将应用程序从Java 7切换到Java 8时出现问题.更改JDK后,我开始收到此SSLPeerUnverified异常.改回Java7,也不例外.
我发现了这个问题:Java 7的SSL连接失败,这意味着这可能与服务器端问题有关.我们的服务器确实在Ubuntu机器上运行,但它也在运行Java8(sun Java8)
不确定发布还有什么其他内容.如果需要/有用,我可以提供代码示例.我现在没有把它们包括在内,因为好像代码不是问题.
编辑 - 链接到我的SSLSocketFactory扩展:http://pastebin.com/2j6HDHE7
Edit2 - Http客户端代码:
private HttpClient getHttpClient() throws GeneralSecurityException, IOException {
final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(CommandChannel.class.getResourceAsStream("myKeystore"), "myPassword".toCharArray());
final SSLSocketFactory sslSocketFactory = new TrustingSSLSocketFactory(trustStore);
final SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
registry.register(new Scheme("https", 443, sslSocketFactory));
final HttpParams params = new BasicHttpParams();
HttpProtocolParamBean paramsBean = new HttpProtocolParamBean(params);
paramsBean.setVersion(HttpVersion.HTTP_1_1);
paramsBean.setContentCharset("UTF_8");
final ClientConnectionManager ccm = new BasicClientConnectionManager(registry);
final DefaultHttpClient httpClient = new DefaultHttpClient(ccm, params);
return httpClient;
}
包括来自java8和java7的SSL调试信息.
Java 8 SSL调试跟踪:
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389745002 bytes = { 220, 201, 110, 4, 38, 166, 25, 166, 235, 253, 71, 242, 226, 124, 22, 149, 28, 207, 242, 25, 201, 123, 218, 56, 207, 67, 195, 17 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
JavaFX Application Thread, WRITE: TLSv1.2 Handshake, length = 207
JavaFX Application Thread, received EOFException: error
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2
JavaFX Application Thread, called closeSocket()
JavaFX Application Thread, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
JavaFX Application Thread, called close()
JavaFX Application Thread, called closeInternal(true)
18:49:14,951 ERROR [logger] [LoginController] Error logging in due to: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
com.limebrokerage.portal.communication.command.CommandChannelException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Java 7 SSL调试跟踪相同位代码:
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 91, 88, 192, 29, 58, 48, 211, 105, 40, 40, 138, 204, 154, 113, 233, 213, 120, 99, 3, 223, 26, 233, 123, 150, 251, 245, 186, 246 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 149
JavaFX Application Thread, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1389746267 bytes = { 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218 }
Session ID: {83, 214, 216, 91, 179, 44, 184, 192, 189, 56, 33, 48, 248, 204, 248, 129, 1, 214, 77, 185, 206, 200, 3, 148, 58, 49, 98, 42, 213, 229, 106, 218}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
JavaFX Application Thread, READ: TLSv1 Handshake, length = 1522
*** Certificate chain
chain [0] = [
[
Version: V3
不确定答案,但评论太久了.
你真正的问题是hello上的服务器断开连接SSLHandshakeException; SSLPeerUnverifiedException是附带损害,因为握手没有达到认证阶段.明显的区别是Java 8正在发送TLSv1.2 ClientHello,其中Java 7发送了TLSv1.
Java 7实现了1.1和1.2,但默认情况下没有在客户端上启用它们; 8确实如此,请参阅https://bugs.openjdk.java.net/browse/JDK-7093640.正确编写的不支持1.2的服务器堆栈应该协商下降到1.1或1(.0),但是您的未识别服务器显然没有,或者可能是防火墙之间的某些东西搞乱了您的连接.如果您拥有或获得OpenSSL,命令openssl s_client行将让您轻松尝试不同的版本(以及密码和一些选项),以查看哪些功能有效,哪些功能无效.或者您可以通过https://www.ssllabs.com/ssltest/进行罐装但相当彻底的测试.
错误条目说你可以设置sysprop jdk.tls.client.protocols,这对我来说在8u05 的最小SSLSocket(非HTTP)应用程序中.或者既然你已经做了修改SSLSocketFactory,我希望你可以setEnabledProtocols在你创建的套接字上做.
FWIW,当2012年3月OpenSSL 1.0.1版"默默地"启用协议1.1和1.2时(它在发行说明中很突出,但大约没有人读取发行说明),支持列表得到了很多抱怨,我猜一百个服务器突然开始出现故障,崩溃或挂起,直到客户端恢复到1.0.OpenSSL最终实现了一种解决方法,可以人为地减少或增加ClientHello中的一些数据,以避免最"挑衅"的大小; 我不知道JSSE是否可以做类似的事情.