【Question title】: Jboss - handshake failure - client connection using TLSv1.1 instead of TLSv1.2
【Posted】: 2016-07-04 16:04:36
【Question】:

I have JBoss version 6.3.0.GA, using Java version 1.7.0_71. My colleagues on the remote server changed the allowed TLS protocol from 1.1 to 1.2, and now I have to update my client (deployed in JBoss). The problem is that, after this change, I receive:

faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

In the SSL debug output I see:

5:22:43,921 INFO  [stdout] (http-/0.0.0.0:8080-1) *** ClientHello, TLSv1
15:22:43,923 INFO  [stdout] (http-/0.0.0.0:8080-1) RandomCookie:  GMT: 1467638563 bytes = { 250, 245, 94, 108, 232, 16, 43, 124, 53, 95, 38, 104, 249, 96, 71, 207, 230, 7, 84, 183, 41, 224, 63, 213, 186, 7, 179, 255 }
15:22:43,923 INFO  [stdout] (http-/0.0.0.0:8080-1) Session ID:  {}
15:22:43,923 INFO  [stdout] (http-/0.0.0.0:8080-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
15:22:43,924 INFO  [stdout] (http-/0.0.0.0:8080-1) Compression Methods:  { 0 }
15:22:43,924 INFO  [stdout] (http-/0.0.0.0:8080-1) Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
15:22:43,924 INFO  [stdout] (http-/0.0.0.0:8080-1) Extension ec_point_formats, formats: [uncompressed]
15:22:43,925 INFO  [stdout] (http-/0.0.0.0:8080-1) Extension server_name, server_name: [host_name: cxg7d.test.centurylink.com]
15:22:43,925 INFO  [stdout] (http-/0.0.0.0:8080-1) ***
15:22:43,925 INFO  [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, WRITE: TLSv1 Handshake, length = 184
15:22:43,958 INFO  [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, READ: TLSv1.2 Alert, length = 2
15:22:43,959 INFO  [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, RECV TLSv1 ALERT:  fatal, handshake_failure
15:22:43,959 INFO  [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, called closeSocket()
15:22:43,960 INFO  [stdout] (http-/0.0.0.0:8080-1) http-/0.0.0.0:8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
15:22:43,963 ERROR [stderr] (http-/0.0.0.0:8080-1) AxisFault
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1)  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1)  faultSubcode: 
15:22:43,964 ERROR [stderr] (http-/0.0.0.0:8080-1)  faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Even after applying the following changes:

1 - Updated "standalone.xml" with the following values:

<system-properties>
    <property name="https.protocols" value="TLSv1.2"/>
</system-properties>

2 - Added the following JAVA options to the server startup:

-Djavax.net.debug=all -Ddeployment.security.TLSv1.2=true -Ddeployment.security.TLSv1.2=true -Ddeployment.security.TLSv1=false -Dhttps.protocols=TLSv1.2

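3 - Changed the protocols graphically in the Java console (JDK control panel)

But nothing changed; the handshake failure is still there. I guess the error is in the "Client Hello", which is still using TLSv1 instead of 1.2. Do you have any suggestion for forcing this value? S.

【Question comments】:

    Tags: java jboss java-7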


    【Answer 1】:

    It is not possible to force TLSv1.2 for Java 1.7.0_71 using the properties file. The only way that works is to add the following Java code to the program:

    socket.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});
    

    【Comments】:
