1. 首页
  2. 问答
  3. 坏SSL握手泽西

坏SSL握手泽西

2014-10-16 108 views
0

鉴于这种球衣初始化代码:坏SSL握手泽西

boolean clientMode = false, 
      needClientAuth = true, 
      wantClientAuth = true; 
    SSLContext sslcconf = SSLContext.getDefault(); 
    SSLEngineConfigurator ssleconf = new SSLEngineConfigurator(sslcconf, clientMode, needClientAuth, wantClientAuth); 
    boolean secure = true, 
      start = true; 
    ResourceConfig resconf = new ResourceConfig(classes); 
    HttpServer server = GrizzlyHttpServerFactory.createHttpServer(
     new URI("https://localhost:8080"), 
     resconf, secure, ssleconf, start);

的所有客户端试图连接到该服务器抛出通用SSL握手错误。特别是:

$ openssl s_client -debug -msg -connect localhost:8080 
CONNECTED(00000003) 
write to 0xa024118 [0xa024b48] (118 bytes => 118 (0x76)) 
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 .t....K... ..9.. 
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............ 
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../....... 
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................ 
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @............... 
0050 - 00 00 03 02 00 80 bf 3e-48 68 ef c9 6f aa 65 88 .......>Hh..o.e. 
0060 - 86 e7 eb 77 e9 be 3c 69-67 0b 3c ae 3a dc 69 5f ...w..<ig.<.:.i_ 
0070 - ad c0 c4 93 61 ce         ....a. 
>>> SSL 2.0 [length 0074], CLIENT-HELLO 
    01 03 01 00 4b 00 00 00 20 00 00 39 00 00 38 00 
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 
    33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04 
    01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00 
    00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00 
    03 02 00 80 bf 3e 48 68 ef c9 6f aa 65 88 86 e7 
    eb 77 e9 be 3c 69 67 0b 3c ae 3a dc 69 5f ad c0 
    c4 93 61 ce 
read from 0xa024118 [0xa02a0a8] (7 bytes => 0 (0x0)) 
21856:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

具有良好的请求到不同的服务器比较:

CONNECTED(00000003) 
write to 0xa024138 [0xa024b48] (118 bytes => 118 (0x76)) 
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 .t....K... ..9.. 
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............ 
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../....... 
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................ 
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @............... 
0050 - 00 00 03 02 00 80 b1 33-32 65 f0 53 60 2d aa 85 .......32e.S`-.. 
0060 - b1 5c 19 1f f2 5b 8b 1a-2d 8a ed 8f c0 79 f7 72 .\...[..-....y.r 
0070 - 9c 31 b3 ec 39 b5         .1..9. 
>>> SSL 2.0 [length 0074], CLIENT-HELLO 
    01 03 01 00 4b 00 00 00 20 00 00 39 00 00 38 00 
    00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 
    33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04 
    01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00 
    00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00 
    03 02 00 80 b1 33 32 65 f0 53 60 2d aa 85 b1 5c 
    19 1f f2 5b 8b 1a 2d 8a ed 8f c0 79 f7 72 9c 31 
    b3 ec 39 b5 
read from 0xa024138 [0xa02a0a8] (7 bytes => 7 (0x7)) 
0000 - 16 03 01 00 4a 02         ....J. 
0007 - <SPACES/NULS> 
...

编辑:

boolean clientMode = false, 
      needClientAuth = true, 
      wantClientAuth = true; 
    SSLContextConfigurator sslcconf = new SSLContextConfigurator(); 
    sslcconf.setSecurityProtocol("TLSv1.2"); 
    SSLEngineConfigurator ssleconf = new SSLEngineConfigurator(sslcconf, clientMode, needClientAuth, wantClientAuth); 
    ssleconf.setEnabledProtocols(new String[] { "TLSv1.2" }); 
    ssleconf.setEnabledCipherSuites(new String[] { 
      "TLS_RSA_WITH_AES_128_CBC_SHA256", 
      "TLS_RSA_WITH_AES_256_CBC_SHA256", 
      "TLS_RSA_WITH_AES_128_GCM_SHA256", 
      "TLS_RSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" 
    }); 

    // SSLContext sslcconf = SSLContext.getDefault(); 
    boolean secure = true, 
      start = true; 
    ResourceConfig resconf = new ResourceConfig(classes); 
    HttpServer server = GrizzlyHttpServerFactory.createHttpServer(
     new URI("https://localhost:8080"), 
     resconf, secure, ssleconf, start);

来源

2014-10-16 Reinderien

+0

尝试在s_client中使用-ssl2选项。如果可行,你应该知道sslv2有很多问题。 – Khanna111 2014-12-01 19:31:33

回答

0

这实际上是这样的:尽管明确的密码下产生类似的结果一个OpenSSL问题。您连接的服务器是否禁用了SSLv3? 您需要检查在该客户端上运行的OpenSSL的版本。如果安装了0.9.x分支,则默认上下文不包括TLS,即使该库可以支持TLS。在上面发布的代码中,默认情况下是默认情况下,而不是指定自己的情况,所以在这种情况下,在远程禁用SSLv3时,您将无法连接。

你这里有几个选择,如果这是真的:

  1. 遥控器上启用SSLv3的(不这样做)
  2. 更新您的客户端上的1.x的OpenSSL的分支,它应该有一个更现代的默认上下文
  3. 更改您的代码以修改您的上下文并明确定义您的密码字符串。

来源

2014-10-16 20:11:59

+0

请参阅更新的问题。谢谢。 – Reinderien 2014-10-16 20:47:45

+0

我已经明确添加了密码列表,但似乎没有改变行为。 – Reinderien 2014-10-17 16:00:36

0

对不起奇怪的问题,但是你配置了SSLContextConfigurator的Keystore(有正确的密码等)吗?

如果您忘记这么做或者从密钥库中不能获取密钥(由于配置错误或错误),将使用“SSL_NULL_WITH_NULL_NULL”作为密码,然后您将得到“无共同密码套件”和握手失败。

来源

2014-12-01 19:17:59 Grigory

相关问题

 相关问题