SSL握手错误在JDK 11.0.6_10中,但在Java 8中正常工作。

huangapple go评论83阅读模式
英文:

SSLHandshake error in JDK 11.0.6_10 but works fine in Java8

问题

与 cacerts 文件进行比较并更新 JDK11,补充缺失的证书未能解决问题。
甚至尝试使用 -Djavax.net.ssl.trustStore 选项从 Java 8 加载 cacert 文件。

以下是错误,并且我正在使用 -Djavax.net.debug=ssl:handshake 参数。在从 Java 8 迁移到 JDK 11 时需要注意哪些特定问题吗?

javax.net.ssl|DEBUG|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.782 PDT|Alert.java:238|接收到警报消息 (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ERROR|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.797 PDT|TransportContext.java:312|致命错误 (HANDSHAKE_FAILURE):接收到致命警报:handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: 接收到致命警报:handshake_failure
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
        ...

以下是捕获的 Java 8 和 11 的 wireshark 信息 - 注意 Java 11 客户端连接中的以下差异。尽管使用了 tslv1.2,这里是否有任何重要问题?

扩展:psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: key_share (len=71)
                Type: key_share (51)
                Length: 71
                Key Share extension

Java 11 错误 - 它是否填充了服务器名称 (host-name)?

javax.net.ssl|INFO|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|AlpnExtension.java:161|没有可用的应用程序协议
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|忽略,上下文不可用的扩展:application_layer_protocol_negotiation
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|忽略,上下文不可用的扩展:cookie
...

javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.845 PDT|Alert.java:238|接收到警报消息 (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ERROR|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.861 PDT|TransportContext.java:312|致命错误 (HANDSHAKE_FAILURE):接收到致命警报:handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: 接收到致命警报:handshake_failure
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
        ...

以上是您提供的内容的翻译。如果您还有其他问题或需要进一步帮助,请随时问我。

英文:

Compared the cacerts file and updated the JDK11 with missing certs no help.
Even tried to load the cacert file from java8 using -Djavax.net.ssl.trustStore option.

Here is the error and I'm using the -Djavax.net.debug=ssl:handshake argument. Anything specific to keep in mind when moving from Java8 to JDK11?

javax.net.ssl|DEBUG|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.782 PDT|Alert.java:238|Received alert message (
"Alert": {
"level"      : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.797 PDT|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.okta.commons.http.httpclient.HttpClientRequestExecutor.executeRequest(HttpClientRequestExecutor.java:186)        at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147)
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120)
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:443)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$1(DefaultDataStore.java:196)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:208)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:177)
at com.okta.sdk.impl.client.DefaultClient.listUsers(DefaultClient.java:2244)
at org.sutterhealth.accountlinker.service.okta.OktaService.getUserByGuid(OktaService.java:104)
at org.sutterhealth.accountlinker.web.controller.ValidateController.validateAndRedirect(ValidateController.java:59)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:92)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)}
)
javax.net.ssl|DEBUG|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.797 PDT|SSLSocketImpl.java:1360|close the underlying socket
javax.net.ssl|DEBUG|1B|https-jsse-nio-443-exec-9|2020-09-10 12:57:42.797 PDT|SSLSocketImpl.java:1379|close the SSL connection (initiative)

Captured wireshark for both java8 and 11 - Noticed below difference in java11 client connect. Using tslv1.2 though, any significant issue here?

 Extension: psk_key_exchange_modes (len=2)
Type: psk_key_exchange_modes (45)
Length: 2
PSK Key Exchange Modes Length: 1
PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
Extension: key_share (len=71)
Type: key_share (51)
Length: 71
Key Share extension

Java 11 Error - It does populate the server name (host-name)???

javax.net.ssl|INFO|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|PreSharedKeyExtension.java:633|No session to resume.
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.814 PDT|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.829 PDT|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
"client version"      : "TLSv1.2",
"random"              : "4A 90 84 06 22 50 AA 16 13 00 5E E2 66 42 55 CF 18 C2 AB A9 39 97 17 C3 C3 C1 7F 47 7B 41 91 D3",
"session id"          : "AF 3A 8B 45 00 7B 4E 37 77 DD 7C F5 50 D7 90 8B 50 6B 0D 18 0B FB 3B 25 D4 5A 93 57 40 0A 87 15",
"cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions"          : [
"server_name (0)": {
type=host_name (0), value=xxxxxx.okta.com
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": secp256r1
"key_exchange": {
0000: 04 3B B3 A1 E8 30 E8 AA   5D 8D E1 C1 DB 07 75 1C  .;...0..].....u.
0010: D4 F6 48 29 31 B8 FC BD   A9 B1 56 86 57 99 76 7C  ..H)1.....V.W.v.
0020: A6 D0 62 56 AC BA D3 1A   29 09 2B 46 F6 0B CC A7  ..bV....).+F....
0030: E6 BE FB C3 C7 84 E2 6F   77 97 9F 27 FB 39 1C 8D  .......ow..'.9..
0040: 5C
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.845 PDT|Alert.java:238|Received alert message (
"Alert": {
"level"      : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|16|https-jsse-nio-443-exec-4|2020-09-14 09:27:29.861 PDT|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)

答案1

得分: 1

不是答案,但是对于评论来说太多了。

首先,j11确实加载了证书。日志已更改,j11及以上版本(也包括8u261及以上版本)默认情况下不再记录javax.net.debug=ssl等情况下的trustmanager活动。正如我之前评论的,您需要使用例如javax.net.debug=ssl:trustmanager,或者在这种情况下使用javax.net.debug=ssl:trustmanager:handshake,因为您也想看到这一部分。

但这不是证书/信任存储问题。首先,“Received ... handshake_failure”绝对不可能由本地验证的负面结果或错误引起。任何告诉您解决此症状需要处理或查看信任存储的人都不知道他们在说什么,正在浪费您的时间。其次,跟踪清楚地显示了在服务器甚至发送其证书之前/之外就发生了这种情况,根据宇宙因果关系,证书只能在发送/接收之后才能被检查。(这本身并不是瞬时发生的,但这是一个与此无关的不同情况。)

很多因素都可能导致握手失败,修复这个问题的最佳方法是从服务器日志中具体找出服务器不喜欢的是什么。通常情况下,这是解决问题的最好方法。

但如果您无法或不愿这样做,只能猜测。一个合理的猜测是,您的应用(更准确地说,是您JVM中的JSSE代表您的应用代码)未发送服务器名称指示(SNI)。您的j11+TLSv1.2情况下的日志应该会在您发布的部分之前几行显示Unable to indicate server nameIgnore, context unavailable extension: server_name。如今,由于虚拟主机特别是云端和/或共享托管以及第三方CDN的越来越普遍使用,许多服务器需要SNI,否则将拒绝连接。您没有展示足够的j8日志来确定它是否发送了SNI,尽管我不知道有任何情况下j8会发送而j11不会发送。(在使用Apache httpclient(您通过okta进行了操作)时,j7存在一些bug,而且我IRC上的一些j8更新在某些情况下也不会发送SNI,但我相当确定这些问题在8u202版本之后都得到了解决。)

英文:

Not an answer but too much for comments.

First, j11 IS loading the certificates. The logging changed and j11 up (also 8u261 up) no longer logs trustmanager activity by default if e.g. you use javax.net.debug=ssl. As I commented, you need to use e.g. javax.net.debug=ssl:trustmanager or in this case javax.net.debug=ssl:trustmanager:handshake since you also want to see that.

But this is not a certificate/truststore problem. First, "Received ... handshake_failure" CANNOT EVER be caused by a negative result or even bug in local validation. Anyone who tells you to work on or look at the truststore for this symptom doesn't know what they are talking about and is wasting your time. Second, the trace clearly shows it is happening before/without the server even sending its certificate, and due to the causality of the universe, the certificate can only be checked after it is sent/received. (Which itself is not instantaneous, but that's a different barrel of monkeys not relevant here.)

Lots of things can cause handshake_failure and the best way to fix this is to find out specifically what the server doesn't like, usually from its logs.

But if you can't or won't do that, you have to guess. One plausible guess is that you (more exactly, JSSE in your JVM on behalf of your application code) is not sending Server Name Indication (SNI). The log from your j11+TLSv1.2 case should have had Unable to indicate server name and Ignore, context unavailable extension: server_name a few lines before the part you posted. Nowadays with the increasingly common use of virtual hosts and especially cloud and/or shared hosting and third-party CDNs, many servers require SNI, and will reject connections without it. You don't show enough of the j8 log to determine if it does send SNI, although I'm not aware of any cases where j8 does and j11 doesn't. (There were bugs in j7 and IIRC some updates of j8 which did not send SNI in some cases, particularly when using Apache httpclient as you are doing via okta, but I'm pretty sure those were all fixed by 8u202.)

答案2

得分: 0

蓝盾是罪魁祸首。它被升级到了一个新版本,其中存在代理错误并阻止了SSL。一旦在蓝盾上禁用了SSL拦截,这个问题就得以解决。

英文:

Well the culprit was bluecoat. It was updated to a newer version which had a proxy bug and blocking SSL. Once SSL intercepts were disabled on bluecoat this started working.

huangapple
  • 本文由 发表于 2020年9月12日 02:59:06
  • 转载请务必保留本文链接:https://go.coder-hub.com/63852838.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定