Java 8 javax.net.ssl.SSLPeerUnverifiedException:peer未经过身份验证,但不是Java 7 [英] Java 8 javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated, but not Java 7
问题描述
将应用程序从Java 7切换到Java 8时出现问题。更改JDK后,我开始收到此SSLPeerUnverified异常。回到Java7,没有例外。
我发现了这个问题: Java 7的SSL连接失败,这意味着这可能与服务器端问题有关。我们的服务器确实在Ubuntu机器上运行,但它也运行Java8(sun Java8)
不确定还有什么对发布有帮助。如果需要/有用,我可以提供代码示例。我现在没有把它们包括在内,因为好像代码不是问题。
编辑 - 链接到我的SSLSocketFactory扩展名: http://pastebin.com/2j6HDHE7
Edit2 - Http客户端代码:
private HttpClient getHttpClient()抛出GeneralSecurityException,IOException {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType() );
trustStore.load(CommandChannel.class.getResourceAsStream(myKeystore),myPassword.toCharArray());
final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore);
final SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme(http,80,PlainSocketFactory.getSocketFactory()));
registry.register(new Scheme(https,443,sslSocketFactory));
final HttpParams params = new BasicHttpParams();
HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params);
paramsBean.setVersion(HttpVersion.HTTP_1_1);
paramsBean.setContentCharset(UTF_8);
final ClientConnectionManager ccm = new BasicClientConnectionManager(registry);
final DefaultHttpClient httpClient = new DefaultHttpClient(ccm,params);
返回httpClient;
}
包括来自java8& ;;的SSL调试信息。 java7 SSL调试跟踪:
%%没有缓存的客户端会话
*** ClientHello,TLSv1.2
RandomCookie:GMT:1389745002 bytes = {220,201,110,4,38,166,25,166,235,253,71, 242,226,124,22,149,28,207,242,25,201,123,218,56,207,67,195,17}
会话ID:{}
密码套件: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH _RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
压缩方法:{0}
分机elliptic_curves ,曲线名称:{secp256r1,sect163k1,sect163r2,secp192r1,secp224r1,sect233k1,sect233r1,sect283k1,sect283r1,secp384r1,sect409k1,sect409r1,secp521r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,sect163r1,secp192k1,sect193r1,sect193r2,secp224k1 ,sect239k1,secp256k1}
扩展ec_point_formats,格式:[unc ompressed]
扩展signature_algorithms,signature_algorithms:SHA512withECDSA,SHA512withRSA,SHA384withECDSA,SHA384withRSA,SHA256withECDSA,SHA256withRSA,SHA224withECDSA,SHA224withRSA,SHA1withECDSA,SHA1withRSA,SHA1withDSA,MD5withRSA
***
JavaFX应用程序线程,WRITE :TLSv1.2握手,长度= 207
JavaFX应用程序线程,收到EOFException:错误
JavaFX应用程序线程,处理异常:javax.net.ssl.SSLHandshakeException:握手期间远程主机关闭连接
JavaFX应用程序线程,发送TLSv1.2警告:致命,描述= handshake_failure
JavaFX应用程序线程,写:TLSv1.2警报,长度= 2
JavaFX应用程序线程,名为closeSocket()
JavaFX应用程序Thread,IOException in getSession():javax.net.ssl.SSLHandshakeException:握手期间远程主机关闭连接
JavaFX应用程序线程,名为close()
JavaFX应用程序线程,名为closeInternal(true)
JavaFX应用程序线程,名为close()
JavaFX应用程序线程,名为closeInternal(true)
18:49:14,951错误[logger] [LoginController]登录时出错:javax.net.ssl.SSLPeerUnverifiedException: peer未经过身份验证
com.limebrokerage.portal.communication.command.CommandChannelException:javax.net.ssl.SSLPeerUnverifiedException:peer not authenticated
Java 7相同位代码的SSL调试跟踪:
%%没有缓存客户端session
*** ClientHello,TLSv1
RandomCookie:GMT:1389746267 bytes = {91,88,192,29,58,48,211,105,40,40,138,204,154,113 ,233,213,120,99,3,223,26,233,123,150,251,245,186,246}
会话ID:{}
密码套件:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_ SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
压缩方法:{0}
分机elliptic_curves,曲线名称: {secp256r1,sect163k1,sect163r2,secp192r1,secp224r1,sect233k1,sect233r1,sect283k1,sect283r1,secp384r1,sect409k1,sect409r1,secp521r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,sect163r1,secp192k1,sect193r1,sect193r2,secp224k1,sect239k1,secp256k1 }
扩展ec_point_formats,格式:[未压缩]
***
JavaFX应用程序线程,WRITE:TLSv1握手,长度= 149
JavaFX应用程序线程,READ: TLSv1握手,长度= 74
*** ServerHello,TLSv1
RandomCookie:GMT:1389746267 bytes = {179,44,184,192,189,56,33,48,248,204,248, 129,1,214,77,185,206,200,3,148,58,49,98,42,213,229,106,218}
会话ID:{83,214,216,91, 179,44,184,192,189,56,33,48,248,204,248,129,1,214,77,185,206,200,3,148,58,49,98,42,213, 229,106,218}
密码套件:TLS_RSA_WITH_AES_128_CBC_SHA
压缩方法:0
***
警告:ServerHello中没有重新协商指示扩展
%%已初始化:[ Session-1,TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
JavaFX应用程序线程,READ:TLSv1握手,长度= 1522
***证书链
chain [0] = [
[
版本:V3
不肯定是一个答案,但评论时间太长了。
你真正的问题是服务器断开你好并导致 SS LHandshakeException ; SSLPeerUnverifiedException 是附带损害,因为握手未到达身份验证阶段。明显的区别是Java 8正在发送TLSv1.2 ClientHello,其中Java 7发送了TLSv1。
Java 7实现了1.1和1.2,但默认情况下没有启用它们在客户端上; 8,请参阅 https://bugs.openjdk.java.net/browse/JDK-7093640 。正确编写的不支持1.2 的服务器堆栈应该协商下降到1.1或1(.0),但是您的未识别服务器显然没有,或者可能是防火墙之间的某些东西正在搞乱你的联系。如果您拥有或获得OpenSSL,命令行 openssl s_client 将让您轻松尝试不同版本(以及密码和一些选项)以查看哪些功能有效,哪些功能无效。或者你可以 https://www.ssllabs.com/ssltest/ 做他们的罐装但相当彻底测试。
错误条目说你可以设置sysprop jdk.tls.client.protocols 这对我有用在8u05的最小SSLSocket(非HTTP)应用程序中。或者,由于您已经在修改 SSLSocketFactory ,我希望您可以在您创建的套接字上执行 setEnabledProtocols 。 / p>
FWIW,当2012年3月OpenSSL 1.0.1发布时,默默地启用协议1.1和1.2(它在发行说明中很突出,但大约没有人读取发行说明) ,支持列表得到了很多投诉,我猜这些服务器突然开始出现故障,崩溃或挂起,直到客户端恢复到1.0。 OpenSSL最终实现了一种解决方法,可以人为地减少或增加ClientHello中的一些数据,以避免最挑衅的大小;我不知道JSSE是否可以做类似的事情。
I have an issue when switching my application from Java 7 to Java 8. After changing the JDK I start getting this SSLPeerUnverified Exception. Changing back to Java7, there is no exception.
I found this question: SSL connection failing for Java 7 which implies that this may be related to a server side issue. Our server is indeed running on an Ubuntu machine, but it is running Java8 as well (sun Java8)
Not sure what else would be helpful to post. I can provide code samples if needed/useful. I didn't incude them now because it appears as though the code is not the issue.
Edit - link to my extension of SSLSocketFactory: http://pastebin.com/2j6HDHE7
Edit2 - Http client code:
private HttpClient getHttpClient() throws GeneralSecurityException, IOException {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(CommandChannel.class.getResourceAsStream("myKeystore"), "myPassword".toCharArray());
final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore);
final SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
registry.register(new Scheme("https", 443, sslSocketFactory));
final HttpParams params = new BasicHttpParams();
HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params);
paramsBean.setVersion(HttpVersion.HTTP_1_1);
paramsBean.setContentCharset("UTF_8");
final ClientConnectionManager ccm = new BasicClientConnectionManager(registry);
final DefaultHttpClient httpClient = new DefaultHttpClient(ccm, params);
return httpClient;
}
Including the SSL-debug information from java8 & java7 below.
Java 8 SSL debug trace:
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389745002 bytes = { 220, 201, 110, 4, 38, 166, 25, 166, 235, 253, 71, 242, 226, 124, 22, 149, 28, 207, 242, 25, 201, 123, 218, 56, 207, 67, 195, 17 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
JavaFX Application Thread, WRITE: TLSv1.2 Handshake, length = 207
JavaFX Application Thread, received EOFException: error
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2
JavaFX Application Thread, called closeSocket()
JavaFX Application Thread, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
18:49:14,951 ERROR [logger] [LoginController] Error logging in due to: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
com.limebrokerage.portal.communication.command.CommandChannelException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Java 7 SSL debug trace of the same bit of code:
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 91, 88, 192, 29, 58, 48, 211, 105, 40, 40, 138, 204, 154, 113, 233, 213, 120, 99, 3, 223, 26, 233, 123, 150, 251, 245, 186, 246 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 149
JavaFX Application Thread, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218 }
Session ID: {83, 214, 216, 91, 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
JavaFX Application Thread, READ: TLSv1 Handshake, length = 1522
*** Certificate chain
chain [0] = [
[
Version: V3
Not for sure an answer, but too long for a comment.
Your real problem is the server disconnect on hello and resulting SSLHandshakeException; SSLPeerUnverifiedException is collateral damage because the handshake didn't reach the authentication stage. The obvious difference is that Java 8 is sending TLSv1.2 ClientHello where Java 7 sent TLSv1.
Java 7 implemented 1.1 and 1.2, but didn't enable them on client by default; 8 does, see https://bugs.openjdk.java.net/browse/JDK-7093640 . A correctly written server stack that doesn't support 1.2 should negotiate down to 1.1 or 1(.0), but your unidentified server apparently doesn't, or possibly something in-between like a firewall is messing up your connection. If you have or get OpenSSL, commandline openssl s_client will let you easily try different versions (and ciphers and some options) to see what does and does not work. Or you could have https://www.ssllabs.com/ssltest/ do their canned but fairly thorough tests.
The bug entry says you can set sysprop jdk.tls.client.protocols and that works for me in a minimal SSLSocket (not HTTP) app on 8u05. Or since you're already doing a modified SSLSocketFactory, I expect you could do setEnabledProtocols on the sockets you create.
FWIW, when OpenSSL release 1.0.1 in March 2012 "silently" turned on protocols 1.1 and 1.2 (it was prominent in the release notes, but approximately nobody reads release notes), the support list got lots of complaints, I'd guess over a hundred total, of servers that suddenly started failing, crashing, or hanging until clients reverted to 1.0. OpenSSL ended up implementing a workaround that can artificially decrease or increase some data in the ClientHello to avoid the most "provocative" sizes; I don't know if JSSE does or can do something similar.
这篇关于Java 8 javax.net.ssl.SSLPeerUnverifiedException:peer未经过身份验证,但不是Java 7的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
