SSLHandshakeException:jetty服务器不选择任何密码来启动SSL握手
问题描述:
客户端在发送请求时发送密码列表,但cxf-jetty服务器 不接受任何给定的密码并关闭会话。下面的 是来自服务器端的SSL日志。它在服务器使用jdk6运行时工作,但不与更高版本的java一起运行。我尝试设置https.protocol,但没有任何帮助。我验证了所有密钥库也在cacerts中更新。任何线索或帮助将不胜感激? 也服务器使用org.apache.cxf.jaxws.JaxWsServerFactoryBeanSSLHandshakeException:jetty服务器不选择任何密码来启动SSL握手
tp1402834900-33, READ: TLSv1.2 Handshake, length = 227 *** ClientHello, TLSv1.2 RandomCookie: GMT: 1496138621 bytes = { 96, 63, 100, 252, 232, 36, 198, 68, 124, 190, 117, 1, 205, 237, 23, 156, 66, 68, 27, 72, 46, 44, 245, 6, 67, 240, 24, 181 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA1withECDSA, SHA1withRSA, SHA1withDSA *** [read] MD5 and SHA1 hashes: len = 227 ... %% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL] qtp1402834900-29, called closeOutbound() qtp1402834900-29, closeOutboundInternal()
和日志从客户端创建显示SSLHandshake例外
Thread-38, WRITE: TLSv1.2 Handshake, length = 227 Thread-38, received EOFException: error Thread-38, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake Thread-38, SEND TLSv1.2 ALERT: fatal, description = handshake_failure Thread-38, WRITE: TLSv1.2 Alert, length = 2 Thread-38, called closeSocket Thread-38, called close Thread-38, called closeInternal
答
Java 6中已经很老了,并认为结束生命与甲骨文。
当您升级Java版本时,您也正在快速升级在公共互联网上具有安全和加密连接的含义。
如:
- SSLv3的被废弃和残疾人。
- 数百个密码被弃用和禁用。
- TLS/1.1和TLS/1.2中引入
让你有成功,你MUST有客户,讨论TLS/1.2与现代密码套件,并没有过时或禁用密码套件或协议。
这意味着没有SHA1,没有MD5,不小的RSA密钥长度,没有SSLv3的,没有RC4等..
有关完整列表,请参阅JVM的伤兵名单...
$ grep -E "^j.*disabled" $JAVA_HOME/jre/lib/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
对于Jetty 9.3+,您可以启用服务器启动转储,然后查看SslContextFactory
的详细信息,这将显示实际启用了哪些协议和密码。
$ cd /path/to/mybase && \
java -jar /path/to/jetty-dist.jar -Djetty.dump.start=true
[email protected](null,null) trustAll=false
+- Protocol Selections
| +- Enabled (size=3)
| | +- TLSv1
| | +- TLSv1.1
| | +- TLSv1.2
| +- Disabled (size=2)
| +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
+- Cipher Suite Selections
+- Enabled (size=15)
| +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| +- TLS_RSA_WITH_AES_128_CBC_SHA256
| +- TLS_RSA_WITH_AES_128_GCM_SHA256
+- Disabled (size=42)
+- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
+- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
+- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
+- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
对于长期的成功,你必须保持你的java JVM最新的,并兑现了JVM到期日期为每一个版本,因为在JVM上的安全层也迅速更新(在错误的方面,实施和配置)。如果您打算在公共互联网上使用加密或计划支持现代Web浏览器(这也遵循协议和密码套件的弃用),则这是非可选要求