Spring RestTemplate:SSL 握手失败
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/34563385/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring RestTemplate: SSL handshake failure
提问by David
I am trying to consume a restful ws with basic auth. I did not import any cert into my keystore. When I use chrome plugin Advance Rest clientto test it (using basic auth with base64 encoded username:pass). I can see the response back. So far so good.
But when I develop Java code to consume this ws, I get SSL handsake failure:
我正在尝试使用具有基本身份验证的宁静 ws。我没有将任何证书导入我的密钥库。当我使用 chrome 插件对其Advance Rest client进行测试时(使用带有 base64 编码的用户名的基本身份验证:pass)。我可以看到回复。到现在为止还挺好。但是当我开发 Java 代码来使用这个 ws 时,我得到了 SSL 握手失败:
org.springframework.web.client.ResourceAccessException: I/O error:
Received fatal alert: handshake_failure; nested exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:453)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:377)
at test.Rest.main(Rest.java:37) Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
My question is: if the problem is because I did not import cert to my keystore, then both Java code and plugin should not work together. Here, plugin works but my code does not. What is the reason? There is somethings wrong with my code?
我的问题是:如果问题是因为我没有将证书导入我的密钥库,那么 Java 代码和插件不应该一起工作。在这里,插件有效,但我的代码无效。是什么原因?我的代码有问题吗?
Bellow is my code
波纹管是我的代码
RestTemplate restTemplate = new RestTemplate();
String plainCreds = "username:pass";
byte[] plainCredsBytes = plainCreds.getBytes(Charset.forName("US-ASCII") );
byte[] base64CredsBytes = Base64.encodeBase64(plainCredsBytes);
String base64Creds = new String(base64CredsBytes);
HttpHeaders headers = new HttpHeaders();
headers.add("Authorization", "Basic " + base64Creds);
ResponseEntity<String> response =
restTemplate.exchange("https://url",HttpMethod.GET,new
HttpEntity(headers),String.class);
Here is the link to log file:(I have replace my server-name by XXXXXX) http://www.filedropper.com/ssllog
这是日志文件的链接:(我已将我的服务器名称替换为 XXXXXX) http://www.filedropper.com/ssllog
After running: openssl s_client -showcerts -tls1 -connect host:port
运行后:openssl s_client -showcerts -tls1 -connect host:port
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000164)
8088:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1452011344
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
and this is the output when i run command openssl s_client -connect server:port
这是我运行命令 openssl s_client -connect server:port 时的输出
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000164)
depth=0 C = US, ST = "XXXXXX", L = XXXXXX, O = XXXXXX, OU = xxxxx, CN = XXXXXXXXX.test.intranet, emailAddress = xxxxx@xxxxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = "XXXXXXX ", L = XXXXX, O = XXXXXX, OU = xxxxxx, CN = XXXXXXXXX.test.intranet, emailAddress = xxxxx@xxxxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=XXXXXXX /L=XXXXX/O=XXXXXX/OU=XXXXX/CN=XXXXXX.test.intranet/emailAddress=xxxxx@xxxxx
i:/DC=intranet/DC=xxxx/CN=XXXXXX DEV Issuing CA
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX.....
-----END CERTIFICATE-----
subject=/C=US/ST=XXXXXXX /L=XXXXX/O=XXXXXX/OU=XXXXX/CN=XXXXXX.test.intranet/emailAddress=xxxxx@xxxxx
issuer=/DC=intranet/DC=XXX/CN=XXXXX DEV Issuing CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: XXXXX, P-256, 256 bits
---
SSL handshake has read 1895 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 568BF22A5CDBF103155264BBC056B272168AE0777CBC10F055705EB2DD907E5A
Session-ID-ctx:
Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1452012074
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
回答by Michal Foksa
From javax.net.debuglog I can see that you are using Java 7 and the client resolves to TLSv1. From openssloutput that your server does not support TLSv1.
从javax.net.debug日志中我可以看到您使用的是 Java 7,并且客户端解析为 TLSv1。从openssl您的服务器不支持 TLSv1 的输出来看。
TLS ver. 1.1 and 1.2 are disabled in Java 7 by default.
TLS 版本。默认情况下,Java 7 中禁用 1.1 和 1.2。
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.
尽管 Java SE 7 发行版中的 SunJSSE 支持 TLS 1.1 和 TLS 1.2,但默认情况下这两个版本都未启用客户端连接。一些服务器没有正确实现前向兼容性并拒绝与 TLS 1.1 或 TLS 1.2 客户端对话。对于互操作性,默认情况下,SunJSSE 不会为客户端连接启用 TLS 1.1 或 TLS 1.2。
Enable TLSv1.1 and TLSv1.2 either by:
通过以下任一方式启用 TLSv1.1 和 TLSv1.2:
JVM argument:
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1Or set the same property from Java code:
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,TLSv1");Or install JCE Unlimited Strength policy files for Java 7. I am not 100% sure if this single step would solve the problem although it is always worth to install JCE while it allows JVM to use stronger versions of existing algorithms.
JVM 参数:
-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1或者从 Java 代码设置相同的属性:
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,TLSv1");或者为 Java 7安装JCE Unlimited Strength 策略文件。我不是 100% 确定这一步是否能解决问题,尽管安装 JCE 总是值得的,同时它允许 JVM 使用现有算法的更强版本。
UPDATE 29/Sep/2016:
2016 年 9 月 29 日更新:
Order of protocols changed from better to worse (TLS ver. 1.2 to 1) in options 1 and 2.
在选项 1 和选项 2 中,协议的顺序从好到坏(TLS 版本 1.2 到 1)。
回答by lmiguelmh
If you happen to be using Java 7 you need to explicitly tell Java to use TLSv1.2 protocol. Here is an example using Spring XML configuration.
如果您碰巧使用 Java 7,则需要明确告诉 Java 使用 TLSv1.2 协议。这是一个使用 Spring XML 配置的示例。
***In any Spring bean (i.e. a controller)***
import org.apache.http.client.HttpClient;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import javax.net.ssl.SSLContext;
@Bean(name="client")
public HttpClient make() throws NoSuchAlgorithmException, KeyManagementException {
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2", "TLSv1.1"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return HttpClients.custom()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build();
}
***In XML configuration files***
<bean id="factory"
class="org.springframework.http.client.HttpComponentsClientHttpRequestFactory">
<property name="httpClient" ref="client"/>
</bean>
<bean id="restTemplate" class="org.springframework.web.client.RestTemplate">
<property name="requestFactory" ref="factory"/>
</bean>
You could do the same without XML with something like this:
你可以在没有 XML 的情况下做同样的事情:
RestTemplate restTemplate;
public HttpClient getHttpClient() throws NoSuchAlgorithmException, KeyManagementException {
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2", "TLSv1.1"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return HttpClients.custom()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build();
}
public void setUp() throws Exception {
restTemplate = new RestTemplate(
new HttpComponentsClientHttpRequestFactory(
getHttpClient()));
...
}
