【问题标题】:SSLHandshakeException : jetty server does not pick any of cipher to initiate SSL handshakeSSLHandshakeException:码头服务器没有选择任何密码来启动 SSL 握手
【发布时间】:2017-05-30 10:11:22
【问题描述】:

客户端在发送请求时发送密码列表,但 cxf-jetty 服务器 不接受任何给定的密码并关闭会话。 下面是来自服务器端的 SSL 日志。当服务器使用 jdk6 运行但不使用更高版本的 java 时,它可以工作。我尝试设置 https.protocol 但没有任何帮助。我验证了所有密钥库也在 cacerts 中更新。任何线索或帮助将不胜感激? 还使用 org.apache.cxf.jaxws.JaxWsServerFactoryBean 创建服务器

tp1402834900-33,阅读:TLSv1.2 握手,长度 = 227 *** 客户端您好,TLSv1.2 RandomCookie: GMT: 1496138621 字节 = { 96, 63, 100, 252, 232, 36, 198, 68, 124, 190, 117, 1, 205, 237, 23, 156, 66, 68, 27, 72, 46, 44、245、6、67、240、24、181} 会话 ID:{} 密码套件:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA、TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA、TLS_ECDH_RSA_WITH_AES_128_CBC_SHA、TLS_DHE_RSA_WITH_AES_128_CBC_SHA、 TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA、SSL_RSA_EXPORT_WITH_DES40_CBC_SHA、SSL_DHE_RSA_EXPORT_WITH_DES40 _CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS 压缩方法:{0} 扩展椭圆曲线,曲线名称:{secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1} 扩展 ec_point_formats,格式:[未压缩] 扩展签名算法,签名算法:SHA512withECDSA,SHA512withRSA,SHA384withECDSA,SHA384withRSA,SHA256withECDSA,SHA256withRSA,未知(哈希:0x4,签名:0x2),SHA1withECDSA,SHA1withRSA,SHA1withDSA *** [阅读] MD5 和 SHA1 哈希:len = 227 ... %% 已初始化:[Session-12,SSL_NULL_WITH_NULL_NULL] qtp1402834900-29,调用closeOutbound() qtp1402834900-29,closeOutboundInternal()

来自客户端的日志显示 SSLHandshake 异常

线程 38,写入:TLSv1.2 握手,长度 = 227 线程 38,收到 EOFException:错误 Thread-38,处理异常:javax.net.ssl.SSLHandshakeException: Remote 握手期间主机关闭连接 Thread-38,发送 TLSv1.2 ALERT:致命,描述 = handshake_failure 线程 38,写入:TLSv1.2 警报,长度 = 2 Thread-38,称为 closeSocket Thread-38,称为关闭 Thread-38,称为 closeInternal

【问题讨论】:

    标签: ssl encryption jetty cxf handshake


    【解决方案1】:

    Java 6 已经很老了,被认为是 Oracle 的生命终结。

    当您升级 Java 版本时,您也在快速升级在公共互联网上拥有安全和加密连接的意义。

    例如:

    • SSLv3 已被弃用和禁用。
    • 数百个密码已被弃用和禁用。
    • 引入了 TLS/1.1 和 TLS/1.2

    要想取得成功,您必须有一个客户端,它可以将 TLS/1.2 与现代密码套件进行通信,并且没有已弃用或禁用的密码套件或协议。

    这意味着没有 SHA1、没有 MD5、没有小的 RSA 密钥、没有 SSLv3、没有 RC4 等等......

    完整列表参见 JVM 禁用列表 ...

    $ grep -E "^j.*disabled" $JAVA_HOME/jre/lib/security/java.security
    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    

    对于 Jetty 9.3+,您可以启用服务器启动转储,并查看 SslContextFactory 详细信息,这将显示实际启用了哪些协议和密码。

    $ cd /path/to/mybase && \
     java -jar /path/to/jetty-dist.jar -Djetty.dump.start=true
    
    SslContextFactory@1ed4004b(null,null) trustAll=false
     +- Protocol Selections
     |   +- Enabled (size=3)
     |   |   +- TLSv1
     |   |   +- TLSv1.1
     |   |   +- TLSv1.2
     |   +- Disabled (size=2)
     |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
     |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
     +- Cipher Suite Selections
         +- Enabled (size=15)
         |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
         |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
         |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
         |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
         |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
         |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
         |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
         |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
         |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
         |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
         +- Disabled (size=42)
             +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
             +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
             +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
             +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
    

    为了取得长期成功,您必须使您的 java JVM 保持最新并遵守每个版本的 JVM 到期日期,因为 JVM 上的安全层确实会快速更新(在错误、实现和配置方面)。如果您计划在公共互联网上使用加密或计划支持现代网络浏览器(也遵循协议和密码套件的弃用),则这是一项非可选要求

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2018-10-24
      • 2013-03-10
      • 1970-01-01
      • 1970-01-01
      • 2019-02-12
      • 1970-01-01
      • 1970-01-01
      • 2016-03-02
      相关资源
      最近更新 更多