The following code throws an error in JDK 11:
import java.net.HttpURLConnection;
import java.net.URL;

// Opening the connection and reading the status code triggers the TLS handshake that fails.
HttpURLConnection con = (HttpURLConnection) new URL("https://sis.redsys.es/sis/realizarPago").openConnection();
con.setRequestMethod("GET");
con.getResponseCode();
The error is:
javax.net.ssl.SSLHandshakeException: extension (10) should not be presented in server_hello
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:71)
at java.base/sun.security.ssl.ServerHello$ServerHelloMessage.<init>(ServerHello.java:169)
at java.base/sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:860)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:390)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:877)
at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:810)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:383)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
It works in every previous JDK (I tested in 7, 8, 9 and 10).
The certificate seems to be valid, since it is recognized by browsers and by most of the SSL tests I found on the internet.
I have tried disabling hostname verification, disabling cacerts, and adding DigiCert to the cacerts file, without success.
This looks like a bug in OpenJDK. Tested in builds 26, 27 and 28 (release candidate).
Best answer
The issue has now been resolved in JDK 12 https://bugs.openjdk.java.net/browse/JDK-8209965 and is included in ea-9.
The backport to JDK 11 has also been resolved https://bugs.openjdk.java.net/browse/JDK-8210005 and is included in
- 11.0.3 (Oracle JDK)
- 11.0.2 (OpenJDK)
Some background can be found in the comments here https://github.com/openssl/openssl/pull/4463/files
TLS 1.3 adds a scheme for the server to indicate to the client its list of supported groups in the EncryptedExtensions message, but none of the relevant specifications permit sending supported_groups in the ServerHello.
Nonetheless (possibly due to the close proximity to the "ec_point_formats" extension, which is allowed in the ServerHello), there are several servers that send this extension in the ServerHello anyway.
Up to and including the 1.1.0 release, we did not check for the presence of nonpermitted extensions, so to avoid a regression, we must permit this extension in the TLS 1.2 ServerHello as well.
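A diagnostic check for the behaviour described above, added here as an example (it is not code from the question, the answer, the JDK or OpenSSL): it parses the extension list of a TLS 1.2 ServerHello record and reports extension types that are not on a ServerHello allow-list, run against a constructed ServerHello that carries supported_groups (10) right next to ec_point_formats (11), as the misbehaving servers do. The allow-list and the sample bytes are assumptions for illustration; the JDK's own allow-list in SSLExtensions is longer.

```python
import struct

SUPPORTED_GROUPS = 10   # the "extension (10)" named in the JDK error message
EC_POINT_FORMATS = 11   # permitted in a TLS 1.2 ServerHello

# Assumption: a minimal allow-list of extensions a TLS 1.2 server may echo in
# its ServerHello. supported_groups (10) is deliberately absent, as in the RFCs.
SERVER_HELLO_ALLOWED = {
    0,       # server_name (empty acknowledgement)
    5,       # status_request
    11,      # ec_point_formats
    16,      # application_layer_protocol_negotiation
    23,      # extended_master_secret
    35,      # session_ticket
    0xff01,  # renegotiation_info
}


def parse_server_hello_extensions(record: bytes) -> list:
    """Return [(type, data), ...] for every extension in a handshake record
    that carries a single ServerHello message (TLS 1.2 layout)."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + length]
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    pos = 2 + 32                          # legacy_version + random
    pos += 1 + sh[pos]                    # session_id (length-prefixed)
    pos += 2 + 1                          # cipher_suite + compression_method
    if pos >= len(sh):
        return []                         # no extensions block present
    ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts = []
    while pos < end:
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        exts.append((etype, sh[pos:pos + elen]))
        pos += elen
    return exts


def unexpected_extensions(record: bytes) -> list:
    """Extension types a strict client such as JDK 11 would reject."""
    return [t for t, _ in parse_server_hello_extensions(record)
            if t not in SERVER_HELLO_ALLOWED]


# Constructed sample: TLS 1.2 ServerHello, cipher suite 0xC02F, three extensions.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x41"               # record header, 65-byte fragment
    + b"\x02\x00\x00\x3d"                 # handshake header: ServerHello, 61 bytes
    + b"\x03\x03" + bytes(32) + b"\x00"   # version, random (zeros), empty session id
    + b"\xc0\x2f\x00" + b"\x00\x15"       # cipher suite, no compression, 21 bytes of extensions
    + b"\x00\x0b\x00\x02\x01\x00"         # ec_point_formats: uncompressed
    + b"\x00\x0a\x00\x06\x00\x04\x00\x17\x00\x18"  # supported_groups: secp256r1, secp384r1
    + b"\xff\x01\x00\x01\x00"             # renegotiation_info: empty
)
```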
Regarding "java - JDK 11 SSL error on a valid certificate (works in previous versions)", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52016415/