Java "no cipher suites in common" issue when trying to securely connect to server

Problem description

I have an issue when a client (not mine) connects to my server securely.

It seems that the connection is being refused on the basis of mismatching ciphers, but I have verified that the server indeed shares some of the ciphers with the client.

Could it be an issue with the unknown cipher (Unknown 0x0:0x60)? If so, what must I do to fix it?

Java SSL logs are shown below:

Listener-https, setSoTimeout(30000) called
Worker-30, READ: SSLv3 Handshake, length = 63
*** ClientHello, SSLv3
RandomCookie:  GMT: 1267050437 bytes = { 23, 244, 228, 68, 161, 225, 218, 222, 207, 128, 228, 138, 127, 141, 159, 63, 232, 48, 242, 240, 26, 76, 58, 158, 179, 0, 192, 140 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, Unknown 0x0:0x60, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods:  { 0 }
***
Worker-30, SEND SSLv3 ALERT:  fatal, description = handshake_failure
Worker-30, WRITE: SSLv3 Alert, length = 2
Worker-30, called closeSocket()
Worker-30, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Worker-30, called close()
Worker-30, called closeInternal(true)
Worker-30, called close()
Worker-30, called closeInternal(true)

Thanks, -Ben

Recommended answer

Adding to erickson's answer, if your certificate does not use an RSA key-pair, and instead turns out to use a DSA key-pair, then no amount of RSA cipher suite "stuffing" will aid in resolving this issue. You'll need to enable the DSA-related cipher suites (they're usually indicated by the DSS keyword in them), and also have the client utilize the same cipher suites.

The reason this edge case might turn out to be your problem is due to the default behavior of the keytool utility when generating secret keypairs - DSA and not RSA is the default algorithm.
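The check this answer describes can be run against the server keystore. The following is an added example, not code from the original question or answer: the class name `CipherSuiteKeyCheck` is hypothetical, the keystore path and password are passed as arguments, and the key type is inferred from the suite name, which is a simplification. The suite list is copied from the ClientHello in the log above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class CipherSuiteKeyCheck {
    // Suites from the ClientHello in the log above ("Unknown 0x0:0x60" has no name and is left out).
    static final List<String> CLIENT_SUITES = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_IDEA_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5");

    // Server key type a suite needs, read from the key-exchange part of its name (assumption: name-based).
    static String requiredKeyType(String suite) {
        int with = suite.indexOf("_WITH_");
        if (with < 0) return "ANY";                        // TLS 1.3 names carry no key type
        String kx = suite.substring(suite.indexOf('_') + 1, with);
        if (kx.contains("anon")) return "NONE";            // anonymous suites need no certificate
        if (kx.contains("ECDSA") || kx.startsWith("ECDH_")) return "EC";
        if (kx.contains("DSS")) return "DSA";
        return kx.contains("RSA") ? "RSA" : "UNKNOWN";
    }

    // Client suites the server can negotiate when its only key uses the given algorithm.
    static List<String> usableSuites(String keyAlgorithm) {
        List<String> usable = new ArrayList<String>();
        for (String suite : CLIENT_SUITES) {
            String needed = requiredKeyType(suite);
            boolean keyless = needed.equals("NONE") || needed.equals("ANY");
            if (keyless || needed.equals(keyAlgorithm)) usable.add(suite);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {   // no keystore given: compare the DSA and RSA cases directly
            System.out.println("DSA key -> usable client suites: " + usableSuites("DSA"));
            System.out.println("RSA key -> usable client suites: " + usableSuites("RSA"));
            return;
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias) || ks.getCertificate(alias) == null) continue;
            String alg = ks.getCertificate(alias).getPublicKey().getAlgorithm();
            System.out.println(alias + ": " + alg + " key -> usable client suites: " + usableSuites(alg));
        }
    }
}
```

With a DSA key the usable list is empty for this client, which is the condition the server reports as "no cipher suites in common"; with an RSA key all nine named suites remain candidates.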
