SSLv2Hello - javax.net.ssl.SSLException:收到致命警报:unexpected_message [英] SSLv2Hello - javax.net.ssl.SSLException: Received fatal alert: unexpected_message
问题描述
我正在尝试使用基于Java 6(更新31)的客户端调用在JDK7 / WildFly 8.2上运行的受SSL保护的Web服务。
I am trying to call an SSL protected web service running on JDK7 / WildFly 8.2 with a Java 6 (update 31) based client.
我遇到的第一个问题客户端是:
The first problem I encountered on the client was:
javax.net.ssl.SSLException:收到致命警报:unexpected_message
javax.net.ssl.SSLException: Received fatal alert: unexpected_message
通过将 javax.net.debug
设置为所有
另外,我在服务器端得到以下提示:
By setting javax.net.debug
to all
on both sides, I got the following hint on the server side:
javax.net.ssl.SSLHandshakeException:SSLv2Hello被禁用
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
快速研究显示,
客户端默认禁用SSLv2Hello:在Java SE 7中,SSLv2Hello将从客户端上的默认启用协议列表中删除。
SSLv2Hello disabled by default on the client: In Java SE 7, SSLv2Hello is removed from the default enabled protocol list on the client.
所以我尝试启用 SSLv2Hello
在WildFly上在 standalone.xml
:
So I have tried to enable SSLv2Hello
on WildFly in standalone.xml
:
<https-listener name="https"
socket-binding="https"
security-realm="UndertowRealm"
enabled-protocols="SSLv2, SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2"
/>
服务器上的结果是:
javax.net.ssl.SSLHandshakeException:没有合适的协议(协议被禁用或密码套件不合适)
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
所以我意识到,我应该尝试在客户端上强制使用TLS,而不是在服务器上启用 SSLv2Hello 。我试图在我的网络服务调用之前设置 System.setProperty(https.protocols,TLSv1);
,但没有效果。
So I realize, I should be trying to force TLS on the client instead of enabling SSLv2Hello on the server. I have tried to set System.setProperty("https.protocols", "TLSv1");
before my web service call with no effect.
我应该配置什么以及如何使握手工作?
What should I configure and how, to get the handshake working?
我从默认 SSLSocketFactory的
在服务器上:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
推荐答案
您无需在服务器上启用SSLv2。您需要在客户端 禁用 SSLv2Hello 伪协议,方法是删除 SSLv2Hello
从已启用的TLS协议并离开其他:
You don't need to enable SSLv2 at the server. You need to disable the SSLv2Hello pseudo-protocol at the client, by removing SSLv2Hello
from the enabled TLS protocols and leaving the others:
System.setProperty("https.protocols", "TLSv1,TLSV1.1,TLSV1.2");
并且可能 SSLv3
如果这让它开心:它不会持续太久,所以尽量不要这样做。
and maybe SSLv3
if that makes it happy: it won't for much longer, so try not to have to do that.
请注意,它是伪协议。它不是SSLv2,它是允许某些可以说是破坏的服务器接受hello的兼容性措施。然而,该会话在SSLv3或更高版本上运行。它也已经过时了。
Note that it is a pseudo-protocol. It is not SSLv2, it is a compatibility measure to allow certain arguably broken servers to accept the hello. The session however operates at SSLv3 or above. It is also obsolete.
这篇关于SSLv2Hello - javax.net.ssl.SSLException:收到致命警报:unexpected_message的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!