SSLHandshakeException: Remote host closed connection during handshake


Question

The forums are full of this question but I can't find a solution. I try to connect to a WS but without any success. I tried to update the cacerts file with no effect.

The log is:

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1507108654 bytes = { 133, 135, 81, 148, 186, 186, 146, 23, 28, 240, 158, 152, 139, 167, 209, 225, 54, 253, 112, 118, 61, 112, 140, 214, 149, 198, 197, 219 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 75
0000: 01 00 00 47 03 01 5A D5   A7 2E 85 87 51 94 BA BA  ...G..Z.....Q...
0010: 92 17 1C F0 9E 98 8B A7   D1 E1 36 FD 70 76 3D 70  ..........6.pv=p
0020: 8C D6 95 C6 C5 DB 00 00   20 00 04 00 05 00 2F 00  ........ ...../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 00   FF 01 00                 ...........
http-8080-1, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
0000: 16 03 01 00 4B 01 00 00   47 03 01 5A D5 A7 2E 85  ....K...G..Z....
0010: 87 51 94 BA BA 92 17 1C   F0 9E 98 8B A7 D1 E1 36  .Q.............6
0020: FD 70 76 3D 70 8C D6 95   C6 C5 DB 00 00 20 00 04  .pv=p........ ..
0030: 00 05 00 2F 00 33 00 32   00 0A 00 16 00 13 00 09  .../.3.2........
0040: 00 15 00 12 00 03 00 08   00 14 00 11 00 FF 01 00  ................
http-8080-1, received EOFException: error
http-8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8080-1, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8080-1, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               ......(
http-8080-1, called closeSocket()
http-8080-1, called close()
http-8080-1, called closeInternal(true)

Thanks for your help

Recommended answer

Most probably the server has disabled TLS 1.0 (and you're talking TLS 1.0 as seen in the sequence bytes 47 03 01 5A), or it is waiting for the SNI extension which is absent.

About Java 6, only 6u111 will allow anything better (TLS 1.1) than TLS 1.0, and 6u121 will allow TLS 1.2. Have a look at the Reference. Because of the TLS version intolerance problem, it's still insufficient, and only a system property will enable it for good, as explained in the Release Notes:

TLS v1.2 is now a TLS protocol option with this release. By default, TLSv1.0 will remain the default enabled protocol on client sockets.

For this reason, a couple of system properties to try:

  • -Djdk.tls.client.protocols="TLSv1.2" (prerequisite: 6u121 / 7u95)
  • -Dhttps.protocols="TLSv1.2" if your code is using HttpsURLConnection

Your ClientHello is correctly formatted but it doesn't contain any extension (particularly the SNI). This is why it looks so short (bytes = 80). The SNI is enabled by default starting with 6u121 (if I'm right). Both causes that I see should be solved with the adequate Java version.
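
The two observations in the answer (TLS 1.0 offered, no extensions and therefore no SNI) can be checked directly against the 80-byte "[Raw write]" dump in the question's log. The parser below is an added example, not code from the original post or answer; the names parse_client_hello, VERSIONS and SNI_EXTENSION are chosen here for illustration.

```python
import struct

# Bytes copied from the "[Raw write]: length = 80" dump in the question's log.
RAW_WRITE = bytes.fromhex(
    "16 03 01 00 4B 01 00 00 47 03 01 5A D5 A7 2E 85 "
    "87 51 94 BA BA 92 17 1C F0 9E 98 8B A7 D1 E1 36 "
    "FD 70 76 3D 70 8C D6 95 C6 C5 DB 00 00 20 00 04 "
    "00 05 00 2F 00 33 00 32 00 0A 00 16 00 13 00 09 "
    "00 15 00 12 00 03 00 08 00 14 00 11 00 FF 01 00"
)
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
SNI_EXTENSION = 0x0000  # server_name extension type (RFC 6066)


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a single, complete ClientHello."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != 0x01 or hs_len != rec_len - 4:
        raise ValueError("not a single complete ClientHello")
    body = record[9:9 + hs_len]
    (client_ver,) = struct.unpack_from("!H", body, 0)
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    extensions = []
    if pos < len(body):                            # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": VERSIONS.get(client_ver, hex(client_ver)),
        "cipher_suites": suites,
        "extensions": extensions,
        "has_sni": SNI_EXTENSION in extensions,
    }


if __name__ == "__main__":
    print(parse_client_hello(RAW_WRITE))
```

On the logged record the handshake body ends right after the compression methods, so the extension list is empty and has_sni is False; a capture taken after switching to TLS 1.2 on a suitable Java version can be fed through the same function to confirm the change.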
