Note: this page reproduces a StackOverflow question under the CC BY-SA 4.0 license. You are free to use or share it, but you must attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/31281571/
SSLHandshakeException: No cipher suites in common - spray-can SSL configuration
Asked by Upio
I'm trying to install my SSL certificate I acquired for my domain from Comodo but am getting a
SSLHandshakeException: No cipher suites in common
I've read through the multiple questions on this topic but none of the proposed answers have helped me yet.
Comodo provided four certificates:
- AddTrustExternalCARoot.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
- STAR_example_com.crt
I'm setting up the server in a Dockerfile to isolate the problem from my local development environment:
FROM google/debian:wheezy
# Server binary and certificates are copied in before this
RUN apt-get update && apt-get install -y openjdk-7-jre
ADD UnlimitedJCEPolicyJDK7.zip /
RUN unzip UnlimitedJCEPolicyJDK7.zip && cp UnlimitedJCEPolicy/*.jar /usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib/security/
RUN keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore /example.com.jks -storepass changeit -noprompt
RUN keytool -import -trustcacerts -alias int-1 -file COMODORSAAddTrustCA.crt -keystore /example.com.jks -storepass changeit -noprompt
RUN keytool -import -trustcacerts -alias int-2 -file COMODORSADomainValidationSecureServerCA.crt -keystore /example.com.jks -storepass changeit -noprompt
RUN keytool -import -trustcacerts -alias mykey -file STAR_example_com.crt -keystore /example.com.jks -storepass changeit -noprompt
Output from keytool commands in Docker:
Step 10 : RUN keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore /example.com.jks -storepass changeit -noprompt
---> Running in 949afa47c891
Certificate was added to keystore
---> 1df5ff85c32a
Removing intermediate container 949afa47c891
Step 11 : RUN keytool -import -trustcacerts -alias int-1 -file COMODORSAAddTrustCA.crt -keystore /example.com.jks -storepass changeit -noprompt
---> Running in 6cc802ee61f9
Certificate was added to keystore
---> f6eee577e7d5
Removing intermediate container 6cc802ee61f9
Step 12 : RUN keytool -import -trustcacerts -alias int-2 -file COMODORSADomainValidationSecureServerCA.crt -keystore /example.com.jks -storepass changeit -noprompt
---> Running in 22e6bc1e70a6
Certificate was added to keystore
---> d7a0472a9e1f
Removing intermediate container 22e6bc1e70a6
Step 13 : RUN keytool -import -trustcacerts -alias mykey -file STAR_example_com.crt -keystore /example.com.jks -storepass changeit -noprompt
---> Running in 9a812b1182ca
Certificate was added to keystore
Comodo's instructions say that this last 'Certificate was added to keystore' message should be 'Certificate reply was installed in keystore'. What should I do differently when installing the domain certificate?
The SSL configuration in Spray looks like so:
import java.io.FileInputStream
import java.security.{KeyStore, SecureRandom}
import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
import spray.io.ServerSSLEngineProvider

trait SslConfiguration {
  // Build the SSLContext from the JKS keystore; the KeyManager serves the
  // server's private key and certificate chain out of that keystore
  implicit def sslContext: SSLContext = {
    val password = "changeit"
    val keyStoreResource = "/example.com.jks"
    val keyStore = KeyStore.getInstance("jks")
    keyStore.load(new FileInputStream(keyStoreResource), password.toCharArray)
    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    keyManagerFactory.init(keyStore, password.toCharArray)
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    trustManagerFactory.init(keyStore)
    val context = SSLContext.getInstance("TLS")
    // Trust managers are passed as null, so the JVM default trust store is used
    context.init(keyManagerFactory.getKeyManagers, null, new SecureRandom)
    context
  }

  // Restrict every server-side SSLEngine to one cipher suite and two protocol versions
  implicit def sslEngineProvider: ServerSSLEngineProvider = {
    ServerSSLEngineProvider { engine =>
      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA"))
      engine.setEnabledProtocols(Array("SSLv3", "TLSv1"))
      engine
    }
  }
}
Server Boot:
import akka.actor.{ActorRef, ActorSystem}
import spray.can.server.ServerSettings
import spray.httpx.SprayJsonSupport
import spray.routing.SimpleRoutingApp

// Configuration is the application's own settings type (not shown in the question)
object Server extends SimpleRoutingApp with SprayJsonSupport with SslConfiguration {
  def apply(config: Configuration, router: ActorRef)(implicit actorSystem: ActorSystem) = {
    // sslEncryption = true makes spray-can wrap each connection with the
    // implicit ServerSSLEngineProvider from SslConfiguration
    val settings = ServerSettings(actorSystem).copy(sslEncryption = true)
    startServer("0.0.0.0", config.notifyPort, serviceActorName = "notify-server", settings = Some(settings)) {
      path("ping") {
        complete("OK")
      }
    }
  }
}
Handshake Debug output:
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
[Raw read]: length = 5
0000: 16 03 01 00 BF .....
[Raw read]: length = 191
0000: 01 00 00 BB 03 03 55 9C 69 B9 0E 94 CA 61 A4 3C ......U.i....a.<
0010: 95 0B A5 81 B6 BA D4 90 3D 4B 8C 4E BB 35 17 8F ........=K.N.5..
0020: 19 9E B6 D0 2E BB 00 00 5E 00 FF C0 24 C0 23 C0 ........^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
notify-server-akka.actor.default-dispatcher-6, READ: TLSv1 Handshake, length = 191
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1419536569 bytes = { 14, 148, 202, 97, 164, 60, 149, 11, 165, 129, 182, 186, 212, 144, 61, 75, 140, 78, 187, 53, 23, 143, 25, 158, 182, 208, 46, 187 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: localhost]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA
***
[read] MD5 and SHA1 hashes: len = 191
0000: 01 00 00 BB 03 03 55 9C 69 B9 0E 94 CA 61 A4 3C ......U.i....a.<
0010: 95 0B A5 81 B6 BA D4 90 3D 4B 8C 4E BB 35 17 8F ........=K.N.5..
0020: 19 9E B6 D0 2E BB 00 00 5E 00 FF C0 24 C0 23 C0 ........^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
notify-server-akka.actor.default-dispatcher-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
notify-server-akka.actor.default-dispatcher-6, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
notify-server-akka.actor.default-dispatcher-6, WRITE: TLSv1.2 Alert, length = 2
notify-server-akka.actor.default-dispatcher-6, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
[ERROR] [07/08/2015 00:07:22.230] [notify-server-akka.actor.default-dispatcher-6] [akka://notify-server/user/IO-HTTP/listener-0/0] Aborting encrypted connection to 10.0.2.2/10.0.2.2:50790 due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
I've followed Comodo's instructions to a tee EXCEPT for the alias setting. I'm not 100% sure if I should be setting the domain alias to 'mykey' or something else. Could this be the problem?
Any help with this problem would be greatly appreciated!
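The debug log above shows the client offering TLS_RSA_WITH_AES_256_CBC_SHA, the one suite the server enabled, and the handshake still failing. The reason is on the key side: a keystore built only from keytool -import -trustcacerts runs holds four trustedCertEntry items and no PrivateKeyEntry, so the KeyManager has no RSA key and JSSE cannot use any RSA-authenticated suite, which it reports as "no cipher suites in common". The script below is an added example and not code from the question or from spray: it parses a constructed, shortened copy of the "Cipher Suites:" log line, intersects it with the server's enabled list from SslConfiguration, and then drops every suite whose authentication needs a private-key algorithm the keystore does not hold. The suite-name-to-key-algorithm mapping is a simplification written for this example. Note also that the enabled-protocol list in the question includes SSLv3, which has since been deprecated (RFC 7568).

```shell
#!/bin/sh
# Constructed sample: a shortened copy of the "Cipher Suites:" line the client
# sent in the javax.net.debug output above.
CLIENT_HELLO_LINE='Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA]'

# The only suite the server's SSLEngine was allowed in SslConfiguration.
SERVER_ENABLED='TLS_RSA_WITH_AES_256_CBC_SHA'

# offered_suites LINE: print the suite names from a "Cipher Suites: [...]"
# log line, one per line, in the client's preference order.
offered_suites() {
  printf '%s\n' "$1" | sed -e 's/^.*\[//' -e 's/\].*$//' | tr -d ' ' | tr ',' '\n'
}

# key_alg_for SUITE: the private-key algorithm the server must hold to use
# SUITE, read from the authentication part of the suite name. Simplified
# mapping written for this example (RSA, EC, DSA, PSK, or NONE for signalling
# values such as the renegotiation SCSV).
key_alg_for() {
  case "$1" in
    *_ECDSA_WITH_*) echo EC ;;
    *_RSA_WITH_*)   echo RSA ;;
    *_DSS_WITH_*)   echo DSA ;;
    *_PSK_WITH_*)   echo PSK ;;
    *)              echo NONE ;;
  esac
}

# usable_suites OFFERED ENABLED KEYALGS: print the suites that the client
# offered (newline-separated), the server enabled (space-separated) and the
# keystore can back (KEYALGS = space-separated algorithms of its
# PrivateKeyEntry items; "" when it holds only trustedCertEntry items).
# An empty result is the condition JSSE reports as "no cipher suites in common".
usable_suites() {
  off=$1; en=$2; ka=$3
  for suite in $off; do
    case " $en " in *" $suite "*) ;; *) continue ;; esac
    need=$(key_alg_for "$suite")
    case " $ka " in *" $need "*) echo "$suite" ;; esac
  done
}

# Walk through the two keystore states.
offered=$(offered_suites "$CLIENT_HELLO_LINE")
echo "keystore with trusted certs only (the Dockerfile above):"
usable_suites "$offered" "$SERVER_ENABLED" ""      # prints nothing
echo "keystore with an RSA PrivateKeyEntry (after the accepted fix):"
usable_suites "$offered" "$SERVER_ENABLED" "RSA"   # prints TLS_RSA_WITH_AES_256_CBC_SHA
```

The same filter explains why widening the enabled-suite list would not have helped here: every suite in the client's list that the server could enable needs either an RSA or an EC private key, and the keystore had neither.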
Accepted answer by Upio
The problem was resolved when I followed these instructions to install the certificate and private key in the keystore. I was following instructions that assumed this step had already been done.
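The accepted answer's fix is to get the private key and the certificate into the keystore as one PrivateKeyEntry rather than importing the certificate as a trusted entry. The script below is an added example, not from the answer or from Comodo's guide. The first part reads the text printed by keytool -list (a constructed sample is embedded, with placeholder fingerprints and dates taken from the question's log) and reports whether any PrivateKeyEntry exists. The second part gives the two repair procedures as shell functions that are defined but not executed here: Variant 1 assumes the key pair is generated with keytool under the alias mykey, so the CA reply is imported under the same alias and keytool prints "Certificate reply was installed in keystore"; Variant 2 assumes an existing PEM private key at the placeholder path example.com.key and goes through a PKCS#12 bundle. The keystore path, password and alias mirror the Dockerfile in the question; star_example_com.csr, ca-chain.pem, example.com.p12 and the -dname value are placeholders.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -keystore /example.com.jks -storepass changeit`
# for the keystore the Dockerfile in the question builds (fingerprints are placeholders).
LIST_BEFORE='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

root, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
int-1, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
int-2, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
mykey, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD'

# Constructed sample of the listing after the key pair and the CA reply were
# installed under the alias mykey.
LIST_AFTER='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

root, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
int-1, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
int-2, Jul 8, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC:CC
mykey, Jul 8, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD:DD'

# entries_of_type LISTING TYPE: aliases whose entry line ends in "TYPE,"
# (keytool prints "alias, date, trustedCertEntry," or "alias, date, PrivateKeyEntry,").
entries_of_type() {
  printf '%s\n' "$1" | awk -F', ' -v t="$2" '$NF == (t ",") { print $1 }'
}

# keystore_can_serve_tls LISTING: true when at least one PrivateKeyEntry exists;
# without one the KeyManager has no key and the server cannot select any suite.
keystore_can_serve_tls() {
  [ -n "$(entries_of_type "$1" PrivateKeyEntry)" ]
}

# --- repair procedures: keytool/openssl commands, defined but not run here ---
KS=/example.com.jks   # keystore path used in the Dockerfile
PASS=changeit         # keystore password used in the Dockerfile
ALIAS=mykey           # alias the key pair and the CA reply must share

# Variant 1: generate the key pair with keytool, send the CSR to the CA, import
# the chain, then import the CA reply under the key pair's alias. Only that
# last command prints "Certificate reply was installed in keystore".
install_with_generated_key() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=*.example.com, O=Example, C=US" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$ALIAS" -file star_example_com.csr \
    -keystore "$KS" -storepass "$PASS"
  # ... submit star_example_com.csr to the CA and receive STAR_example_com.crt ...
  for pair in root:AddTrustExternalCARoot.crt int-1:COMODORSAAddTrustCA.crt \
              int-2:COMODORSADomainValidationSecureServerCA.crt; do
    keytool -importcert -trustcacerts -alias "${pair%%:*}" -file "${pair#*:}" \
      -keystore "$KS" -storepass "$PASS" -noprompt
  done
  keytool -importcert -trustcacerts -alias "$ALIAS" -file STAR_example_com.crt \
    -keystore "$KS" -storepass "$PASS" -noprompt
}

# Variant 2: the private key already exists as a PEM file (placeholder name
# example.com.key). Bundle key, certificate and CA chain into PKCS#12 and
# import that bundle, which creates the PrivateKeyEntry in one step.
install_with_existing_key() {
  cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
      AddTrustExternalCARoot.crt > ca-chain.pem
  openssl pkcs12 -export -inkey example.com.key -in STAR_example_com.crt \
    -certfile ca-chain.pem -name "$ALIAS" -out example.com.p12 -passout "pass:$PASS"
  keytool -importkeystore -srckeystore example.com.p12 -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$KS" -deststorepass "$PASS"
}

# Diagnose both listings.
for listing in "$LIST_BEFORE" "$LIST_AFTER"; do
  if keystore_can_serve_tls "$listing"; then
    echo "OK: PrivateKeyEntry present: $(entries_of_type "$listing" PrivateKeyEntry)"
  else
    echo "PROBLEM: no PrivateKeyEntry, only trusted certs: $(entries_of_type "$listing" trustedCertEntry | tr '\n' ' ')"
  fi
done
```

Running the diagnostic against a real keystore is a matter of piping keytool -list output into entries_of_type; in a Dockerfile it makes a useful build-time check, since a keystore without a PrivateKeyEntry will fail every TLS handshake at runtime no matter which suites are enabled.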
Answer by mericano1
I had the exact same issue and it was due to the Java Cryptography Extension missing. You can download and install it from here: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Normally the JDK (not the JRE) comes with some libraries already installed.
Answer by Zds
For me this was caused by the wrong keystore being in use.
I had two modules in the same application, and one of them initialized javax.net.ssl to its liking; the part throwing the exception listed above only got its turn after that.
And once javax.net.ssl has been initialized, changing the key- and truststore system properties no longer affects anything.
I figured this out by putting -Djavax.net.debug=ssl into the original application server command line call, to make sure the option was set before anyone else got their turn. Then you can see on STDOUT who initializes the stores and with what.