我正在构建一个应用程序,定期检查一些rss feed以获取新内容.其中一些订阅源只能通过https访问,有些则具有自签名或某种方式损坏的证书.我希望能够永远检查它们.
请注意,此应用程序中的安全性不是问题,目标是以最小的努力访问内容.
我正在使用此代码来规避大多数证书问题:
/**
* Sets timeout values and user agent header, and ignores self signed ssl
* certificates to enable maximum coverage
*
* @param con
* @return
*/
public static URLConnection configureConnection(URLConnection con)
{
con.setRequestProperty(
"User-Agent",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11");
con.setConnectTimeout(30000);
con.setReadTimeout(40000);
if (con instanceof HttpsURLConnection)
{
HttpsURLConnection conHttps = (HttpsURLConnection) con;
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager()
{
public java.security.cert.X509Certificate[] getAcceptedIssuers()
{
return null;
}
public void …我在尝试了两天的许多选项之后发布了这个问题.以下是我尝试过的选项.
我仍然得到这个问题,提前非常感谢任何帮助.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1296)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.honeywell.sensibo.api.NewMain.main(NewMain.java:73)
I am trying to build a Test Automation Tool for REST API on AWS using rest-assured framework. I just tried with a simple HTTP POST and checking the output JSON body. But when I run that in Eclipse I get SSLHandshakeException. I did try to look into the issue and found it could be something related to server certificate (Received fatal alert: handshake_failure through SSLHandshakeException) but when I test it through POSTMAN it is running fine and …
I've been stuck for a couple of days now, and I've checked several answers already ( this, this, this, this, this, this, this, this ), but I haven't been able to solve my problem. I'm new to SSL, and there does not appear to be anyone else in my organization who has done this.
Background
我们目前在零售商店有一组终端通过SSL连接到服务器.连接包括客户端身份验证.我的组织充当CA并发布了cacert.crt证书,并用它来签署服务器的证书和所有客户终端的一个证书.终端当前可以正常使用服务器,但是我无法从支持环境的人那里获得有关当前连接或配置的详细信息......似乎系统是多年前从供应商的组合中购买的,并且知识已经丢失.我目前正在尝试开发一个可以在现有终端之外与服务器通信的独立客户端.
问题
I've developed a very simple Java SSL client in order to better understand the SSL configuration …
我有一个Weblogic访问HTTPS服务器的问题,我可以访问其他HTTPS网址,如谷歌或微软.尝试连接到URL的代码是:
URL url = new URL("https://myserver.com");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("User-Agent", "Mozilla/5.0");
// fails here
responseCode = connection.getResponseCode();
我得到以下堆栈跟踪:
java.io.IOException: Connection closed, EOF detected
at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:539)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:456)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:80)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:64)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:59)
at weblogic.socket.JSSEFilterImpl.write(JSSEFilterImpl.java:390)
at weblogic.socket.JSSESocket$JSSEOutputStream.write(JSSESocket.java:78)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:186)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:400)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1005)
在Weblogic的控制台中,我将以下设置设置为true:环境>服务器> [我的服务器]> SSL>高级>使用JSSE SSL
如果我禁用该属性,我会得到以下堆栈跟踪:
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at …我有一个dropwizard应用程序,可以在标准JRE上正常运行。
我尝试使用jlink创建一个运行时,该运行时小得多:
/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/jlink --no-header-files --no-man-pages --compress=2 --strip-debug --add-modules java.base,java.compiler,java.desktop,java.instrument,java.logging,java.management,java.naming,java.scripting,java.security.jgss,java.sql,java.xml,jdk.attach,jdk.jdi,jdk.management,jdk.unsupported --output jre
如果我使用创建的jlink运行时来运行它,则会引发连接到redis的错误(它的前面有通道)。
ERROR [2019-03-31 09:12:20,080] com.company.project.core.WorkerThread: Failed to process message.
! javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
! at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
! at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
! at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
! at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
! at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
! at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
! at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
! at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
! at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
! at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(Unknown Source)
! at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source)
! at redis.clients.jedis.util.RedisOutputStream.flushBuffer(RedisOutputStream.java:52)
! at redis.clients.jedis.util.RedisOutputStream.flush(RedisOutputStream.java:133)
! at redis.clients.jedis.Connection.flush(Connection.java:300)
! …我有一些代码已经工作了很长时间,通过HTTP从webapps获取数据.它使用Apache HTTPClient(v.4.5.2),适用于有和没有SSL的站点.
最近,我试图使用if用于其他恰好使用SNI的网站.一切都在我的Windows机器上运行良好,但如果我尝试在AWS EC2 Linux实例上运行它,我会得到握手失败(因为SNI).
这是我正在运行的:
我不确定哪个组件最终导致失败(Java 8,运行时环境,HTTPClient).
我已经看过这个(https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SNIExtension),但我不知道如何为HTTPClient调整它.此外,如果我必须更改代码,为什么它可以在Windows上运行?
任何人都知道我应该做什么?
编辑:根据建议,我查看了jsse.enableSNIExtension属性.这似乎是错误的,因为它似乎是一种关闭SSL的方法,这不是我想要的.
我尝试在Windows上打开/关闭它,事情只适用于它.在Linux上,当它打开时,我继续获得握手失败.
这是输出:
Windows - System.setProperty("jsse.enableSNIExtension", "false");
=================================================================
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 189
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, internal_error
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLException: Received fatal alert: internal_error
Windows - System.setProperty("jsse.enableSNIExtension", "true");
================================================================
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 …我很挣扎,因为我的 Java MVC Web 应用程序在尝试创建具有特定 https 地址的 WebService 时开始抛出异常(https://barramento.caixa.gov.br/sibar/ManutencaoCobrancaBancaria/Boleto/Externo?xsd=xsd0)。
启用 javax.net.debug 后,我发现问题的根本原因似乎是我尝试连接的服务器应用程序的证书链的长度。
一开始,我怀疑是 TLS 版本,但是使用 nmap 我能够找到服务器正在使用的 TLS 版本以及密码,它们不是问题。服务器支持TLS1.1。我已经将我的服务器配置为使用此版本,但它根本没有帮助。
我在整个网络上搜索了一些可以提供帮助的信息,但我无法在 Google 上找到任何指向甚至接近"javax.net.ssl.SSLProtocolException: The certificate chain length" 的任何信息。
她是堆栈跟踪:
javax.net.ssl|FINE|26|http-nio-8080-exec-2|2020-11-06 17:30:36.178 BRT|Logger.java:765|READ: TLSv1.1 handshake, length = 3835
javax.net.ssl|SEVERE|26|http-nio-8080-exec-2|2020-11-06 17:30:36.188 BRT|Logger.java:765|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLProtocolException: The certificate chain length (11) exceeds the maximum allowed length (10)
at sun.security.ssl.CertificateMessage$T12CertificateMessage.<init>(CertificateMessage.java:143)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)
Caused by: javax.net.ssl.SSLProtocolException: The certificate chain length (11) exceeds …我正在尝试使用 Keycloak 保护 Java Spring Boot REST 服务。其中一部分涉及服务和 Keycloak 之间的通信以获取众所周知的 OpenID 配置。
当所有内容都未加密(通过 HTTP)时,一切正常。当我将 SSL 证书添加到混合中时(技术上是在两个服务前面的 nginx 服务器上),我收到 SSL 握手错误。
如果我直接使用浏览器访问 REST 服务或 Keycloak,则浏览器不会报告 SSL 错误。使用curl从其余服务器计算机到Keycloak计算机看起来也很好,并且我尝试让nginx强制TLS 1.2或1.3响应。
当实际的 REST 服务尝试访问 Keycloak 服务时出现的错误如下所示:
2022-03-21 19:30:59.526 WARN 27 --- [nio-8080-exec-3] o.keycloak.adapters.KeycloakDeployment : Failed to load URLs from https://.../auth/realms/MyRealm/.well-known/openid-configuration
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
...
我一直在查看很多其他答案,例如这个答案,但我似乎无法让该服务打印实际异常之外的任何调试信息。我试过了:
-Djavax.net.debug=ssl到启动服务器的命令行System.setProperty("javax.net.debug", "ssl");到main()应用程序的功能logging.level.javax=TRACE和添加logging.level.net=TRACE到 application.properties似乎没有什么能带我去任何地方。输出仍然只是服务器启动结束
2022-03-21 19:30:34.219 INFO 27 --- [nio-8080-exec-1] …我们最近更新了一个从Java 6到Java 8的项目,现在我们已经打了一个关于SSL握手的问题.
服务层使用客户端来请求和接收来自第三方应用程序的呼叫.在服务层中,使用初始化密钥库
System.setProperty("javax.net.ssl.trustStore", keyStoreFile);
System.setProperty("javax.net.ssl.trustStorePassword", keyStorePassword);
并通过applicationContext.xml注入:
<property name="keyStoreFile" value="/keystore/keystore.keystore" />
<property name="keyStorePassword" value="password" />
奇怪的是:1.显然,这不是一个完整的文件路径.2.此服务器上没有密钥库(无论Java 6如何都可以使用).
如果出现错误,客户端应该信任所有证书:
/**
* Sets a trust manager that ignores the certificate chains. Use if the
* server has a certificate that can't be verified.
*
*/
private void trustHttpsCertificates() throws Exception {
try {
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return …我正在尝试拍摄两种SSL握手机制。我得到一个错误
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
这表明我的密钥库或信任库文件之一没有适当的条目。我知道解决此问题的方法是转到服务器的信任库,执行keytool列表,检查签名授权,然后访问客户端的密钥/信任库并进行验证。
有人可以(使用适当的命令)清楚列出这些步骤吗?谷歌搜索无法带我到任何地方。我只需要列出一个步骤列表:“如何通过Cert Z使用两种方式的SSL确认客户端X可以与服务器Y对话”?