Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/3662837/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Java "no cipher suites in common" issue when trying to securely connect to server
Asked by Ben
I have an issue when a client (not mine) connects to my server securely.
It seems that the connection is being refused on the basis of mismatching ciphers, but I have verified that the server indeed shares some of the ciphers with the client.
Could it be an issue with the unknown cipher (Unknown 0x0:0x60)? If so, what must I do to fix it?
Java SSL logs are shown below:
Listener-https, setSoTimeout(30000) called
Worker-30, READ: SSLv3 Handshake, length = 63
*** ClientHello, SSLv3
RandomCookie: GMT: 1267050437 bytes = { 23, 244, 228, 68, 161, 225, 218, 222, 207, 128, 228, 138, 127, 141, 159, 63, 232, 48, 242, 240, 26, 76, 58, 158, 179, 0, 192, 140 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, Unknown 0x0:0x60, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods: { 0 }
***
Worker-30, SEND SSLv3 ALERT: fatal, description = handshake_failure
Worker-30, WRITE: SSLv3 Alert, length = 2
Worker-30, called closeSocket()
Worker-30, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Worker-30, called close()
Worker-30, called closeInternal(true)
Worker-30, called close()
Worker-30, called closeInternal(true)
Thanks, -Ben
Answered by Vineet Reynolds
Adding to erickson's answer, if your certificate does not use a RSA key-pair, and instead turns out to use a DSA key-pair, then no amount of RSA cipher suite "stuffing" will aid in resolving this issue. You'll need to enable the DSA related cipher suites (they're usually indicated by the DSS keyword in them), and also have the client utilize the same cipher suites.
The reason this edge case might turn out to be your problem is due to the default behavior of the keytool utility when generating secret keypairs - DSA and not RSA is the default algorithm.
Answered by erickson
You say that some of the client's requested ciphers are enabled on your server. Have you successfully connected with one of them? For example, try OpenSSL's s_client utility with the -cipher option specifying only that cipher suite.
Perhaps the provider doesn't support all the ciphers you think you have enabled, or perhaps the unlimited strength jurisdiction files are not correctly installed on your server.
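As an added illustration of both answers above (not code from the original post or its authors): a small Java check that reads the server certificate's key algorithm from the keystore, takes the cipher suites the JSSE provider enables by default on a server socket, and intersects them with the client's offered list copied from the ClientHello in the log, keeping only suites that match the certificate's key type. The keystore path, password and alias are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {
    // Suites offered by the client, copied from the ClientHello in the log above
    // (the "Unknown 0x0:0x60" entry has no JSSE name and is omitted).
    static final List<String> CLIENT_SUITES = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_IDEA_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5");

    // A suite is negotiable only if the server enables it, the client offered it,
    // and its authentication part matches the certificate key: RSA suites need an
    // RSA key, DSS suites need a DSA key (the keytool default Vineet points out).
    static List<String> negotiable(String[] serverEnabled, String keyAlg) {
        String marker = keyAlg.equals("DSA") ? "_DSS_" : "_" + keyAlg + "_";
        List<String> out = new ArrayList<>();
        for (String suite : serverEnabled) {
            if (suite.contains(marker) && CLIENT_SUITES.contains(suite)) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // args: <keystore path> <keystore password> <key alias>  (hypothetical)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        String keyAlg = cert.getPublicKey().getAlgorithm(); // "RSA" or "DSA"
        System.out.println("Server certificate key algorithm: " + keyAlg);

        // What a default server socket would enable with this JRE/provider; AES_256
        // suites are absent here when the unlimited-strength policy is missing.
        String[] enabled = SSLContext.getDefault().getServerSocketFactory()
                .getDefaultCipherSuites();
        List<String> ok = negotiable(enabled, keyAlg);
        System.out.println(ok.isEmpty()
            ? "No usable suite: this is the 'no cipher suites in common' case"
            : "Usable suites: " + ok);
    }
}
```

If the certificate reports DSA, the list is empty for this client (it offers only RSA-authenticated suites), which is the mismatch the handshake_failure alert in the log reports.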