication = false
[2015-07-21 00:07:34] [Thread-2] INFO -    Cipher suite = TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-07-21 00:07:34] [Thread-2] INFO -    Protocol = TLSv1.2

我以为是我的 keystore.jks 文件的证书已过期,但我什至尝试使用刚刚用startssl更新的证书进行更新,但无济于事。任何帮助将不胜感激。

理想情况下,我想解决这个问题(这样我就可以继续更新我的 EC2 服务器)。

编辑

我使用以下命令在上次更新列表中找到了以下 java 更新: rpm -qa --last

java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64 Sun 26 Jul 2015 12:23:17 AM EDT

EDIT2

客户:

[2015-08-04 08:32:16] 15 [main] INFO - java.version: 1.8.0_20
[2015-08-04 08:32:17] 1028 [AWT-EventQueue-0] DEBUG - conf/
[2015-08-04 08:32:17] 1185 [main] INFO - Contacting Download Server...
...
[2015-08-04 08:32:57] 40786 [main] INFO - Finished updating game files!
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_NULL_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote port = 34215
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local socket address = /192.168.1.8:56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local address = /192.168.1.8
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local port = 56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Need client authentication = false
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Protocol = NONE
[2015-08-04 08:33:12] 55889 [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

服务器:

65795 [main] DEBUG - handleConnections thread started
65795 [main] DEBUG - Server is running on port 34215
124540 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
124543 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
125142 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
125152 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126102 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
126105 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126107 [connectionHandlerThread] INFO - Server socket class: class sun.security.ssl.SSLServerSocketImpl
126107 [connectionHandlerThread] INFO -    Socket address = 0.0.0.0/0.0.0.0
126107 [connectionHandlerThread] INFO -    Socket port = 34215
126108 [connectionHandlerThread] INFO -    Need client authentication = false
126108 [connectionHandlerThread] INFO -    Want client authentication = false
126108 [connectionHandlerThread] INFO -    Use client mode = false
126108 [connectionHandlerThread] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
126108 [connectionHandlerThread] INFO -    Remote address = /173.54.54.76
126108 [connectionHandlerThread] INFO -    Remote port = 56729
126108 [connectionHandlerThread] INFO -    Local socket address = /172.31.25.254:34215
126108 [connectionHandlerThread] INFO -    Local address = /172.31.25.254
126108 [connectionHandlerThread] INFO -    Local port = 34215
126109 [connectionHandlerThread] INFO -    Need client authentication = false
131889 [connectionHandlerThread] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
131889 [connectionHandlerThread] INFO -    Protocol = NONE
131890 [connectionHandlerThread] FATAL - Socket connection could not be made!!
131890 [connectionHandlerThread] ERROR - client bad connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508)
        at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4770)
        at com.jayavon.game.server.MyServer.access$0(MyServer.java:4739)
        at com.jayavon.game.server.MyServer$1.run(MyServer.java:435)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1098)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2233)
        at com.jayavon.game.server.MyServer.printSocketInfo(MyServer.java:4725)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4758)
        ... 3 more

【问题讨论】:

  • 也许您证书上的 keyUsage 不好?尝试关注stackoverflow.com/a/12150604/2646526
  • 您使用的是哪个 java 版本? java更新了吗?请注意,错误中未正确列出密码套件。
  • Java 版本 1.7.0_85... 我发现了相同的帖子,但不使用 openssl。我试图记住我是如何创建我的密钥的:X。我的目标是保护我的 mmorpg(Java 客户端/Java 服务器),因此当有人使用我的 java fat 客户端登录他们的帐户时,就不会出现窥探等情况。

标签: java ssl yum openjdk sslexception


【解决方案1】:

最初(即在您通过 rpm 更新系统之前),您使用的密码套件 TLS_DH_anon_WITH_AES_128_CBC_SHA256 没有 Diffie-Hellman 密钥交换身份验证。 (注:容易受到中间人攻击的协议)

根据Red Hat Customer PortalAmazon Linux AMI Security Center)最近发布了一个critical java-1.7.0-openjdk 安全更新。由于此问题,您肯定会遇到上述问题,如下所述:

在 TLS 协议组成 Diffie-Hellman 的方式中发现了一个缺陷 (DH) 密钥交换。中间人攻击者可以利用这个漏洞 在密钥交换期间强制使用弱 512 位出口级密钥, 允许他们解密所有流量。 (CVE-2015-4000)

注意:此更新强制 OpenJDK 中的 TLS/SSL 客户端实现 拒绝 768 位以下的 DH 密钥大小,这会阻止会话 降级为出口级密钥。请参阅 Red Hat Bugzilla 错误 1223211, 链接到参考部分,有关此的更多详细信息 改变。

这至少在一定程度上解释了为什么您现在收到Cipher suite = SSL_NULL_WITH_NULL_NULL,因为您的系统上似乎不再提供原始密码套件(或者它现在已被禁用)。您提供的输出中的 Protocol = NONE 也支持这一点。

Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7”概述文档的默认禁用密码套件列表中也包含您的原始密码套件。所以我认为 OpenJDK 实现确实相应地解决了这个安全问题(参见上面的 URL 参考)。

一般来说,这个针对 Java 的安全修复与所谓的Logjam attack 相关,建议是:

确保您使用的任何 TLS 库都是最新的,您维护的服务器使用 2048 位或更大的素数,并且您维护的客户端拒绝小于 1024 位的 Diffie-Hellman 素数

作为一个解决方案,也许您可​​以更改您的游戏应用程序(客户端和/或服务器)的 SSL/加密设置以使用 -@ 987654332@密码套件?

查看 Oracle 提供的文档中的 Default Enabled Cipher Suites 或查看@dolmen 提供的检测Enabled ciphers on Ubuntu OpenJDK 7 的简单而有效的工具。

编辑 1:

看看这个StackOverflow postanswer by @EJP 它看起来和你的 StackTrace 非常相似 (*hooray!)。看来你比较好……

不要乱用启用的密码套件。取出该代码并重新测试。您已启用匿名套件,通过它在任何方向都没有任何身份验证。

因此,您可以将代码更改为不显式使用setEnabledCipherSuites(..),因为它启用了默认未启用的密码套件(“DH-anon”...)。如果你按照描述的那样取出这些代码行,试着检查结果是什么。

也许选择TLS_ECDH_anon_WITH_AES_128_CBC_SHA 作为密码套件(这里没有经典的 DH 参数)。但是,因此您应该在服务器端更新到 OpenJDK 8 或 Oracle JRE/JDK 8,因为这在 OpenJDK 7 中不可用(请参阅您的服务器调试日志输出)。

希望,它会有所帮助。

【讨论】:

  • 非常感谢您提供的信息!!!这是我的问题:我已经启用了所有受支持的密码套件。我还能做些什么来启用更多功能吗?字符串[] 套件 = sC.getSupportedCipherSuites(); sC.setEnabledCipherSuites(suites);
  • “getSupportedCipherSuites()”的输出是什么?该阵列中有哪些套房?您能否验证您的客户端是否可以使用您的服务器应用程序也支持的 CipherSuite?
  • 我需要稍后回家查看。如果我在客户端和服务器上同时使用 java 1.7,不应该有什么共同点吗?我是否需要下载其他密码套件或其他东西?
  • 我提供了 EDIT2,其中包含用于客户端和服务器的密码套件。在 Notepad++ 中运行比较,我发现共有 34 个套件。如果您需要更多详细信息,请告诉我:D,非常感谢您到目前为止的所有帮助!!!
  • 如果我记得我在没有这些代码行时遇到了问题,这就是添加它们的原因。今晚我会试一试,然后从那里开始。我会根据需要在这里更新。即使我的问题没有解决,我也会奖励你我的赏金,作为对你所有帮助的感谢。我想我被指出了能够解决这个问题的正确方向。有时在我的游戏中摇摆 - 希望服务器会启动:D
猜你喜欢
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2017-11-24
  • 1970-01-01
  • 1970-01-01
  • 2012-08-06
  • 2021-08-13
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode