扩展server_name(SNI扩展)不与jdk1.8.0一起发送,而是与jdk1.7.0一起发送 [英] Extended server_name (SNI Extension) not sent with jdk1.8.0 but send with jdk1.7.0
问题描述
我已经使用ApacheCXF(v3.0.4)实现了一个JAX-WS客户端,一切都运行成功,但问题出现在我想使用java 8(jdk1.8.0_25)的安全连接(SSL / TLS)时。
I have implemented a JAX-WS client by using ApacheCXF (v3.0.4) and everything works successfully but the problem comes when I want to use a secure connection (SSL/TLS) with java 8 (jdk1.8.0_25).
我在日志中看到以下异常(-Djavax.net.debug = all):
I see the following exception in log (-Djavax.net.debug=all):
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
在对依赖者进行分析之后,我发现问题是由于Java 8没有发送server_name(SNI)但是使用Java 7发送它并且Web服务调用成功运行。
After a depeer analysis I have observed the problem is caused because the with Java 8 the server_name (SNI) is not sent but with Java 7 it is sent and the web service invocation works successfully.
Java 8日志(-Djavax.net.debug = all):缺少Extension server_name
Java 8 log (-Djavax.net.debug=all): Missing "Extension server_name"
[...]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[...]
Java 7日志(-Djavax.net.debug = all)(正常):扩展服务器名称已设置
Java 7 log (-Djavax.net.debug=all) (works): "Extension server_name" is set
[...]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: testeo.hostname.es]
***
[...]
在Java 7中观察到扩展服务器名称,server_name :[host_name:testeo.hostname.es] 已设置,然后Web服务调用成功。
It is observed that with Java 7 the Extension server_name, server_name: [host_name: testeo.hostname.es] is set and then the web service invocation works successfully.
为什么Java 8没有将server_name设置为Java 7做了什么?它是Java配置问题吗?
Why didn't Java 8 set the server_name as Java 7 did? Is it a Java configuration issue?
推荐答案
如前所述,原因与使用setHostnameVerifier()打破SNI的JDK错误有关(扩展服务器名称)。
https://bugs.openjdk.java.net/browse/JDK-8144566
As mentioned, the cause is related to the JDK bug where using setHostnameVerifier() breaks SNI (Extension server_name). https://bugs.openjdk.java.net/browse/JDK-8144566
我们的解决方法:
经过测试,我们发现将连接的SSLSocketFactory设置为默认的任何东西似乎都可以解决问题。
Our workaround: After testing we found that setting a connection's SSLSocketFactory to just about anything from the default seems to fix the issue.
这不起作用:
HttpsURLConnection.setSSLSocketFactory((SSLSocketFactory)SSLSocketFactory.getDefault());
这确实有效:
HttpsURLConnection.setSSLSocketFactory(new SSLSocketFactoryFacade());
因此,要为JAX-WS客户端修复它,您可以执行以下操作:
bindingProvider.getRequestContext()。put(com。 sun.xml.internal.ws.transport.https.client.SSLSocketFactory,new SSLSocketFactoryFacade());
So, to fix it for a JAX-WS client, you could do something like this:
bindingProvider.getRequestContext().put("com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory", new SSLSocketFactoryFacade());
我们的SSLSocketFactory门面:(请注意,它确实没有做任何事情)
Our SSLSocketFactory facade: (Note that it really doesn't do anything)
public class SSLSocketFactoryFacade extends SSLSocketFactory {
SSLSocketFactory sslsf;
public SSLSocketFactoryFacade() {
sslsf = (SSLSocketFactory) SSLSocketFactory.getDefault();;
}
@Override
public String[] getDefaultCipherSuites() {
return sslsf.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return sslsf.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
return sslsf.createSocket(socket, s, i, b);
}
@Override
public Socket createSocket(String s, int i) throws IOException, UnknownHostException {
return sslsf.createSocket(s, i);
}
@Override
public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException {
return sslsf.createSocket(s, i, inetAddress, i1);
}
@Override
public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
return createSocket(inetAddress, i);
}
@Override
public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException {
return createSocket(inetAddress, i, inetAddress1, i1);
}
}
这篇关于扩展server_name(SNI扩展)不与jdk1.8.0一起发送,而是与jdk1.7.0一起发送的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!