TLSv1.3 - java.io.EOFException: SSL peer shut down incorrectly



I am trying to connect to an external site and get the following response:

at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
... 56 more
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

My code:

// Imports used by the two fragments below
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

CloseableHttpClient httpClient2 = null;
try {
    httpClient2 = (CloseableHttpClient) getTLS();
} catch (KeyManagementException | UnrecoverableKeyException
        | NoSuchAlgorithmException | KeyStoreException e1) {
    // Any failure while building the SSL context is only logged here;
    // httpClient2 stays null in that case.
    e1.printStackTrace();
}


public HttpClient getTLS() throws KeyManagementException,
        UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
    // "TLS" is a valid SSLContext algorithm name; the context will support
    // whatever protocol versions this JVM implements.
    SSLContext sSLContext = SSLContext.getInstance("TLS");
    sSLContext.init(null, null, null); // default key managers, trust managers and RNG
    // Second argument is the list of enabled protocol *versions* passed to
    // SSLSocket.setEnabledProtocols (e.g. "TLSv1.2", "TLSv1.3"); "TLS" here
    // is the context name, not a version name.
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sSLContext,
            new String[] { "TLS" },
            null,
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    return httpClient;
}

I have added the .pem certificate to the keystore:

myserverURL.pem /usr/local/openjdk-8/jre/lib/security

I tried checking with the command below and saw that TLSv1.3 is being used:

curl --insecure -vvI https://myserverURL.com 2>&1 | awk 'BEGIN { cert=0 } /^* SSL connection/ { cert=1 } /^*/ { if (cert) print }'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol

The client has:

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1

This was working fine earlier. I guess the protocol has been changed to TLSv1.3 on the server side. Is it possible to connect from 1.2 to 1.3?

If the server is flagged with -tls1_3, then it will "only speak TLSv1.3". The server needs to remove that in order to be compatible with TLSv1.2 clients. However, for the server, using TLSv1.3 may be a security architecture design. See this article on ssl.com: TLS 1.3 is here to stay.

It states the following: TLS 1.3 drops backward compatibility in favour of proper security design. It was designed from the ground up to provide functionality similar to (but incompatible with) TLS 1.2, with significant improvements in performance, privacy and security.

Different builds of OpenJDK 8 have backported support for TLS 1.3; see some examples below:

Flavor                   Release
Oracle OpenJDK           8u261
Amazon Corretto          8u272
AdoptOpenJDK             8u272
Azul Zulu                JDK8u262/8u272/8u292
OpenJDK Red Hat build    8u292
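To tell whether the JVM you are running can negotiate TLSv1.3 at all, and to offer TLSv1.3 explicitly instead of relying on the defaults, here is an added example; it is not code from the question or from the answer above. It assumes Apache HttpClient 4.x on the classpath, as in the question; the class name Tls13Check and the URL read from args[0] are illustrative. The check uses the JVM's supported protocol list rather than the default-enabled list, because on some JDK 8 builds with the backport TLSv1.3 is supported but not enabled by default for clients, and it only enables TLSv1.3 when the JVM reports it, since setEnabledProtocols rejects version names the JVM does not know.

```java
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// Illustrative class name (assumption), not part of the original post.
public class Tls13Check {

    /** Protocol versions this JVM can negotiate at all (not only the defaults). */
    static List<String> supportedProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    static boolean supportsTls13() throws Exception {
        return supportedProtocols().contains("TLSv1.3");
    }

    /**
     * Build an HttpClient that offers TLSv1.3 first and falls back to TLSv1.2.
     * The strings are protocol version names, which is what
     * SSLSocket.setEnabledProtocols expects; "TLS" alone is only valid as an
     * SSLContext algorithm name, not as an enabled-protocol name.
     */
    static CloseableHttpClient buildClient() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        String[] versions = supportsTls13()
                ? new String[] { "TLSv1.3", "TLSv1.2" }
                : new String[] { "TLSv1.2" };
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, versions, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("supported    = " + supportedProtocols());
        System.out.println("TLSv1.3      = "
                + (supportsTls13() ? "available" : "NOT available in this JVM"));
        if (args.length == 0) {
            return; // no URL given: only report the JVM's capabilities
        }
        // args[0] is the URL to test, e.g. https://myserverURL.com (assumption)
        try (CloseableHttpClient client = buildClient();
             CloseableHttpResponse resp = client.execute(new HttpGet(args[0]))) {
            System.out.println("HTTP " + resp.getStatusLine());
        } catch (SSLHandshakeException e) {
            // A server that only speaks TLSv1.3 closes the connection when the
            // ClientHello offers nothing higher than TLSv1.2, which surfaces as
            // the "SSL peer shut down incorrectly" / handshake failure above.
            System.err.println("Handshake failed: " + e.getMessage());
            if (!supportsTls13()) {
                System.err.println("This JVM cannot offer TLSv1.3; use a JDK 8 build "
                        + "with the TLS 1.3 backport (see the table above) or JDK 11+.");
            }
        }
    }
}
```

Run it once with no arguments to see the protocol list; if "TLSv1.3" is missing, no client-side configuration will help and the JDK itself has to be updated. Run it with the URL to confirm the handshake succeeds once TLSv1.3 is offered.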
