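java - How to resolve SSL illegal_parameter?

Tags: java ssl java-5

I wrote this code to solve an SSL handshake problem.

I get this error because I am connecting to an HTTPS URL that has a 3-level certificate chain, 2048 key, RSA. I found a solution on the internet, but I still have a problem.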

        String[] exludedCipherSuites = { "_DHE_", "_DH_" };
        List<String> enabledCiphers = new ArrayList<String>();
        // cArray is sized here, while enabledCiphers is still empty
        String[] cArray = new String[enabledCiphers.size()];
        SSLSocketFactory osf = context.getSocketFactory();
        SSLSocket socket =
                  (SSLSocket) osf.createSocket(url.getHost(), 443);

        List<String> limited = new LinkedList<String>();
        // Keep every enabled suite whose name contains none of the excluded substrings
        for (String cipher : ((SSLSocket) socket).getEnabledCipherSuites())
        {
            boolean exclude = false;
            if (exludedCipherSuites != null) {
                for (int i = 0; i < exludedCipherSuites.length && !exclude; i++) {
                    System.out.println("HERE");
                    exclude = cipher.indexOf(exludedCipherSuites[i]) >= 0;
                }
            }
            if (!exclude) {
                enabledCiphers.add(cipher);
            }
        }
        // The array returned by toArray is not assigned to anything
        enabledCiphers.toArray(cArray);

        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
        SSLSocketFactory sf = context.getSocketFactory();
        // DOSSLSocketFactory receives cArray as the cipher suite list
        sf = new DOSSLSocketFactory(sf, cArray);
        urlConnection.setSSLSocketFactory(sf);

My log is:

setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files (x86)\Java\jre1.5.0_04\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
export control - checking the cipher suites
export control - found legal entry in cache...
export control - checking the cipher suites
export control - found legal entry in cache...
export control - checking the cipher suites
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1408514027 bytes = { 131, 103, 243, 127, 176, 81, 196, 241, 82, 228, 105, 94, 214, 203, 201, 5, 194, 113, 57, 188, 61, 223, 159, 93, 195, 178, 117, 150 }
Session ID:  {}
Cipher Suites: []
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 43
0000: 01 00 00 27 03 01 54 F4   38 EB 83 67 F3 7F B0 51  ...'..T.8..g...Q
0010: C4 F1 52 E4 69 5E D6 CB   C9 05 C2 71 39 BC 3D DF  ..R.i^.....q9.=.
0020: 9F 5D C3 B2 75 96 00 00   00 01 00                 .]..u......
main, WRITE: TLSv1 Handshake, length = 43
[write] MD5 and SHA1 hashes:  len = 41
0000: 01 03 01 00 00 00 00 00   20 54 F4 38 EB 83 67 F3  ........ T.8..g.
0010: 7F B0 51 C4 F1 52 E4 69   5E D6 CB C9 05 C2 71 39  ..Q..R.i^.....q9
0020: BC 3D DF 9F 5D C3 B2 75   96                       .=..]..u.
main, WRITE: SSLv2 client hello message, length = 41
[Raw write]: length = 43
0000: 80 29 01 03 01 00 00 00   00 00 20 54 F4 38 EB 83  .)........ T.8..
0010: 67 F3 7F B0 51 C4 F1 52   E4 69 5E D6 CB C9 05 C2  g...Q..R.i^.....
0020: 71 39 BC 3D DF 9F 5D C3   B2 75 96                 q9.=..]..u.
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 2F                                              ./
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, illegal_parameter
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
- unexpected error
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)

I passed:

   -Dcom.sun.net.ssl.enableECC=false -Dcom.sun.net.ssl.enableECC=false 
    -Djsse.enableSNIExtension=false

But it did not solve the problem. I am using JDK 1.5.

Best answer

Your VM args contain the enableECC option twice. Try:

-Dsun.security.ssl.allowUnsafeRenegotiation=true

if you are using a self-signed certificate.

Regarding java - How to resolve SSL illegal_parameter?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28807529/
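
The ClientHello in the question's log lists `Cipher Suites: []`, which matches the posted code sizing `cArray` from a still-empty list and discarding the return value of `toArray`. The following is an added example, not part of the original question or answer: it applies the same substring filter but builds the array after filtering and refuses an empty result; the class name `CipherSuiteFilter` and the sample suite list are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class CipherSuiteFilter {

    /** Returns the suites from 'enabled' whose names contain none of the 'excluded' substrings. */
    static String[] filter(String[] enabled, String[] excluded) {
        List<String> kept = new ArrayList<String>();
        for (String suite : enabled) {
            boolean exclude = false;
            for (int i = 0; i < excluded.length && !exclude; i++) {
                exclude = suite.indexOf(excluded[i]) >= 0;
            }
            if (!exclude) {
                kept.add(suite);
            }
        }
        // Size the array after the list is filled and use toArray's return value.
        String[] result = kept.toArray(new String[kept.size()]);
        if (result.length == 0) {
            // An empty list would produce a ClientHello with "Cipher Suites: []".
            throw new IllegalStateException("no cipher suites left after filtering");
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample; on a real socket use socket.getEnabledCipherSuites().
        String[] enabled = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA"
        };
        String[] excluded = { "_DHE_", "_DH_" };

        // Pattern from the question: array sized while the list is empty,
        // toArray's return value ignored, so the array stays zero-length.
        List<String> list = new ArrayList<String>();
        String[] early = new String[list.size()];
        list.add(enabled[0]);
        list.toArray(early);
        System.out.println("question's pattern: " + early.length + " suites");

        String[] suites = filter(enabled, excluded);
        System.out.println("filtered: " + suites.length + " suites");
        for (String s : suites) {
            System.out.println("  " + s);
        }
        // Pass 'suites' to SSLSocket.setEnabledCipherSuites(...) before the handshake.
    }
}
```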
