我正在构建一个 java-ee 应用程序,它应该使用 SSL 连接到 iCal CalDAV 服务器。
每次我尝试连接到服务器时都会收到此错误。
javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
使用其他工具它工作正常,即使在将证书导入信任库后使用 java 工具也是如此。
如果我尝试使用 TLS 进行连接,我会收到一条响应:服务器仅支持 SSLv3。 这是我使用 openssl 工具调查 SSL 握手的方式
openssl s_client -host kalender.myserver.com -port 8443
这是我得到的:
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.myserver.com
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
[[certificate]]
subject=/OU=Domain Control Validated/CN=*.myserver.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3422 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: 99D28660004D122D20657883562319F4F3063B1123AC882AD722B781EB13FF45
Session-ID-ctx:
Master-Key: 6228C28941D81771C68F0FA5546491804081294A95F4A2BE19AC239CF47C24752AC350F54BAEDD3C8E4A7E1044B4B429
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1406820530
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
当我尝试
openssl s_client -tls1 -host kalender.myserver.com -port 8443
这出现并且连接失败:
CONNECTED(00000003)
139883471566496:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407752794
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
以下是我如何使用我发现的 Java 工具调查 SSL 握手 here .
我修改了它以便我可以使用另一个端口。
谷歌:
java HTTPSClient google.com --> 不抛出异常
在端口 8443 上连接到我的服务器:
SSLv3: 没有错误
TLSv1:javax.net.ssl.SSLHandshakeException:服务器选择了 SSLv3,但客户端未启用或不支持该协议(protocol)版本。
我得出的结论是服务器仅支持 SSLv3,因此我尝试使用 apache 提供的 HttpClient 让我的应用程序也这样做。但它似乎不兼容。
这意味着我必须说我的应用程序也使用 SSLv3。那将在继承自 org.apache.commons.httpclient.HttpClient 的 org.osaf.caldav4j.methods.HttpClient 类中的某处。问题是,我找不到任何方法。
我试过了
System.setProperty("https.protocols", "SSLv3");
和
httpClient.getParams().setParameter("https.protocols", "SSLv3");
但两者都没有区别。我还尝试以某种方式将自定义 SSLSocketFactory 插入到 HTTPClient 中,但没有办法做到这一点。下面是构建 HTTPClient 的代码:
public HttpClient getHttpClient(String host, int port, String user, String password){
System.setProperty("https.protocols", "SSLv3");
org.apache.commons.httpclient.HttpClient httpClient = new HttpClient();
String protocol = "https";
String baseDir = "/calendars/users/" + user + "/calendar/";
httpClient.getHostConfiguration().setHost(host, port, protocol);
Credentials httpCredentials = new UsernamePasswordCredentials(user, password);
httpClient.getState().setCredentials(AuthScope.ANY, httpCredentials);
httpClient.getParams().setAuthenticationPreemptive(true);
httpClient.getParams().setParameter("https.protocols", "SSLv3");
return (HttpClient) httpClient;
}
这是我尝试连接时得到的堆栈跟踪(我切断了 java-ee 内部的东西):
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.apache.webdav.lib.methods.HttpRequestBodyMethodBase.writeRequestBody(HttpRequestBodyMethodBase.java:235)
at org.apache.webdav.lib.methods.XMLResponseMethodBase.writeRequestBody(XMLResponseMethodBase.java:303)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.osaf.caldav4j.methods.HttpClient.executeMethod(HttpClient.java:103)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at org.osaf.caldav4j.CalDAVCollection.getCalDAVResources(CalDAVCollection.java:1029)
... 86 more
最佳答案
一行代码解决问题。
System.setProperty("com.sun.net.ssl.rsaPreMasterSecretFix", "true");
如果我理解正确,我需要它来告诉 Java 使用 SSL/TLS 的最大支持版本,而不是其他一些奇怪的版本。可以查一下here .无论如何感谢您的帮助!
关于java - CalDAV 日历服务器 SSL 不工作,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25243418/