java SSLv2Hello - javax.net.ssl.SSLException:收到致命警报:unexpected_message
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/30165487/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSLv2Hello - javax.net.ssl.SSLException: Received fatal alert: unexpected_message
提问by Daniel Szalay
I am trying to call an SSL protected web service running on JDK7 / WildFly 8.2 with a Java 6 (update 31) based client.
我正在尝试使用基于 Java 6(更新 31)的客户端调用在 JDK7/WildFly 8.2 上运行的受 SSL 保护的 Web 服务。
The first problem I encountered on the client was:
我在客户端遇到的第一个问题是:
javax.net.ssl.SSLException: Received fatal alert: unexpected_message
javax.net.ssl.SSLException:收到致命警报:unexpected_message
By setting javax.net.debugto allon both sides, I got the following hint on the server side:
通过在两侧设置javax.net.debug为all,我在服务器端得到以下提示:
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
javax.net.ssl.SSLHandshakeException: SSLv2Hello 被禁用
Quick research showsthat,
快速研究表明,
SSLv2Hello disabled by default on the client: In Java SE 7, SSLv2Hello is removed from the default enabled protocol list on the client.
客户端默认禁用 SSLv2Hello:在 Java SE 7 中,SSLv2Hello 已从客户端默认启用的协议列表中删除。
So I have tried to enable SSLv2Helloon WildFly in standalone.xml:
所以我试图SSLv2Hello在 WildFly上启用standalone.xml:
<https-listener name="https"
socket-binding="https"
security-realm="UndertowRealm"
enabled-protocols="SSLv2, SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2"
/>
And the result on the server is:
服务器上的结果是:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
javax.net.ssl.SSLHandshakeException:没有合适的协议(协议被禁用或密码套件不合适)
So I realize, I should be trying to force TLS on the clientinstead of enabling SSLv2Helloon the server. I have tried to set System.setProperty("https.protocols", "TLSv1");before my web service call with no effect.
所以我意识到,我应该尝试在客户端上强制使用 TLS,而不是在服务器上启用SSLv2Hello。我试图在我的网络服务调用之前进行设置,但没有任何效果。System.setProperty("https.protocols", "TLSv1");
What should I configure and how, to get the handshake working?
我应该配置什么以及如何配置才能使握手正常工作?
I have printed the supported cipher suites from the default SSLSocketFactoryon the server:
我已经从SSLSocketFactory服务器上的默认值打印了支持的密码套件:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
回答by user207421
You don't need to enable SSLv2 at the server. You need to disablethe SSLv2Hello pseudo-protocol at the client, by removing SSLv2Hellofrom the enabled TLS protocols and leaving the others:
您不需要在服务器上启用 SSLv2。您需要在客户端禁用SSLv2Hello伪协议,方法是从启用的 TLS 协议中删除并保留其他协议:SSLv2Hello
System.setProperty("https.protocols", "TLSv1,TLSV1.1,TLSV1.2");
and maybe SSLv3if that makes it happy: it won't for much longer, so try not to have to do that.
也许SSLv3如果这让它高兴:它不会持续太久,所以尽量不要这样做。
Note that it is a pseudo-protocol. It is not SSLv2, it is a compatibility measure to allow certain arguably broken servers to accept the hello. The session however operates at SSLv3 or above. It is also obsolete.
请注意,它是一个伪协议。它不是 SSLv2,它是一种兼容性措施,允许某些可能已损坏的服务器接受 hello。然而,会话在 SSLv3 或更高版本上运行。它也已经过时了。
回答by aled
You could probably enable the SSLv2 protocol at the JVM but that is extremely inadvisable because that is a serious security risk.
您可能可以在 JVM 上启用 SSLv2 协议,但这是非常不可取的,因为这是一个严重的安全风险。
The clients are using an outdated and insecure protocol and should be updated to TLSv1.1 or TLSv.1.2. That will require at least Java 7 but Java 8 would be better as Robert mentioned.
客户端使用过时且不安全的协议,应更新为 TLSv1.1 或 TLSv.1.2。这至少需要 Java 7,但正如 Robert 所说,Java 8 会更好。
More info could be found at https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_httpsincluding a table of support TLS protocols by version.
更多信息可以在https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https上找到,包括按版本支持的 TLS 协议表。
