我们有两个服务,客户端是Rails应用程序,服务器是使用Play框架构建的REST API。 我们在 Rails 中使用 HTTParty 客户端。
我们在这两个服务之间收到间歇性 SSL 握手错误。 在播放时,我们收到以下错误:
Jan 09 14:37:47 graph-dev graph: org.jboss.netty.handler.ssl.SslHandler - SSLEngine.closeInbound() raised an exception after a handshake failure.
Jan 09 14:37:47 graph-dev javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
Jan 09 14:37:47 graph-dev at: sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
Jan 09 14:37:47 graph-dev at: sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1619)
Jan 09 14:37:47 graph-dev at: sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1587)
Jan 09 14:37:47 graph-dev at: sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1517)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1407)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1293)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:913)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:109)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:90)
Jan 09 14:37:47 graph-dev at: org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
Jan 09 14:37:47 graph-dev at: java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Jan 09 14:37:47 graph-dev at: java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Jan 09 14:37:47 graph-dev at: java.lang.Thread.run(Thread.java:744)
在 Rails 上,相应的错误:
Error: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:918:in `connect'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:918:in `connect'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:851:in `start'
/app/vendor/ruby-2.0.0/lib/ruby/2.0.0/net/http.rb:1367:in `request'
我们的SSL证书由RapidSSL颁发。 在Play上,我们包含一个由Equifax签名的跨根证书,用于验证GeoTrust。
几天来,我们一直在试图弄清楚这一点,但我们真的很茫然。
在播放邮件列表中提供了答案。 我们在$JAVA_HOME/jre/lib/security/java.security中jdk.tls.disabledAlgorithms的默认值末尾添加了DiffieHellman,这解决了它。
这份名单上的功劳归于威尔·萨金特。
https://groups.google.com/forum/#!topic/play-framework/ECee_w2wlrU