当使用 Apache HttpClient 的 Java 8 客户端代码调用 https 服务器时,我们看到以下错误。
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1002)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:573)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:557)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:414)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at HttpClient.main(HttpClient.java:64)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
... 14 more
发现服务器具有RC4-MD5密码,由于Java 8不支持该密码,因此发生了此错误。 这是在目标https服务器上运行"openssl s_client -tls1 -connect :443"后的结果。
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
所以我在JVM的"java.secuity"文件中编辑了jdk.tls.disabledAlgorithms属性。我从此条目中删除了选项"3DES_EDE_CBC"。
旧房产价值:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024,
EC keySize < 224, DES40_CBC_40, 3DES_EDE_CBC
编辑的属性值:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 1024,
EC keySize < 224, DES40_CBC_40
编辑java.security文件后,Java HTTPS调用工作了。
问题:从禁用的算法中删除"3DES_EDE_CBC"算法如何允许此HTTPS调用工作?我怎样才能更好地理解这一点?谢谢。
通常,服务器支持多个密码套件。服务器很可能至少支持 RC4 和 3DES,因此在客户端中启用 3DES 足以找到通用密码。