I have an application with embedded Jetty. I want to use client certificate authentication over SSL; when I enable it, I get the following exception at the start of a request. After that, the request is served correctly. This exception only occurs when accessing from IE or Chrome; it does not occur from Firefox. We have a custom SSLConnector that extends SslSocketConnector. I am trying to debug it, but wanted to know if there is any specific place/code where I could start checking.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
Update:
I enabled the SSL debug option and see this exception right after the ServerHelloDone message. That is the message in which the server sends its certificate along with, I believe, the client certificate request. I'm not sure what happens on the first read. Any help is greatly appreciated.
*** ClientHello, TLSv1
****
%% Created: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
*** Certificate chain
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
*** ServerHelloDone
WRITE: TLSv1 Handshake, length = 703
received EOFException: error
handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Update: Updated the JDK to the latest version 23 and tried enabling/disabling both properties. Still the same behaviour.
More info: TLSv1 and SSLv3 are enabled in all browsers. Communication works fine without client authentication enabled. With client authentication we always get the exception on the first handshake, while the next handshake completes correctly and proceeds without any exception. Using Jetty version 6.1.14 on the server side.
Best answer
I have run into problems like this with TLS/SSLv3 negotiation. http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
In SSL/TLS, renegotiations can be initiated by either side. Like the Phase 1 fix, applications communicating with an un-upgraded peer in Interoperable mode and that attempt to initiate renegotiation (via SSLSocket.startHandshake() or SSLEngine.beginHandshake()) will receive a SSLHandshakeException (IOException) and the connection will be shutdown (handshake_failure). Applications that receive a renegotiation request from a non-upgraded peer will respond according to the type of connection in place:
- TLSv1: A warning Alert message of type "no_renegotiation (100)" will be sent to the peer and the connection will remain open. Older versions of SunJSSE will shutdown the connection when a "no_renegotiation" Alert is received.
- SSLv3: The application will receive a SSLHandshakeException, and the connection will be closed (handshake_failure). ("no_renegotiation" is not defined in the SSLv3 spec.)
To set these modes, two system properties are used:
sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1, this controls whether legacy (unsafe) renegotiations are permitted.
sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2, this allows the peer to handshake without requiring the proper RFC 5746 messages.
If that still doesn't help, you can try turning on SSL debug and look at the handshake.
-Djavax.net.debug=all
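To make the -Djavax.net.debug=all output easier to read, here is an added example (not from the question, the answer, or Jetty) of a small Python triage script for the handshake trace format shown in the question: it records how far the handshake got before the exception and whether the server's CertificateRequest named any acceptable CAs, which clients use when choosing a certificate to present. The trace embedded below is constructed to mirror the one posted.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the trace posted in the question (not a real capture).
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
*** ServerHelloDone
handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
"""

MSG_RE = re.compile(r"^\*\*\* (\w+)")                  # "*** ServerHello, TLSv1" -> ServerHello
EXC_RE = re.compile(r"^handling exception: ([\w.]+)")  # exception class name only

@dataclass
class Triage:
    messages: list = field(default_factory=list)          # handshake messages, in order
    cert_types: list = field(default_factory=list)        # from the "Cert Types:" line
    cert_authorities: list = field(default_factory=list)  # DNs listed under "Cert Authorities:"
    exception: str = ""

def triage(trace: str) -> Triage:
    t, section = Triage(), None
    for line in trace.splitlines():
        m, e = MSG_RE.match(line), EXC_RE.match(line)
        if m:
            section = m.group(1)
            t.messages.append(section)
        elif section == "CertificateRequest" and line.startswith("Cert Types:"):
            t.cert_types = [x.strip() for x in line.split(":", 1)[1].split(",") if x.strip()]
        elif section == "CertificateRequest" and line.startswith("<"):
            t.cert_authorities.append(line.strip("<> "))  # SunJSSE prints one <DN> per line
        elif e:
            t.exception = e.group(1)
    return t

def findings(t: Triage) -> list:
    out = []  # names of patterns worth checking; empty means nothing notable
    if t.exception and t.messages and t.messages[-1] == "ServerHelloDone":
        out.append("closed_after_ServerHelloDone")    # client never answered the CertificateRequest
    if "CertificateRequest" in t.messages and not t.cert_authorities:
        out.append("empty_certificate_authorities")   # clients choose a cert against this list
    return out

print(triage(SAMPLE_TRACE).messages, findings(triage(SAMPLE_TRACE)))
```

Paste the real trace in place of the constructed sample; a non-empty CA list shows up as one `<DN>` line per accepted issuer under "Cert Authorities:".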
Regarding java - Exception at request start - ClientAuth SSL, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/4827190/