SSL 握手失败 - Java 1.8
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/33048172/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSL Handshake Failed - Java 1.8
提问by James
Just letting folks know about an issue I had that many seemed to have had after upgrading to Java 1.8. Not all of the solutions are the same hence posting how I resolved this.
只是让人们知道我在升级到 Java 1.8 后似乎遇到的一个问题。并非所有解决方案都相同,因此发布我如何解决此问题。
But first... This is not a solution worthy of production systems since security is being effectively downgraded. However, if you are blocked testing etc. it is probably quite suitable.
但首先……这不是一个值得生产系统使用的解决方案,因为安全性正在被有效降级。但是,如果您被阻止测试等,它可能非常合适。
My issue was that no matter what I did... enabled SSLv3 etc. I always received
我的问题是,无论我做什么...启用 SSLv3 等。我总是收到
"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".
Here are the steps I took to 'solve' this.
以下是我为“解决”这个问题而采取的步骤。
First, I discovered which cipher the server was using. I did this via openssl.
首先,我发现了服务器使用的密码。我是通过 openssl 做到的。
openssl s_client -host yourproblemhost.com -port 443
This yields (at the end...)
这产生(最后......)
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Now.. what do we use 'Java-wise' to enable that cipher?
现在.. 我们如何使用“Java-wise”来启用该密码?
In that link, it has the names and their Java counterpart. So for RC4-MD5, we have SSL_RSA_WITH_RC4_128_MD5.
在该链接中,它具有名称及其对应的 Java 版本。所以对于 RC4-MD5,我们有 SSL_RSA_WITH_RC4_128_MD5。
ok good. Now I added a System property.
好的。现在我添加了一个 System 属性。
-Dhttps.cipherSuites=SSL_RSA_WITH_RC4_128_MD5
And in my code...
在我的代码中...
Security.setProperty("jdk.tls.disabledAlgorithms", "" /*disabledAlgorithms */ );
Again.. this is an absolute last resort 'fix'... But if you're hitting your head aganst a wall to get it running (for testing), I hope it comes in useful.
再次..这绝对是最后的“修复”手段......但是如果你撞墙让它运行(用于测试),我希望它有用。
回答by Jigar Joshi
With JDK 1.8.0_51 releaseRC4 is no longer supported from Java as client (also as server) to negotiate SSL handshake, RC4 is considered weak (and compromised ) cipher and that is the reason for removal
在JDK 1.8.0_51 版本中,Java 不再支持 RC4 作为客户端(也作为服务器)来协商 SSL 握手,RC4 被认为是弱(和受损)密码,这就是删除的原因
http://bugs.java.com/view_bug.do?bug_id=8076221
http://bugs.java.com/view_bug.do?bug_id=8076221
You can still however enable it by removing RC4 from jdk.tls.disabledAlgorithmsfrom your Java security config or progamatically enabling them using setEnabledCipherSuites()method
但是,您仍然可以通过jdk.tls.disabledAlgorithms从 Java 安全配置中删除 RC4或使用setEnabledCipherSuites()方法以编程方式启用它们来启用它
However better solution would be to update the server configuration (if it is under your control) to upgrade to stronger Ciphers
但是更好的解决方案是更新服务器配置(如果它在您的控制之下)以升级到更强大的密码
RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by
SSLEngine.setEnabledCipherSuites()andSSLSocket.setEnabledCipherSuites()methods.
RC4 现在被认为是一种被破坏的密码。RC4 密码套件已从 Oracle JSSE 实现中的客户端和服务器默认启用的密码套件列表中删除。这些密码套件仍然可以通过
SSLEngine.setEnabledCipherSuites()和SSLSocket.setEnabledCipherSuites()方法启用。
As to your approach on setting it by using Security.setProperty(), it is not reliable way because the fields which hold disabled algorithms are static and final, So if that class gets loaded first you don't have controll over it, you could alternatively try by creating a properties file
至于您通过 using 设置它的方法Security.setProperty(),它不是可靠的方法,因为包含禁用算法的字段是 static 和 final,因此,如果该类首先加载,您无法控制它,您也可以尝试创建一个属性文件
like this
像这样
## override it to remove RC4, in disabledcipher.properties
jdk.tls.disabledAlgorithms=DHE
and in your JVM, you could refer it as system property like this
在您的 JVM 中,您可以像这样将其称为系统属性
java -Djava.security.properties=disabledcipher.properties blah...
回答by Andrew Henle
RC4 was effectively cracked - 14 years ago.
RC4 有效破解 - 14 年前。
The Fluhrer, Mantin and Shamir (FMS) attack, published in their 2001 paper"Weaknesses in the Key Scheduling Algorithm of RC4", takes advantage of a weakness in the RC4 key scheduling algorithm to reconstruct the key from encrypted messages.
Fluhrer、Mantin 和 Shamir (FMS) 攻击发表在他们2001 年的论文“RC4 密钥调度算法的弱点”中,利用 RC4 密钥调度算法的弱点从加密消息中重建密钥。
The problem isn't in Java 8.
问题不在于 Java 8。
The problem is your server is using RC4.
问题是您的服务器正在使用 RC4。
回答by user3079604
Thanks alton for sharing such a life saver information. Only one thing I'd like to change since
感谢奥尔顿分享这样一个救生员的信息。只有一件事我想改变,因为
openssl s_client -host yourproblemhost.com -port 443
returned ->
Protocol : TLSv1.2
Cipher : 0000
openssl s_client -connect X.X.X.X:993 -prexit -tls1
returned -> the expected response as
Protocol : TLSv1
Cipher : RC4-MD5
