那些遇到过的问题

所有信任的HostnameVerifier都会导致HttpURLConnection出现SSL错误

Jon*_*han 5 java ssl https httpurlconnection

我正在使用HttpURLConnection连接到SSL站点.有时这些使用自签名证书/其他表现不佳的SSL,所以我有一个访问这些证书的模式.我正在使用在线推荐的许多地方的典型代码:

        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[]{
            new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
            }
        };

        // Install the all-trusting trust manager
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());


        // Don't verify host names
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                return true;
            }
        };
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
Run Code Online (Sandbox Code Playgroud)

问题是这会导致许多站点出现SSL错误,例如:

https://cong-shalom.org/ 原因:

javax.net.ssl.SSLException: Received fatal alert: internal_error
Run Code Online (Sandbox Code Playgroud)

当javax.net.debug = all enabled时输出:

    [java] Thread-8, READ: TLSv1.2 Alert, length = 2
    [java] Thread-8, RECV TLSv1.2 ALERT:  fatal, internal_error
    [java] Thread-8, called closeSocket()
Run Code Online (Sandbox Code Playgroud)

https://www.territrespicio.com 原因:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Run Code Online (Sandbox Code Playgroud)

当javax.net.debug = all enabled时输出:

         [java] Thread-13, READ: TLSv1.2 Alert, length = 2
         [java] Thread-13, RECV TLSv1.2 ALERT:  fatal, handshake_failure
         [java] Thread-13, called closeSocket()
Run Code Online (Sandbox Code Playgroud)

这些问题都不与TrustManager相关,注释掉HostnameVerifier部分始终允许连接正常工作.

笔记:

  • Java版本:1.8.0_111
  • 不幸的是我无法切换到apache httpclient(围绕HttpURLConnection建立了很多代码)

ped*_*ofb 6

您的问题是由于JDK中的错误自定义HostnameVerifier禁用SNI扩展.你也可以在这个线程中看到扩展server_name(SNI扩展)没有用jdk1.8.0发送但是用jdk1.7.0发送

从jdk 8u66开始,使用自定义HostnameVerifier不会Extended server_name在握手期间发送扩展名.此错误将在版本8u152中修复.

这是https://www.territrespicio.com与您的代码一起调用的握手的痕迹

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1467981635 bytes = { 253, 197, 8, 192, 170, 180, 230, 6, 212, 233, 219, 201, 182, 39, 204, 176, 49, 215, 43, 41, 112, 204, 188, 29, 115, 235, 191, 74 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 233
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Run Code Online (Sandbox Code Playgroud)

这是跟踪(工作)删除

HttpsURLConnection.setDefaultHostnameVerifier(hv);
Run Code Online (Sandbox Code Playgroud) 
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1467981305 bytes = { 187, 36, 131, 239, 148, 148, 198, 107, 89, 74, 67, 33, 127, 76, 24, 17, 108, 254, 79, 104, 242, 239, 51, 36, 180, 244, 181, 45 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.territrespicio.com]
***
main, WRITE: TLSv1.2 Handshake, length = 264
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -2137263708 bytes = { 105, 47, 249, 171, 64, 55, 195, 235, 198, 159, 46, 193, 42, 65, 156, 243, 134, 177, 35, 221, 75, 16, 222, 103, 42, 55, 103, 231 }
Session ID:  {42, 151, 108, 66, 43, 195, 53, 201, 234, 24, 245, 14, 183, 242, 185, 128, 66, 115, 60, 35, 167, 159, 178, 238, 93, 155, 20, 195, 95, 155, 11, 79}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
Run Code Online (Sandbox Code Playgroud)

您可以看到在ClientHello中添加了所需的扩展名

Extension server_name, server_name: [type=host_name (0), value=www.territrespicio.com]
Run Code Online (Sandbox Code Playgroud)

没有记录的解决方法.因此,请考虑使用JDK版本<8u66或> = 8u152

更新 - 解决方法

使用Java8查看SNI客户端谜中@Dawuid的答案

如果您使用自定义SSLSocketFactory而不覆盖createSocket()(没有参数的方法),则使用完全参数化的createSocket,并且所有都按预期工作(使用客户端sni扩展).

您可以在此处找到类似的解决方法.我尝试过只是一个包装器,它的工作原理.

HttpsURLConnection.setDefaultSSLSocketFactory(
   new SSLSocketFactoryWrapper(sc.getSocketFactory()));
Run Code Online (Sandbox Code Playgroud)

SSLSocketFactoryWrapper(完整代码)

package test;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

import javax.net.ssl.SSLSocketFactory;

public class SSLSocketFactoryWrapper extends SSLSocketFactory {

    private SSLSocketFactory factory;

    public   SSLSocketFactoryWrapper(SSLSocketFactory factory){
        this.factory = factory;
    }

    /* 
    @Override
    public Socket createSocket() throws IOException {
        return  factory.createSocket();
    }
    */

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {         
        return factory.createSocket(s, host, port, autoClose);
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return factory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return factory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return factory.createSocket(host, port);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return factory.createSocket(host, port);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException, UnknownHostException {
        return factory.createSocket(host, port, localHost, localPort);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return factory.createSocket(address, port, localAddress, localPort);
    }

}
Run Code Online (Sandbox Code Playgroud)

归档时间:

查看次数:

2595 次

最近记录:

8 年,7 月 前
扩展server_name(SNI扩展)不与jdk1.8.0一起发送,而是与jdk1.7.0一起发送 19
使用Java8的SNI客户端之谜 11
更多相关链接
相关归档
IntelliJ检查给出"无法解析符号"但仍编译代码 521
将文件加载为InputStream的不同方法 210
SSL握手期间与远程服务器出错 101
Java的System.exit()如何与try/catch/finally块一起使用? 74
Java获得可用内存 65
JavaMail mail.smtp.ssl.enable is not working 11
Nginx ssl_verify_client和proxy_pass 7
SSLHandshakeException:SSL 握手中止:ssl=0xbe6af938:系统调用期间发生 I/O 错误,连接由对等方重置 7
TLS是否确保RESTful Java企业中的数据传输的消息完整性和机密性 6
在iOS 5.0/5.0.1上,使用SSL的ASIHTTPRequest失败 4
难疑归档
如何检查jQuery中是否选中了复选框? 4390
忽略已提交到Git存储库的文件 2429
如何使用CSS为文本或图像提供透明背景? 2211
PHP'foreach'如何实际工作? 1926
如何在Linux中一步更改文件夹及其所有子文件夹和文件的权限? 1711
在PostgreSQL中显示表格 1703
重命名pandas中的列 1601
循环遍历Bash中的文件内容 1242
将先前的提交分解为多个提交 1113
什么是"Linting"? 1044