我有一个使用 RESTTemplate 与服务对话的 java 程序。我正在使用客户端证书与服务器通信。出现以下错误
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 19:53:13.851 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection 19:53:13.852 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded 19:53:13.852 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://api.entrust.net:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20] 19:53:13.854 [main] ERROR com.x.y.z.provider.a.Client - exception I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 19:53:13.858 [main] DEBUG com.x.y.z.provider.a.Client - Map the failure exception {} org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://api.entrust.net/enterprise/v2/application/version": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744) at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
当我启用调试日志时,我看到初始握手已完成,但后来失败并出现以下错误
*** CertificateVerify
Signature Algorithm SHA256withRSA
update handshake state: certificate_verify[15]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Handshake, length = 264
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 101, 230, 249, 79, 106, 34, 167, 222, 44, 208, 111, 11 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
**main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]**
main, called closeSocket()
有趣的是,我在笔记本电脑上运行它没有问题,但是一旦我在容器上运行它,它就会给我握手错误
我在笔记本电脑上运行 oracle jdk,但在我的容器上运行 OpenJDK-1.8.0.212 版本。可能的问题是什么?
在容器中,我确实安装了信任库和 keystore ,我可以看到它正在被使用,因为它失败的地方是我在 SSL 调试日志中显示的地方。
最佳答案
选项 1。您需要将您的信任库/ keystore 添加到您正在测试它的容器或环境的 cacerts 中,以便握手成功通过。
选项 2。您可以让您的程序读取容器/沙箱/环境中 keystore 文件的位置。
关于openjdk 1.8 的 Java SSL 通信握手失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58107934/