ddr*_*ian 1 encryption ssl bouncycastle java-7 aes-gcm
我正在尝试使用任何 AES GCM 变体进行 TLS 连接,根据我在文档中的理解,这应该是可能的,但我收到此错误:
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1989)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1096)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
问题是我尝试连接的服务器只接受这些密码:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
我无法在此处发布我尝试连接的服务器,但我尝试在 github 存储库上复制该问题。我找不到只接受这些密码套件的服务器,这就是为什么我的 repo 因另一个错误而失败。
git clone https://github.com/andreicristianpetcu/gcm_with_bc_onjdk17
cd gcm_with_bc_onjdk17
JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64/jre" mvn clean install
基本上这是来自 GitHub 的代码
package com.github.gcm_with_bc_onjdk17;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
public class GcmWithBouncyCasteleOnJDK17 {
public SSLConnectionSocketFactory getSslConnectionSocketFactory() throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, KeyManagementException, IOException {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
System.out.println(cipher);
SSLContext sslContext = SSLContexts.custom()
.build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build();
HttpGet out = new HttpGet("https://cloudflare.com/");
CloseableHttpResponse execute = httpClient.execute(out);
return sslConnectionSocketFactory;
}
}
谢谢
一位同事发现了这个问题:)这里是修复:
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
Security.removeProvider(BouncyCastleJsseProvider.PROVIDER_NAME);
Security.insertProviderAt(new BouncyCastleProvider(), 0);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
JDK7 似乎支持 TLS 1.2 但不支持 AES GCM 密码。由于加密提供程序是一个列表,JDK 提供程序以某种方式被选中,因为它支持 TLS 1.2,即使它不支持所需的密码。将 Bouncy Castle 在列表中稍微高一点就解决了这个问题。
我不知道为什么我的问题被否决了:(我不知道我违反了什么规则所以它被否决了,我什至提供了源代码。
无论如何......非常高兴我找到了修复,即使它在 Stack Overflow 之外。留给子孙后代吧。
| 归档时间: |
|
| 查看次数: |
2242 次 |
| 最近记录: |