“收到的致命警报:handshake_failure"在链接的JRE中 [英] "Received fatal alert: handshake_failure" in jlinked JRE

问题描述

我的Java程序通过java.net.http.HttpClient(Java 11)发送请求.

My Java program sends requests by java.net.http.HttpClient (Java 11).

当我在OpenJDK 11的JRE上的Eclipse中运行它时，它就可以工作.

It works when I am running it in Eclipse on OpenJDK 11's JRE.

在自定义链接JRE上，出现错误:

On custom jlinked JRE, I get an error:

java.io.IOException: Received fatal alert: handshake_failure

我想问题在于我的自定义JRE.

I suppose the problem is with my custom JRE.

推荐答案

TL;没有jdk.crypto.ec的DR jlink无法与具有椭圆曲线证书的服务器通信.尝试与运行此服务器的服务器通信时，出现handshake_failure错误.

TL;DR jlink without jdk.crypto.ec cannot talk to a server that has an elliptic curve certificate. You get a handshake_failure error when trying to talk to a server running with this.

在构建可部署的jre时，如果不包括jdk.crypto.ec模块，则它将无法与仅具有椭圆曲线证书的服务器通信.我用以下方法模拟了一个:

When you build a deployable jre, if you do not include the jdk.crypto.ec module, then it will be unable to talk to servers that only have an elliptic curve certificate. I mocked up one using:

out_dom=localhost
subj="/C=IE/CN=localhost"
openssl ecparam -name secp384r1 -genkey \
    -out $out_dom.key
openssl req -new \
    -subj "$subj" \
    -key $out_dom.key \
    -out $out_dom.csr
openssl req -x509 -nodes \
    -days 365 \
    -key $out_dom.key \
    -in $out_dom.csr \
    -out $out_dom.crt

当我使用标准JRE与该服务器通信时，出现关于PKIX path building failed的错误-即cert不在cacerts文件中.

When I talk to this server with the standard JRE, I get the error about PKIX path building failed - i.e. the cert isn't in the cacerts file.

当我使用以下方法创建jlink jre时:

When I created a jlink jre using:

jlink --module-path . --add-modules java.base --output jlinked

并使用测试的TLS应用运行:jlinked/bin/java，我得到了错误:Received fatal alert: handshake_failure，这与OP的问题相同.

and ran: jlinked/bin/java with a test TLS app, I got the error: Received fatal alert: handshake_failure, which is the same as the OP's problem.

添加时:

jlink --module-path . \
    --add-modules java.base \
    --add-modules jdk.crypto.ec \
    --output jlinked

然后重新运行，我遇到了PKIX path building failed错误，表明它工作正常.

and re-ran, I experienced the PKIX path building failed error, which indicates that it's working properly.

这篇关于“收到的致命警报:handshake_failure"在链接的JRE中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！