Question:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

张高澹
2023-03-14

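I am using Tomcat 7.065 and APR 1.1.33 on a Linux server with Java 1.7.0_67.

For years, my application has happily connected to a third-party site over SSL. The third party issued a new certificate. The third-party site is: https://its.changehealthcare.com/

I downloaded the .cer file and did a keytool import: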

$JAVA_HOME/bin/keytool -import -trustcacerts -keystore cacerts  -noprompt -file path\to\certificate.cer

When I do a keytool list, I get:

Owner: CN=its.changehealthcare.com, OU=COMODO EV SSL, OU=Web Operations, O=Change Healthcare Inc, STREET=3055 Lebanon Pike, L=Nashville, ST=TN, OID.2.5.4.17=37221, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4237148
  DNSName: its.changehealthcare.com
  DNSName: www.its.changehealthcare.com

But I continue to get an SSL handshake error.

My Tomcat SSL configuration looks like this:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100"  maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="mycert.crt"
           SSLCertificateKeyFile="mykey.key"
           SSLCertificateChainFile="gd_bundle-g2-g1.crt"
           keyAlias="tomcat"
           SSLCipherSuite="ALL:!ADH:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT:!DHE:!EDH:!ECDH"
           compression="on" compressableMimeType="text/xml"
           SSLHonorCipherOrder="true"
/>

I am baffled. Any insight is appreciated. Here is the complete readout of the debug error:

INFO: Server startup in 26519 ms
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib/java/jdk1.7.0_67/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore


adding as trusted cert:
  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
  Algorithm: RSA; Serial number: 0x4eb200670c035d4f
  Valid from Wed Oct 25 03:36:00 CDT 2006 until Sat Oct 25 03:36:00 CDT 2036

******THERE ARE LIKE 20 of these but I could fit it inside the character limit so just the first and last are shown
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
adding as trusted cert:
****THERE ARE LIKE 30 of these but I could fit it inside the character limit so just the first and last are shown**

adding as trusted cert:
  Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Issuer:  CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
  Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
  Valid from Thu Jan 12 08:38:43 CST 2006 until Wed Dec 31 16:59:59 CST 2025

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-apr-8443-exec-1, setSoTimeout(25000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1458500800 bytes = { 168, 201, 205, 79, 149, 19, 79, 199, 46, 252, 11, 245, 12, 118, 202, 82, 232, 228, 105, 152, 123, 244, 31, 152, 229, 163, 180, 208 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: its.changehealthcare.com]
***
[write] MD5 and SHA1 hashes:  len = 196
0000: 01 00 00 C0 03 01 57 EF   F5 C0 A8 C9 CD 4F 95 13  ......W......O..
0010: 4F C7 2E FC 0B F5 0C 76   CA 52 E8 E4 69 98 7B F4  O......v.R..i...
0020: 1F 98 E5 A3 B4 D0 00 00   38 C0 0A C0 14 00 35 C0  ........8.....5.
0030: 05 C0 0F 00 39 00 38 C0   09 C0 13 00 2F C0 04 C0  ....9.8...../...
0040: 0E 00 33 00 32 C0 07 C0   11 00 05 C0 02 C0 0C C0  ..3.2...........
0050: 08 C0 12 00 0A C0 03 C0   0D 00 16 00 13 00 04 00  ................
0060: FF 01 00 00 5F 00 0A 00   34 00 32 00 17 00 01 00  ...._...4.2.....
0070: 03 00 13 00 15 00 06 00   07 00 09 00 0A 00 18 00  ................
0080: 0B 00 0C 00 19 00 0D 00   0E 00 0F 00 10 00 11 00  ................
0090: 02 00 12 00 04 00 05 00   14 00 08 00 16 00 0B 00  ................
00A0: 02 01 00 00 00 00 1D 00   1B 00 00 18 69 74 73 2E  ............its.
00B0: 63 68 61 6E 67 65 68 65   61 6C 74 68 63 61 72 65  changehealthcare
00C0: 2E 63 6F 6D                                        .com
http-apr-8443-exec-1, WRITE: TLSv1 Handshake, length = 196
[Raw write]: length = 201
0000: 16 03 01 00 C4 01 00 00   C0 03 01 57 EF F5 C0 A8  ...........W....
0010: C9 CD 4F 95 13 4F C7 2E   FC 0B F5 0C 76 CA 52 E8  ..O..O......v.R.
0020: E4 69 98 7B F4 1F 98 E5   A3 B4 D0 00 00 38 C0 0A  .i...........8..
0030: C0 14 00 35 C0 05 C0 0F   00 39 00 38 C0 09 C0 13  ...5.....9.8....
0040: 00 2F C0 04 C0 0E 00 33   00 32 C0 07 C0 11 00 05  ./.....3.2......
0050: C0 02 C0 0C C0 08 C0 12   00 0A C0 03 C0 0D 00 16  ................
0060: 00 13 00 04 00 FF 01 00   00 5F 00 0A 00 34 00 32  ........._...4.2
0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
00A0: 00 16 00 0B 00 02 01 00   00 00 00 1D 00 1B 00 00  ................
00B0: 18 69 74 73 2E 63 68 61   6E 67 65 68 65 61 6C 74  .its.changehealt
00C0: 68 63 61 72 65 2E 63 6F   6D                       hcare.com
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
http-apr-8443-exec-1, READ: TLSv1 Alert, length = 2
http-apr-8443-exec-1, RECV TLSv1 ALERT:  fatal, handshake_failure
http-apr-8443-exec-1, called closeSocket()
http-apr-8443-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-apr-8443-exec-1, called close()
http-apr-8443-exec-1, called closeInternal(true)

1 answer

向子安
2023-03-14

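I downloaded the .cer file and did a keytool import … but I continue to get an SSL handshake error.

A handshake error from the server has nothing to do with the client's validation of the server certificate. So trusting the new certificate does not help to fix this error.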

ClientHello, TLSv1

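Your client sends only a TLS 1.0 request, although according to SSLLabs the server can only do TLS 1.2.

In this case it does not matter that the Tomcat server is configured for TLS 1.2, because the problem is that your TLS client cannot connect to the third-party server. For how to configure Java 7 to use TLS 1.2 on the client side, see "TLS 1.2 and TLS 1.1 enabled on Java 7".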
