Java SSL SSLHandshakeException handshake_failure [英] Java SSL SSLHandshakeException handshake_failure

问题描述

我正在使用java 8并使用SSLSocket请求此网址：
https://www.flixbus.de/sites/default/files/6_jetzt_buchen_button_tiny.png

I am using java 8 and requesting with SSLSocket this url: https://www.flixbus.de/sites/default/files/6_jetzt_buchen_button_tiny.png

我总是遇到握手错误。
socket.setEnabledProtocols（）强制使用特定协议没有帮助。

I always get a handshake error. socket.setEnabledProtocols() to force use of a specific protocol didn't help.

顺便说一句，所有其他Web服务器都可以正常工作。所以它可能与我的代码无关。

Btw, all other web servers work fine. So it's probably not related to my code.

在没有任何ssl / tls协议限制的情况下也会发生此错误。

This error also occurs without any ssl/tls protocol restriction.

任何想法？

选项javax.net.debug = all的输出如下：

The output with option "javax.net.debug=all" is as follows:

DEBG getSecureScocket: Supported protocols:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
DEBG getSecureScocket: Enabled protocols:
- TLSv1.2
Http Client, setSoTimeout(120000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false

%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1426330417 bytes = { 229, 161, 185, 11, 136, 85, 35, 88, 166, 144, 191, 126, 10, 196, 215, 241, 43, 190, 221, 246, 240,
217, 82, 29, 180, 106, 35, 253 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_
AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH
_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_A
ES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WIT
H_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WIT
H_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_12
8_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1,
secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r
2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA25
6withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes:  len = 193
[Raw write]: length = 198
[Raw read]: length = 5
[Raw read]: length = 2
Http Client, READ: TLSv1.2 Alert, length = 2
Http Client, RECV TLSv1.2 ALERT:  fatal, handshake_failure
Http Client, called closeSocket()
Http Client, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Http Client, called close()
Http Client, called closeInternal(true)
Http Client, called close()
Http Client, called closeInternal(true)

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at java.io.OutputStream.write(Unknown Source)
        [...]

推荐答案

该网站需要 SNI（服务器名称指示），即没有SNI，握手将失败。所有现代浏览器都支持SNI，但并非编程语言中的所有SSL堆栈都支持SNI或默认使用它。请参见 http：//www.vimino .com / 2014/01 / jep-114-tls-sni-extension-sunjsse-behavior-changes / 如何在Java 8中使用SNI。

The site requires SNI (server name indication), that is without SNI the handshake will fail. All modern browsers support SNI, but not all SSL stacks in programming languages support SNI or use it by default. See http://www.vimino.com/2014/01/jep-114-tls-sni-extension-sunjsse-behavior-changes/ for how to use SNI with Java 8.

您可以使用 openssl s_client 检查此类行为：

You can check for this kind of behavior with openssl s_client:

# without SNI
$ openssl s_client -connect www.flixbus.de:443
CONNECTED(00000003)
140612985652896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
....
New, (NONE), Cipher is (NONE)

# with SNI
$ openssl s_client -connect www.flixbus.de:443  -servername 'www.flixbus.de'
CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

或者您可以使用 analyze.pl ：

$ perl analyze-ssl.pl  www.flixbus.de
-- www.flixbus.de port 443
 * maximum SSL version  : TLSv1_2 (SSLv23)
 ...
 * SNI supported        : SSL upgrade fails without SNI

这篇关于Java SSL SSLHandshakeException handshake_failure的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！