I am trying to connect to an external site to get a response.
```
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at sun.security.ssl.InputRecord.read(InputRecord.java:505)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
	... 56 more
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
```
My code:

```java
CloseableHttpClient httpClient2 = null;
try {
    httpClient2 = (CloseableHttpClient) getTLS();
} catch (KeyManagementException e1) {
    // TODO Auto-generated catch block
    e1.printStackTrace();
} catch (UnrecoverableKeyException e1) {
    // TODO Auto-generated catch block
    e1.printStackTrace();
} catch (NoSuchAlgorithmException e1) {
    // TODO Auto-generated catch block
    e1.printStackTrace();
} catch (KeyStoreException e1) {
    // TODO Auto-generated catch block
    e1.printStackTrace();
}

public HttpClient getTLS() throws KeyManagementException,
        UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
    SSLContext sSLContext = SSLContext.getInstance("TLS");
    // Default key managers, trust managers and SecureRandom
    sSLContext.init(null, null, null);
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sSLContext,
            new String[] { "TLS" }, // supportedProtocols
            null,                   // supportedCipherSuites (null = defaults)
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    return httpClient;
}
```
I have added the .pem certificate to the keystore:

myserverURL.pem /usr/local/openjdk-8/jre/lib/security

I tried checking with the command below and saw that TLSv1.3 is being used.

```
curl --insecure -vvI https://myserverURL.com 2>&1 | awk 'BEGIN { cert=0 } /^* SSL connection/ { cert=1 } /^*/ { if (cert) print }'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
```

The client has:

```
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
```

This was working fine earlier. I guess the protocol has been changed to TLSv1.3 on the server side. Is it possible to connect from 1.2 to 1.3?
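If the server is flagged with `-tls1_3`, then it will "only talk tlsv1.3". The server needs to remove that flag to be compatible with TLSv1.2 clients. However, using TLSv1.3 may be a security architecture decision for the server. See this article on ssl.com, "TLS 1.3 Is Here to Stay", which states:

> TLS 1.3 has abandoned backwards compatibility in favor of a proper security design. It has been designed from scratch to provide functionality similar (yet not compatible) to TLS 1.2, but with significantly improved performance, privacy and security.

Different builds of OpenJDK 8 have backported support for TLS 1.3; see some examples below: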
| Flavor | Release |
|---|---|
| AdoptOpenJDK | 8u272 |
| Azul Zulu JDK | 8u262/8u272/8u292 |
| | 8u261 |
| | 8u272 |
| OpenJDK Red Hat build | 8u292 |
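
An added example (not from the question or the answer): a JDK-only check that reports whether the running JRE can offer TLSv1.3, which is what the OpenJDK 8 backport releases listed above decide. The class name `TlsProtocolCheck`, the optional host argument and port 443 are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProtocolCheck {
    // JSSE protocol names to offer, newest first.
    private static final String[] WANTED = { "TLSv1.3", "TLSv1.2" };

    // Returns the WANTED protocols that this JRE's default SSLContext supports.
    static String[] usableProtocols() throws Exception {
        List<String> supported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
        List<String> usable = new ArrayList<>();
        for (String p : WANTED) {
            if (supported.contains(p)) {
                usable.add(p);
            }
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        String[] protocols = usableProtocols();
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("usable protocols = " + Arrays.toString(protocols));
        if (!Arrays.asList(protocols).contains("TLSv1.3")) {
            System.out.println("This JRE cannot offer TLSv1.3; a TLSv1.3-only server will refuse it.");
        }
        if (args.length == 0) {
            return; // no host given: report the JRE's capabilities only
        }
        // Optional live check against a host supplied by the caller (assumed port 443).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], 443)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(protocols);
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the host name
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("negotiated       = " + socket.getSession().getProtocol());
        }
    }
}
```

The array returned by `usableProtocols()` has the form that the `supportedProtocols` argument of `SSLConnectionSocketFactory` takes, which is the position where the question's code passes `{ "TLS" }`.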