Thread-6，RECV TLSv1 ALERT：fatal，handshake_failure [英] Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure

问题描述

这个代码有什么问题，它应该信任所有的主机，但它不..

what is wrong with this code, it is supposed to trust all hosts, but it doesn't..

它可以很好地与例如google.com，但不是在我的机器上本地运行API网关服务，为什么？

It works fine with for example google.com but not with an API Gateway service running locally on my machine, why?

SSL DEBUG OUTPUT

SecureRandom的触发播种播种完成忽略的SecureRandom
不支持的加密算法套件：TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ...
忽略不支持的加密算法套件：TLS_RSA_WITH_AES_128_CBC_SHA256
允许不安全的重新协商：假的允许旧的Hello报文：真的是
初始握手：真的是安全的重新谈判：假线程6，
setSoTimeout（0）呼吁%%无缓存的客户端会话
***的ClientHello，使用TLSv1 RandomCookie ：格林尼治标准时间：1434280256字节= {216 ... 40}会话ID：{}密码套件：
[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA，...
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA，SSL_RSA_WITH_RC4_128_MD5，
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]压缩方法：{ 0}
分机elliptic_curves，曲线名称：{secp256r1 .. secp256k1}
分机ec_point_formats，格式：未压缩的]

trigger seeding of SecureRandom done seeding SecureRandom Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ... Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false Thread-6, setSoTimeout(0) called %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1434280256 bytes = { 216 ... 40 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, .... SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1 .. secp256k1} Extension ec_point_formats, formats: [uncompressed]

主题-6，WRITE ：使用TLSv1握手，长度= 163线程6，请阅读：使用TLSv1
警报，长度= 2线程6，RECV的TLSv1警告：致命，
handshake_failure线程6，所谓的则closesocket（）螺纹6，处理
例外：javax.net.ssl.SSLHandshakeException：**

Thread-6, WRITE: TLSv1 Handshake, length = 163 Thread-6, READ: TLSv1 Alert, length = 2 Thread-6, RECV TLSv1 ALERT: fatal, handshake_failure Thread-6, called closeSocket() Thread-6, handling exception: javax.net.ssl.SSLHandshakeException: **

收到致命警报：handshake_failure

Received fatal alert: handshake_failure

**

import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class ConnectHttps {
  public static void main(String[] args) throws Exception {
    /*
     *  fix for
     *    Exception in thread "main" javax.net.ssl.SSLHandshakeException:
     *       sun.security.validator.ValidatorException:
     *           PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
     *               unable to find valid certification path to requested target
     */
    TrustManager[] trustAllCerts = [
        [ getAcceptedIssuers: { -> null },
          checkClientTrusted: { X509Certificate[] certs, String authType -> },
          checkServerTrusted: { X509Certificate[] certs, String authType -> } ] as X509TrustManager
    ]

    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
          return true;
        }
    };
    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    /*
     * end of the fix
     */

    //URL url = new URL("https://google.com"); //WORKS
    URL url = new URL("https://localhost:8090");   // DOES NOT WORK, WHY?
    URLConnection con = url.openConnection();
    Reader reader = new InputStreamReader(con.getInputStream());
    while (true) {
      int ch = reader.read();
      if (ch==-1) {
        break;
      }
      System.out.print((char)ch);
    }
  }
}

运行在这里找到的代码它显示TLSv1.2没有在客户端上启用侧：

Running the code found here it shows that TLSv1.2 is not enabled on the client side:

支持的协议：5

SSLv2Hello

SSLv3

TLSv1

TLSv1.1

TLSv1.2

Supported Protocols: 5
SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2

启用协议：2

SSLv3 < br>
TLSv1

Enabled Protocols: 2
SSLv3
TLSv1

推荐答案

.. it is supposed to trust all hosts, but it doesn't..

.. RECV TLSv1 ALERT：fatal，handshake_failure Thread-6

.. RECV TLSv1 ALERT: fatal, handshake_failure Thread-6

服务器的握手失败警报与客户端上服务器证书的验证无关，因此无法通过禁用证书验证来停止。许多事情可能导致这样的故障，如没有通用密码，不支持的协议版本，缺少SNI扩展（仅支持从JDK7开始）。由于错误是由服务器发出的，您可能会在服务器日志消息中找到有关该问题的更多详细信息。

A handshake failure alert from the server is unrelated to the validation of the servers certificate on the client and can thus not stopped by disabling certificate validation. Lots of things can cause such a failure, like no common ciphers, unsupported protocol version, missing SNI extension (only supported starting with JDK7). Since the error is issued by the server you might find more details about the problem in the servers log messages.

编辑：从服务器日志中可以看到问题的原因

from the server logs the cause of the problem is visible:

错误处理连接：SSL协议错误错误：1408A0C1：SSL例程：SSL3_GET_CLIENT_HELLO：没有共享密码

error handling connection: SSL protocol error error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

这意味着客户端和服务器之间没有通用的密码。

This means that there is no common cipher between client and server.

一个典型的原因是在服务器上错误地设置证书。如果未配置任何证书，则服务器可能需要使用ADH密码进行匿名身份验证，这通常不会在客户端上启用。我建议您检查是否可以使用浏览器连接。

A typical cause for this is a wrong setup of the certificates at the server. If you don't configure any certificates the server might require anonymous authentication with ADH ciphers, which are usually not enabled on the client side. I suggest that you check if you could connect with a browser.

另一个常见的配置错误是在服务器上禁用所有SSLv3密码，相信这是必要的禁用SSL3 .0协议（它不是）。这有效地禁用除了用TLS 1.2引入的一些新密码之外的所有密码。现代浏览器仍然能够连接，但是老客户端不能。在这种情况下可以看到这种错误配置（来自注释）：

Another common misconfiguration is disabling all SSLv3 ciphers at the server in the believe that this is necessary to disable the SSL3.0 protocol (it is not). This effectively disables all ciphers except some new ciphers introduced with TLS 1.2. Modern browsers will be still able to connect but older clients not. This misconfiguration can be seen in this case (from the comment):

从服务器日志接口密码：FIPS：！SSLv3：！ aNULL ,,

From server log,, interface ciphers: FIPS:!SSLv3:!aNULL,,

！SSLv3 禁用版本SSL3.0可用的所有密码和更高版本。这实际上仅留下TLS1.2密码，因为没有使用TLS1.0和TLS1.1的新密码。由于客户端似乎只支持TLS1.0，因此不会有共享密码：

!SSLv3 disables all ciphers available for version SSL3.0 and higher. This in effect leaves only the TLS1.2 ciphers because there are no new ciphers with TLS1.0 and TLS1.1. Since the client seems to be only support TLS1.0 there will be no shared ciphers:

... WRITE：TLSv1握手

...WRITE: TLSv1 Handshake

在密码中使用！SSLv3 通常是由于缺乏对协议版本和密码的区别。要禁用SSLv3，您只应相应设置协议，而不要设置密码。

Use of !SSLv3 in the ciphers is usually caused by a lack of understanding of the difference between protocol version and ciphers. To disable SSLv3 you should only set the protocol accordingly but not the ciphers.

这篇关于Thread-6，RECV TLSv1 ALERT：fatal，handshake_failure的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！