java SSLHandshakeException:握手期间远程主机关闭连接
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/49872723/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSLHandshakeException : Remote host closed connection during handshake
提问by Rydermark
The forums are full with this question but I can't find a solution. I try to connect a WS but without any success. I tried to update cacerts file with no effect.
论坛上满是这个问题,但我找不到解决方案。我尝试连接 WS,但没有成功。我试图更新 cacerts 文件但没有效果。
The log are :
日志是:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1507108654 bytes = { 133, 135, 81, 148, 186, 186, 146, 23, 28, 240, 158, 152, 139, 167, 209, 225, 54, 253, 112, 118, 61, 112, 140, 214, 149, 198, 197, 219 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 75
0000: 01 00 00 47 03 01 5A D5 A7 2E 85 87 51 94 BA BA ...G..Z.....Q...
0010: 92 17 1C F0 9E 98 8B A7 D1 E1 36 FD 70 76 3D 70 ..........6.pv=p
0020: 8C D6 95 C6 C5 DB 00 00 20 00 04 00 05 00 2F 00 ........ ...../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 00 FF 01 00 ...........
http-8080-1, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
0000: 16 03 01 00 4B 01 00 00 47 03 01 5A D5 A7 2E 85 ....K...G..Z....
0010: 87 51 94 BA BA 92 17 1C F0 9E 98 8B A7 D1 E1 36 .Q.............6
0020: FD 70 76 3D 70 8C D6 95 C6 C5 DB 00 00 20 00 04 .pv=p........ ..
0030: 00 05 00 2F 00 33 00 32 00 0A 00 16 00 13 00 09 .../.3.2........
0040: 00 15 00 12 00 03 00 08 00 14 00 11 00 FF 01 00 ................
http-8080-1, received EOFException: error
http-8080-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8080-1, SEND TLSv1 ALERT: fatal, description = handshake_failure
http-8080-1, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28 ......(
http-8080-1, called closeSocket()
http-8080-1, called close()
http-8080-1, called closeInternal(true)
Thanks for you help
谢谢你的帮助
回答by Eugène Adell
Most probably the server has disabled TLS 1.0 (and you're talking TLS 1.0 as seen in the sequence bytes 47 03 015A), or it is waiting for the SNI extension which is absent.
很可能服务器已禁用 TLS 1.0(并且您正在谈论 TLS 1.0,如序列字节47 03 015A 中所示),或者它正在等待不存在的 SNI 扩展。
About Java 6, only 6u111 will allow anything better (TLS 1.1) than TLS 1.0, and 6u121 will allow TLS 1.2. Have a look at the Reference. Because of the TLS version intoleranceproblem, it's still unsufficient, and only a system property will enable it for good, as explained in the Release Notes:
关于 Java 6,只有 6u111 将允许比 TLS 1.0 更好的任何东西(TLS 1.1),而 6u121 将允许 TLS 1.2。看看参考。由于TLS 版本不容忍问题,它仍然不够充分,只有系统属性才能永久启用它,如发行说明中所述:
TLS v1.2 is now a TLS protocol option with this release. By default, TLSv1.0 will remain the default enabled protocol on client sockets.
TLS v1.2 现在是此版本的 TLS 协议选项。默认情况下,TLSv1.0 将保持客户端套接字上默认启用的协议。
For this reason, a couple of system properties to try :
出于这个原因,要尝试几个系统属性:
-Djdk.tls.client.protocols="TLSv1.2"(prerequisite : 6u121 / 7u95)-Dhttps.protocols="TLSv1.2"if your code is using HttpsURLConnection
-Djdk.tls.client.protocols="TLSv1.2"(先决条件:6u121 / 7u95)-Dhttps.protocols="TLSv1.2"如果您的代码使用 HttpsURLConnection
Your ClientHellois correctly formatted but it doesn't contain any extension (particularly the SNI). This is why it looks so short (bytes = 80). The SNI is enabled by default starting with 6u121 (if I'm right). Both causes that I see should be solved with the adequate Java version.
您的ClientHello格式正确,但不包含任何扩展名(尤其是 SNI)。这就是它看起来如此短的原因(bytes = 80)。SNI 默认从 6u121 开始启用(如果我是对的)。我看到的这两个原因都应该通过足够的 Java 版本来解决。
