TLS 1.2 was supported in Java 8 but not in Java 7
Declaration: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/37806743/
Asked by Krishanthy Mohanachandran
When I tried to connect to a URL (one of our vendor's URLs, which supports TLS 1.2 and previously worked fine with Java 7) using Java 7, I got the exception below:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
So I enabled -Dhttps.protocols=TLSv1.2, -Djavax.net.ssl.trustStore=<keystoreFilePath> and -Djavax.net.ssl.trustStorePassword=<password>.
After that I still got the same issue. Then I upgraded the Java version to 8, and it could connect to the URL without any SSL issue.
As per this blog, in Java 8 TLS 1.2 is the default, and in Java 7 TLS 1.2 can be enabled with the property -Dhttps.protocols. From my past experience, in Java 7 I could access a URL without a problem if I enabled the above properties.
But for this URL, I am being asked to upgrade the Java version. What vendor-side changes could have caused the exception mentioned above in Java 7? And can't I access the URL without upgrading to Java 8?
When I tried with -Djavax.net.debug=all I got the log below:
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp11284997-17, setSoTimeout(0) called
qtp11284997-18, setSoTimeout(0) called
%% No cached client session
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: *** ClientHello, TLSv1.2
RandomCookie: GMT: 1465902650 bytes = { GMT: 1465902650 bytes = { 113156, , 91, 215, 64, 8, 63, 32, 255, 223, 156, 170, 50, 244, 156, 18, 241, 241, 229, 169, 35, 160, 22, 15, 111, 204, 231, 28, 25, 203, 70, 164, 77, 14, 181, 126, 159, 152, 111, 221, 254, 59 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes: len = 211
0000: 01 00 00 CF 03 03 57 60 E6 3A 71 D7 40 08 3F FF ......W`.:q.@.?.
0010: 9C 32 9C F1 E5 23 16 6F E7 19 46 A4 4D 0E B5 7E .2...#.o..F.M...
0020: 9F 98 6F DD FE 3B 00 00 2A 00 33 C0 04 00 16 00 ..o..;..*.3.....
0030: 05 C0 03 C0 11 C0 02 C0 07 C0 13 C0 08 C0 0C 00 ................
0040: FF C0 0D C0 0E C0 09 00 2F C0 12 00 04 00 32 00 ......../.....2.
0050: 13 00 0A 01 00 00 7C 00 0A 00 34 00 32 00 17 00 ..........4.2...
0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................
0070: 18 00 0B 00 0C 00 19 00 0D 00 0242, E119, 001, 0F19, 00164, 1081, 3, 0063, 176, 255, .42, .23, .252, .164 }
Session ID: .{}
..Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { .0 }
........
0080: 11Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
00Extension ec_point_formats, formats: [uncompressed]
02Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes: len = 211
0000: 01 00 00 CF 03 03 57 60 E6 3A 9C 5B 20 DF AA F4 ......W`.:.[ ...
0010: 12 F1 A9 A0 0F CC 1C CB F2 77 01 13 A4 51 03 3F .........w...Q.?
0020: B0 FF 2A 17 FC A4 00 00 2A 00 33 C0 04 00 16 00 ..*.....*.3.....
0030: 05 C0 03 C0 11 C0 02 C0 0700 C0 131 C02 0 008 0 C04 0C 000 0 . 0.5. .0.0 14 00 08 00 16 00 .......................
.0.0.4.0
0090: : 0BF 00F 0 C02 0 01D 0 C00 0 00E 0 C0D 0 009 1A0 000 1 8 2 06F 0 C03 1 062 0 001 0 05 ................
00A0: 03 05 01 04 03 04 01 03 03 03 01 02 03 02 01 02 ................
00B0: 02 01 01 00 00 00 1C 00 1A 00 00 17 70 6F 73 74 ............post
00C0: 70 72 6F 64 31 2E 72 61 74 65 74 69 67 65 72 2E prod1.ratetiger.
00D0: 63 6F 6D com
4 00 32 00 ......../.....2.
0050: 13 00 0A 01 00 00 7C 00 0A 00 34 00 32 00 17 00 ..........4.2...
0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................
0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 qtp11284997-17, WRITE: TLSv1.2 Handshake, length = 211
.........[Raw write]: length = 216
......0.0
0000: 168 030 0: 113 0 000 D 023 0 010 0 120 00 040 000 05 00C 14F 0 030 0 083 00 165 007 6.0. .E6. .3.A. .7.1. . ..........
.0.0.9.0.: .W`0.:qB
000 020 011 000 0: D70 4 0D0 00 0 1A8 00 183 06F 03 06F 01F 05 9 C. .3.2. .9.C. . .F.1. .E.5. .2.3
00A0 : 031 056 0 6F1 E 047 0 193 4 046 01 0 3.@ . 03? 0.3.2 01. 02. 0.#3.o 02. 01. F02
0 0.2.0.: .A.4. .4.D. .0.E. .B.5. .7E
9F0 980 6FB 0 D: D02 FE 01 3B01 0000 0000 2A00 001C 3300 1A. M00. 00. 1.7..o .7.;0. .*6.3F
0030 : C07 043 0 740 1.6. .0.0. .0.5. .C.0. .post0
300C0 : 70 C072 6F1 641 3 C0 02 C0 07 C0 13 ................
0040: C0 08 C0 0C 00 FF C0 0D C0 0E C0 09 00 2F C0 12 ............./..
0050: 00 04 00 32 00 13 00 0A 01 00 00 7C 00 0A 00 34 ...2...........4
0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2..............
0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................
0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ...1. .2...........
0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................
00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ............E 72 61 74 65 74 69 67 65 72 2E prod1.ratetiger.
00D0: 63 6F 6D com
qtp11284997-18, WRITE: TLSv1.2 Handshake, length = 211
[Raw write]: length = 216
0000: 16 03 03 00 D3 01 00 00 CF 03 03 57 60 E6 3A 9C ...........W`.:.
0010: 5B 20 DF AA F4 12 F1 A9 A0 0F CC 1C CB F2 77 01 [ ..............
00B0: 02 03 02 01 02 02 01 01 00 00 00 1C 00 1A 00 00 ................
00C0: 17 70 6F 73 74 70 72 6F 64 31 2E 72 61 74 65 74 .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D iger.com
..w.
0020: 13 A4 51 03 3F B0 FF 2A 17 FC A4 00 00 2A 00 33 ..Q.?..*.....*.3
0030: C0 04 00 16 00 05 C0 03 C0 11 C0 02 C0 07 C0 13 ................
0040: C0 08 C0 0C 00 FF C0 0D C0 0E C0 09 00 2F C0 12 ............./..
0050: 00 04 00 32 00 13 00 0A 01 00 00 7C 00 0A 00 34 ...2...........4
0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2..............
0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................
0080: 00 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 ................
0090: 00 08 00 16 00 0B 00 02 01 00 00 0D 00 1A 00 18 ................
00A0: 06 03 06 01 05 03 05 01 04 03 04 01 03 03 03 01 ................
00B0: 02 03 02 01 02 02 01 01 00 00 00 1C 00 1A 00 00 ................
00C0: 17 70 6F 73 74 70 72 6F 64 31 2E 72 61 74 65 74 .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D iger.com
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
[Raw read]: length = 5
0000: 02000 280 : 15 03 03 00 02 .(
..qtp11284997-17, READ: TLSv1.2 Alert, length = 2
..qtp11284997-17, RECV TLSv1 ALERT: fatal, handshake_failure
.
[Raw read]: length = 2
0000: 02 28qtp11284997-17, called closeSocket()
qtp11284997-17, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
qtp11284997-17, called close()
.(qtp11284997-17, called closeInternal(true)
qtp11284997-18, READ: TLSv1.2 Alert, length = 2
qtp11284997-18, RECV TLSv1 ALERT: fatal, handshake_failure
2016-06-15 10:53:06,722 WARN [ride.intermediate.connect.ratetiger.ConnectRateTiger] -- Exception in InputStream Close--java.lang.NullPointerException
qtp11284997-17, called close()
qtp11284997-17, called closeInternal(true)
qtp11284997-18, called closeSocket()
qtp11284997-18, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
qtp11284997-18, called close()
qtp11284997-18, called closeInternal(true)
Answered by Joby Wilson Mathews
Without upgrading to Java 8, you can upgrade your Java 7 version to 1.7.0_131-b31.
For JRE 1.7.0_131-b31 on the Oracle site:
TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.
Answered by Limetics
If you test the URL with SSLLabs, the website allows 4 ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
But if you read the cipher list for Java 7, none of these ciphers is supported (this can be seen in the debug message as well). Even after enabling TLS 1.2 for Java 7, I think it doesn't find any valid ciphers. The site had to change its configuration.
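The two answers above point at the same root cause: the server only accepts ECDHE_RSA suites with SHA-256/SHA-384 or GCM, and the Java 7 client's ClientHello in the question offers none of them (the debug log lists them as "Ignoring unsupported cipher suite"), so enabling the protocol alone cannot help. The following diagnostic is an added example, not code from the question or from any of the answers. It takes the four suites quoted from SSLLabs above, asks the running JVM which suites it would enable for the default "TLS" context and for an explicit "TLSv1.2" context, and reports the intersection. An empty intersection is exactly the condition that produces the `handshake_failure` alert seen in the question. The class name `TlsSuiteCheck` and the helper names are assumptions made for this example; the server suite list is copied from the answer.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocketFactory;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added diagnostic (not part of the original question or answers): compare the
 * cipher suites a server accepts with what this JVM enables, to predict whether
 * a TLS handshake can succeed before touching the network.
 */
public class TlsSuiteCheck {

    // Suites the vendor's server accepts, as reported by SSLLabs in the answer above.
    static final String[] SERVER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    /** Suites this JVM would offer in a ClientHello built from the given context. */
    static Set<String> enabledSuites(String contextProtocol)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        ctx.init(null, null, null);            // default key/trust managers and RNG
        SSLSocketFactory factory = ctx.getSocketFactory();
        return new LinkedHashSet<String>(Arrays.asList(factory.getDefaultCipherSuites()));
    }

    /** Suites both sides accept; an empty result means the handshake must fail. */
    static Set<String> negotiable(Set<String> clientSuites, String[] serverSuites) {
        Set<String> common = new LinkedHashSet<String>();
        for (String suite : serverSuites) {
            if (clientSuites.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    static void report(String contextProtocol) throws Exception {
        Set<String> client = enabledSuites(contextProtocol);
        Set<String> common = negotiable(client, SERVER_SUITES);
        System.out.println("SSLContext \"" + contextProtocol + "\": "
                + client.size() + " suites enabled");
        if (common.isEmpty()) {
            // This is the situation in the question: nothing in common, so the
            // server answers the ClientHello with a fatal handshake_failure alert.
            System.out.println("  no common suite -> expect 'Received fatal alert: handshake_failure'");
            for (String suite : SERVER_SUITES) {
                System.out.println("  server requires " + suite + " -> not enabled here");
            }
        } else {
            System.out.println("  negotiable suites: " + common);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext dflt = SSLContext.getDefault();
        SSLParameters supported = dflt.getSupportedSSLParameters();
        SSLParameters enabled = dflt.getDefaultSSLParameters();
        System.out.println("java.version         = " + System.getProperty("java.version"));
        System.out.println("protocols supported  = " + Arrays.toString(supported.getProtocols()));
        System.out.println("protocols enabled    = " + Arrays.toString(enabled.getProtocols()));

        // "TLS" is what HttpsURLConnection uses by default; "TLSv1.2" shows what an
        // explicitly created TLS 1.2 context would offer on the same JVM.
        report("TLS");
        report("TLSv1.2");
    }
}
```

Run it with the same JVM and the same `-Dhttps.protocols` / `-Djavax.net.ssl.*` options as the failing application (`java TlsSuiteCheck`); the output depends on the JVM build, which is the point. Comparing the two reports also shows whether enabling the protocol changes the offered suites at all, which is the distinction between "TLS 1.2 is enabled" and "a TLS 1.2 handshake with this particular server can succeed". The same check can be repeated on the Java 8 or 1.7.0_131-b31 JVM from the other answer to confirm that the intersection is non-empty there.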
Answered by Vinay
I also faced a similar kind of problem while starting our Swing-based application. It seems that in some versions of Java 7, TLS 1.2 is not enabled by default. I enabled it and then it worked fine.
You may enable it from Java Control Panel -> Advanced -> click 'Use TLS 1.2'.
Hopefully it will work in your case as well.