我有一个 Java 应用程序试图通过 HTTPS 连接到一个网络应用程序。当我在我的 Windows 机器上运行它时一切正常,但在 AWS Linux 机器上我收到握手错误。以下是我使用的软件版本:
Windows Java
- Java 版本“1.8.0_101”
- Java(TM) SE 运行时环境(构建 1.8.0_101-b13)
- Java HotSpot(TM) 客户端虚拟机(build 25.101-b13,混合模式,共享)
AWS Linux Java
- openjdk 版本“1.8.0_91”
- OpenJDK 运行时环境(build 1.8.0_91-b14)
- OpenJDK 64 位服务器虚拟机(build 25.91-b14,混合模式)
我最初的猜测是问题是由 SNI 引起的,因为这是我连接到的 Web 应用程序的设置方式。但是,当我查看调试日志时,我在 Linux 上看到它说:
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
这让我觉得 SNI 处理得当。
我开始认为问题的根源是我的客户端和服务器无法就导致握手失败的密码套件达成一致。我看到在 Windows 上正在使用 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256。我还看到这个密码套件在 Linux 上似乎不存在。
我真的不确定我是否完全理解调试转储中发生的一切,所以希望有人能证实我的怀疑并建议如何完全解决这个问题。
这是在 Linux 上因握手异常而失败的情况
2016/08/26 22:52:35:882 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:52:35:891 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:52:35:893 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:52:35:907 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abus eipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:52:35:937 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:52:36:038 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489140 bytes = { 189, 42, 2, 83, 215, 159, 170, 114, 166, 145, 86, 76, 205, 19, 222, 103, 15, 89, 159, 24 , 126, 130, 219, 181, 48, 109, 132, 79 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RS A_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_ SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES _256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_R SA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV ]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withE CDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016/08/26 22:52:36:199 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Shutdown connection
2016/08/26 22:52:36:200 EDT [DEBUG] MainClientExec - -Connection discarded
2016/08/26 22:52:36:200 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Close connection
2016/08/26 22:52:36:200 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection released: [id: 0][route: {s}->https://www.ab useipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Error: Received fatal alert: handshake_failure
Elapsed Time: 356 ms
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager is shutting down
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager shut down
以下是在 Windows 上运行的情况:
2016/08/26 22:59:27:224 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:59:27:228 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:59:27:228 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipd
b.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:59:27:258 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.ab
useipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:59:27:286 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:59:27:362 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1455489551 bytes = { 69, 36, 118, 201, 252, 93, 212, 32, 99, 181, 94, 8, 249, 138, 165, 81, 11, 108, 104, 8
7, 246, 104, 115, 107, 240, 195, 111, 25 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DS
S_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_S
HA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_
AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA25
6, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_D
SS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_C
BC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DS
S_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1
, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp
192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256wit
hECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1114532124 bytes = { 84, 54, 245, 62, 187, 242, 188, 165, 192, 49, 29, 203, 96, 228, 212, 99, 190, 50, 149
, 219, 193, 146, 98, 47, 55, 155, 153, 148 }
Session ID: {215, 1, 126, 144, 1, 117, 237, 244, 231, 139, 61, 205, 198, 118, 31, 104, 79, 113, 148, 163, 72, 102, 159, 154, 7
9, 160, 201, 174, 102, 35, 3, 107}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
最佳答案
根据SSLLabs report该站点需要 ECDHE 密码。您的 Linux 客户端不支持这些密码,而您的 Windows 客户端支持。
ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine表明这可能是 OpenJDK 与 Oracle JDK 的问题。
关于在 Linux 上运行的 Java 应用程序在某些网站上出现 SSL 握手错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39184469/