SSL Handshake Failed - Java 1.8


Problem description

Just letting folks know about an issue I had that many seemed to have had after upgrading to Java 1.8. Not all of the solutions are the same hence posting how I resolved this.

But first... This is not a solution worthy of production systems since security is being effectively downgraded. However, if you are blocked testing etc. it is probably quite suitable.

My issue was that no matter what I did... enabled SSLv3 etc. I always received

"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".

Here are the steps I took to 'solve' this.

First, I discovered which cipher the server was using. I did this via openssl.

openssl s_client -host yourproblemhost.com -port 443

This yields (at the end...)

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-MD5

Now.. what do we use 'Java-wise' to enable that cipher?

Oracle link

In that link, it has the names and their Java counterpart. So for RC4-MD5, we have SSL_RSA_WITH_RC4_128_MD5.

ok good. Now I added a System property.

-Dhttps.cipherSuites=SSL_RSA_WITH_RC4_128_MD5

And in my code...

Security.setProperty("jdk.tls.disabledAlgorithms", "" /*disabledAlgorithms */ );

Again.. this is an absolute last resort 'fix'... But if you're hitting your head against a wall to get it running (for testing), I hope it comes in useful.

Recommended answer

With the JDK 1.8.0_51 release, RC4 is no longer supported from Java as client (also as server) to negotiate the SSL handshake. RC4 is considered a weak (and compromised) cipher and that is the reason for removal.

http://bugs.java.com/view_bug.do?bug_id=8076221

You can still, however, enable it by removing RC4 from jdk.tls.disabledAlgorithms in your Java security config or by programmatically enabling the suites using the setEnabledCipherSuites() method.

However, a better solution would be to update the server configuration (if it is under your control) to upgrade to stronger ciphers.


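RC4 is now considered a compromised cipher. RC4 cipher suites have been removed from both the client and server default enabled cipher suite lists in the Oracle JSSE implementation. These cipher suites can still be enabled by the SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.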

As to your approach of setting it by using Security.setProperty(), it is not a reliable way because the fields which hold disabled algorithms are static and final, so if that class gets loaded first you don't have control over it. You could alternatively try creating a properties file like this

## override it to remove RC4, in disabledcipher.properties
jdk.tls.disabledAlgorithms=DHE

and in your JVM, you could refer to it as a system property like this

java -Djava.security.properties=disabledcipher.properties blah...
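
An added diagnostic (not code from the question or the answer) that prints what the running JVM actually has in effect: whether a suite is supported, whether it is enabled by default, and the effective jdk.tls.disabledAlgorithms value after any -Djava.security.properties override. The class name CipherSuiteCheck and the substring match against the disabled entries are assumptions of this example; JSSE's own matching is more detailed.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example: reports why a cipher suite is or is not offered by this JVM.
public class CipherSuiteCheck {
    public static void main(String[] args) throws Exception {
        // Suite name taken from the question; pass another name as the first argument.
        String suite = args.length > 0 ? args[0] : "SSL_RSA_WITH_RC4_128_MD5";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Effective value after java.security and any -Djava.security.properties file.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");

        System.out.println("java.version          : " + System.getProperty("java.version"));
        System.out.println("suite                 : " + suite);
        System.out.println("supported by provider : " + supported.contains(suite));
        System.out.println("enabled by default    : " + enabled.contains(suite));
        System.out.println("https.cipherSuites    : " + System.getProperty("https.cipherSuites"));
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        if (disabled == null) {
            return;
        }
        // Rough heuristic (assumption of this example): flag entries whose first
        // token appears as an underscore-delimited part of the suite name.
        String padded = "_" + suite.toUpperCase(Locale.ROOT) + "_";
        for (String entry : disabled.split(",")) {
            String token = entry.trim().split("\\s+")[0];
            if (!token.isEmpty()
                    && padded.contains("_" + token.toUpperCase(Locale.ROOT) + "_")) {
                System.out.println("possible blocking entry: " + entry.trim());
            }
        }
    }
}
```

Run it with the same -D options as the failing application so that it reports the same configuration.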
