1. 首页
  2. 问答
  3. 错误javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

错误javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

2016-06-07 105 views
2

我想打电话给使用Spring RestTemplate POST REST调用:错误javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure

HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); 

RestTemplate restTemplate = new RestTemplate(requestFactory); 

HttpHeaders headers = new HttpHeaders(); 

headers.setContentType(MediaType.APPLICATION_XML); 

HttpEntity<GetBalanceHistoryRequest> request1 = new  HttpEntity<GetBalanceHistoryRequest>(request, headers); 
String result = restTemplate.postForObject("https://server.com/getBalance", request1, String.class);

https://server.com有一个证书:webapi.tartu-x86.p12 我将证书导入到C:\ Java_8 \ JRE \ lib \ security中\ cacerts中usinf密钥工具

运行我的代码后,我收到以下错误:

SLF4J: Actual binding is of type [ch.qos.logback.classic.util.ContextSelectorStaticBinder] 
trustStore is: C:\Java_8\jre\lib\security\cacerts 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
    Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US 
    Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US 
    Algorithm: RSA; Serial number: 0xc3517 
    Valid from Mon Jun 21 07:00:00 IDT 1999 until Mon Jun 22 07:00:00 IDT 2020 

adding as trusted cert: 
    Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US 
    Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US 
.... 
.... 

** Finished 
verify_data: { 31, 64, 180, 145, 192, 1, 180, 119, 86, 70, 247, 140 } 
*** 
[write] MD5 and SHA1 hashes: len = 16 
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C [email protected] 
Padded plaintext before ENCRYPTION: len = 48 
0000: 14 00 00 0C 1F 40 B4 91 C0 01 B4 77 56 46 F7 8C [email protected] 
0010: 3F 56 B1 14 65 F3 18 C6 B3 98 D3 50 65 AC 74 1A ?V..e......Pe.t. 
0020: 48 11 50 C0 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B H.P............. 
main, WRITE: TLSv1 Handshake, length = 48 
[Raw write]: length = 53 
0000: 16 03 01 00 30 B6 A0 43 3D 91 3A C1 F6 34 F5 73 ....0..C=.:..4.s 
0010: 54 A7 1A 46 84 42 1A DC 0D 4D B9 4A C1 3F CB A6 T..F.B...M.J.?.. 
0020: 57 C6 5D DF C4 1D 62 22 92 FB 1F 3E F1 05 0C 5C W.]...b"...>...\ 
0030: 56 9E 9B 02 2D          V...- 
[Raw read]: length = 5 
0000: 15 03 01 00 02          ..... 
[Raw read]: length = 2 
0000: 02 28            .(
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1 ALERT: fatal, handshake_failure 
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received     fatal alert: handshake_failure 
main, called close() 
main, called closeInternal(true)

我正在使用Java 1.8.0_91

任何人都可以在这里帮忙吗?

来源

2016-06-07 Yosefarr

回答

1

handshake_failure java的SSL问题的原因通常是这些:

  • 不兼容的密码套件:客户端必须使用服务器启用了加密套件
  • SSL/TLS的不兼容的版本:客户端必须确保它使用兼容版本。例如,服务器可能会强制在java7中默认未启用的TLS1.2(您的情况不是这样)
  • 服务器证书的信任路径不完整:服务器证书可能不受客户端信任。通常,修复方法是将服务器证书链导入到客户端信任库中。
  • 错误的服务器配置,如颁发给不同域或证书链的证书不完整。在这种情况下的解决方法是在服务器部分

在你的情况似乎已选定的TLSv1时默认使用java8 TLSv1.2工作,所以有可能是服务器没有更新,最新版本。

我建议调试协议消息ClientHello和ServerHello以观察套件中选定的协议和密码。

-Djavax.net.debug=ssl

你也可以检查SSLLabs

来源

2016-06-10 18:27:46 pedrofb

+0

感谢您的重播,我怎么能告诉java使用TLSv1? – Yosefarr

+0

默认情况下,java8将使用TLSv1.2,但如果它不可用,它将使用TLSv1.1或TLSv1。如果连接选择TLSv1,这是因为服务器不支持TLSv1.2或者没有共同的密码 – pedrofb

0

您的服务器的状态我有同样的问题,我解决了这个办法:

1 - 将您的P12文件到Java密钥存储文件(.jks扩展名),并在您的项目的资源文件夹:

keytool -importkeystore -srckeystore <pfxfilename.pfx> -srcstoretype pkcs12 -destkeystore <jks-filename.jks> -deststoretype JKS

2 - 实现一个要求在工厂中使用您JKS文件:

RestTemplate restTemplate = new RestTemplate(); 

ClientHttpRequestFactory requestFactory = null; 
try { 
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
    keyStore.load(
      this.getClass().getClassLoader().getResourceAsStream("jks-filename.jks"), //put your .jks file name here. 
      "password".toCharArray()); //the .jks file password. 

    SSLConnectionSocketFactory socketFactory = 
      new SSLConnectionSocketFactory(
        new SSLContextBuilder() 
        .loadTrustMaterial(null, new TrustSelfSignedStrategy()) 
        .loadKeyMaterial(keyStore, "password".toCharArray()).build()); //the .jks file password again... 

    HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build(); 
    requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient); 

} catch (Exception e) { 
    e.printStackTrace(); 
} 

restTemplate.setRequestFactory(requestFactory);

3 - 您可能需要将Apache Httpclient添加到您的项目中。在Gradle项目中,添加:

compile ("org.apache.httpcomponents:httpclient")

准备就绪!

另一种快速的解决方案是刚刚产生的JKS文件,并将文件和密码作为JVM参数:

-Djavax.net.ssl.keyStore=/absolute/file/location/java/application/keystore.jks 
-Djavax.net.ssl.keyStorePassword=jkspassword

或将在一个Java类的静态块:

System.setProperty("javax.net.ssl.keyStore", "/absolute/file/location/java/application/keystore.jks"); 
System.setProperty("javax.net.ssl.keyStorePassword", "jkspassword");

来源

2016-07-22 22:55:35 ntroccoli

相关问题

 相关问题