SSLHandshakeException: Jetty server does not pick any cipher to start the SSL handshake



The client sends a list of ciphers when it sends the request, but the CXF-Jetty server does not accept any of the given ciphers and closes the session. Below is the SSL log from the server side. When the server runs with JDK 6 it works fine, but not with a higher version of Java. I tried setting https.protocol, but that did not help at all. I verified that all the keystores are also updated in cacerts. Any clue or help would be appreciated. Also, the server is created using org.apache.cxf.jaxws.JaxWsServerFactoryBean.
    qtp1402834900-33, READ: TLSv1.2 Handshake, length = 227
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1496138621 bytes = { 96, 63, 63, 100, 252, 232, 36, 198, 68, 124, 190, 117, ... 245, 6, 67, 240, 24, 181 }
    Session ID:  {}
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, ... SHA1withDSA
    ***
    [read] MD5 and SHA1 hashes:  len = 227
    ...
    %% Initialized:  [Session-12, SSL_NULL_WITH_NULL_NULL]
    qtp1402834900-29, called closeOutbound()
    qtp1402834900-29, closeOutboundInternal()

And the client-side log shows the SSLHandshakeException:

    Thread-38, WRITE: TLSv1.2 Handshake, length = 227
    Thread-38, received EOFException: error
    Thread-38, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    Thread-38, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    Thread-38, WRITE: TLSv1.2 Alert, length = 2
    Thread-38, called close
    Thread-38, called close
    Thread-38, called closeInternal

Java 6 is very old, and is considered End of Life by Oracle.

When you upgrade your Java version, you are also rapidly upgrading what it means to have a secure and encrypted connection on the public Internet.

e.g.:

  • SSLv3 is deprecated and disabled.
  • Hundreds of ciphers are deprecated and disabled.
  • TLS/1.1 and TLS/1.2

For you to be successful, you must have a client that talks TLS/1.2 with modern cipher suites, and no deprecated or disabled cipher suites or protocols.

That means no SHA1, no MD5, no small RSA key sizes, no SSLv3, no RC4, etc ...

...

For the complete list, see the JVM's disabled list ...

$ grep -E "^j.*disabled" $JAVA_HOME/jre/lib/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, 
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 

For Jetty 9.3, you can enable the server startup dump and look at the SslContextFactory details, which will tell you which protocols and ciphers are actually enabled.

$ cd /path/to/mybase && 
 java -jar /path/to/jetty-dist.jar -Djetty.dump.start=true
SslContextFactory@1ed4004b(null,null) trustAll=false
 +- Protocol Selections
 |   +- Enabled (size=3)
 |   |   +- TLSv1
 |   |   +- TLSv1.1
 |   |   +- TLSv1.2
 |   +- Disabled (size=2)
 |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 +- Cipher Suite Selections
     +- Enabled (size=15)
     |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
     |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
     |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
     |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
     |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
     |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
     +- Disabled (size=42)
         +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
         +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
         +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
         +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

For long-term success, you have to keep your Java JVM up to date and honor the JVM expiration dates for each version, because the security layer in the JVM is updated rapidly (in terms of bugs, implementation, and configuration). This is a non-negotiable requirement if you intend to use encryption on the public Internet, or plan to support modern web browsers (which also follow the protocol and cipher suite deprecations).
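The selection shown in the dump above, written out as a small Python model (an added example; this is not code from the question, the answer, Jetty or the JDK). It parses the java.security lines the answer greps for, classifies each suite a JVM supports with the same two labels the dump uses (JreDisabled and ConfigExcluded), and then intersects the server's enabled set with a constructed ClientHello offer to show why an older client ends in handshake_failure while a TLS 1.2 client with a SHA256 suite succeeds. The supported-suite list is a constructed subset of the dump (plus one RC4 suite for illustration), the name-token rule approximating JreDisabled is an assumption, and "first client-preferred suite the server also enables" is a simplification of how JSSE actually negotiates.

```python
import re

# Constructed stand-in for the three java.security lines the answer greps for.
JAVA_SECURITY_SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

# Assumption: suite-name tokens that approximate which suites the dump marks
# "JreDisabled". Real JSSE applies jdk.tls.disabledAlgorithms with finer rules
# (key sizes, signature algorithms) that a name-only check cannot reproduce.
JRE_DISABLED_TOKENS = {"NULL", "DES", "anon", "EXPORT", "RC4"}

# The Jetty exclude pattern visible in the dump ("ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'").
CONFIG_EXCLUDE_PATTERNS = [r"^.*_(MD5|SHA|SHA1)$"]

# Constructed subset of the suites the dump lists, plus one RC4 suite for illustration.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
]

# Constructed ClientHello offers: a Java 6-era client and a TLS 1.2 client.
LEGACY_CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]
MODERN_CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_disabled_algorithms(text):
    """Parse 'jdk.<x>.disabledAlgorithms=a, b, c' lines into {property: [entries]}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return result


def rejection_reasons(suite, exclude_patterns=CONFIG_EXCLUDE_PATTERNS):
    """Why the server will not use a suite, in the dump's vocabulary; [] means enabled."""
    reasons = []
    if set(suite.split("_")) & JRE_DISABLED_TOKENS:
        reasons.append("JreDisabled:java.security")
    for pattern in exclude_patterns:
        if re.match(pattern, suite):
            reasons.append("ConfigExcluded:'%s'" % pattern)
    return reasons


def enabled_suites(supported=SUPPORTED_SUITES):
    """The server's 'Enabled' list: supported suites with no rejection reason."""
    return [s for s in supported if not rejection_reasons(s)]


def select_suite(client_offered, server_enabled):
    """First suite in the client's preference order that the server also enables.
    None corresponds to the fatal handshake_failure alert in the client log."""
    enabled = set(server_enabled)
    for suite in client_offered:
        if suite in enabled:
            return suite
    return None


def explain_offer(client_offered, supported=SUPPORTED_SUITES):
    """Per offered suite, the reasons it was rejected ([] = acceptable)."""
    return {
        s: (rejection_reasons(s) if s in supported else ["NotSupportedByJvm"])
        for s in client_offered
    }


if __name__ == "__main__":
    print("jdk.tls.disabledAlgorithms =",
          parse_disabled_algorithms(JAVA_SECURITY_SAMPLE)["jdk.tls.disabledAlgorithms"])
    print("server enabled:", enabled_suites())
    for name, offer in (("legacy", LEGACY_CLIENT_OFFER), ("modern", MODERN_CLIENT_OFFER)):
        chosen = select_suite(offer, enabled_suites())
        print(name, "->", chosen or "handshake_failure")
        for suite, why in explain_offer(offer).items():
            print("   ", suite, why or "ok")
```

Running it prints the server's enabled set (only the three SHA256 suites survive the JRE list and the `_SHA`/`_MD5` exclusion), then `handshake_failure` for the legacy offer with each suite's reason next to it, and the ECDHE GCM suite for the modern offer. The point of the per-suite reasons is the same one the Jetty dump makes: a client that only offers SHA1-MAC or RC4 suites has nothing in common with a server whose exclusions mirror the JVM's deprecations, so the server closes the connection before any cipher is chosen.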
