请求开始时出现异常 - ClientAuth SSL
我有一个嵌入 Jetty 的应用程序。我想在 SSL 中使用客户端证书身份验证,并且当我启用它时;我在请求开始时收到以下异常。但此后请求得到了正确的满足。仅当从 IE 或 Chrome 访问时才会出现此异常。从 Firefox 访问时它不会出现。我们有自定义的 SSLConnector 扩展 SslSocketConnector。我正在尝试调试它;但想知道是否有任何特定的地方/代码可以开始检查。
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
更新:
我启用了 SSL 调试选项,并在 ServerHelloDone 消息之后立即读取时遇到此异常。我相信这是服务器发送其证书以及客户端证书请求的消息。我不确定第一次阅读时发生了什么。非常感谢任何帮助。
*** ClientHello, TLSv1
****
%% Created: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
*** Certificate chain
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
*** ServerHelloDone
WRITE: TLSv1 Handshake, length = 703
received EOFException: error
handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
更新: 将 JDK 更新到最新版本 23 并尝试启用/禁用这两个属性。仍然有同样的行为。
更多信息: 所有浏览器均启用 TLSv1 和 SSLv3。在未启用客户端身份验证的情况下,通信正常进行。通过客户端身份验证,我们总是在第一次握手时遇到异常,而下一次握手则正确完成并继续进行,没有异常。在服务器端使用jetty版本6.1.14
I have an application embedding Jetty. I would like to use client cert authentication in SSL and when I enable that; I am getting the following exception at start of request. But the request is getting served properly after that. This exception comes only when accessed from IE or Chrome. It does not come when accessed from Firefox. We have our custom SSLConnector extending SslSocketConnector. I am trying to debug it; but wanted to know if there is any specific place/code where I can start checking.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
Update:
I enabled SSL debug option and was getting this exception on a read immediately after the ServerHelloDone message. This is the message where server sends its cert along with request for client certificate i believe. I am not sure whats happening in first read. Any help is deeply appreciated.
*** ClientHello, TLSv1
****
%% Created: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
*** Certificate chain
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
*** ServerHelloDone
WRITE: TLSv1 Handshake, length = 703
received EOFException: error
handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Update:
Updated JDK to latest, 23 and tried with the two properties enabled/disabled. Still gettting the same behavior.
More info:
TLSv1 and SSLv3 are enabled in all browsers. The communication is happening properly without client-auth enabled. With client auth, always we get exception on first handshake and the next is getting properly done and proceeding without exceptions. Using jetty version 6.1.14 at server side
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我在 TLS/SSLv3 协商中遇到过类似的问题。
http://www.oracle.com/technetwork/java/javase /documentation/tlsreadme2-176330.html
如果仍然没有帮助,您可以尝试打开 SSL dedug,并查看握手过程。
-Djavax.net.debug=allI have seen issues like this with TLS/SSLv3 negotiation.
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
If that still doesn't help, you can try turning on SSL dedug, and taking a look at the handshaking.
-Djavax.net.debug=all当我不小心将非 ssl 端口放入 URL 但以 https 开头的 URL 时,我得到了这个信息。哦。
有时,最简单的解决方案就是我们忘记的!
I got this when I accidentally put the non-ssl port in the URL but started the URL with https. Doh.
Sometimes the simplest solutions are the ones that we forget!
试试最新的jdk。他们修复了 ssl 握手错误。 http://www.java.net/blogs/kumarjayanti/
Try the newest jdk. They fixed an ssl handshake bug. http://www.java.net/blogs/kumarjayanti/
我仍然认为这是 TLS/SSL 协商问题。
提供调试信息后,它显示您正在执行 TLSv1 握手。
您确定您的浏览器启用了 TLSv1 吗?
铬合金:
要在 Chrome 中启用 TLS 1.0,请执行以下操作:
IE:
Firefox:
然后您还提到:
您是否已将客户端证书安装到您正在测试的每个 Web 浏览器中?
确保您可以在没有相互/客户端身份验证的情况下让一切正常工作,然后一旦工作正常,将其添加回来。
I still think this is a TLS/SSL negotiation issue.
After you posed the debug info, it shows you are doing a TLSv1 Handshake.
Are you sure you have TLSv1 enabled in your browsers?
Chrome:
In order to enable TLS 1.0 in chrome do the following:
IE:
Firefox:
You then also mention that:
Have you installed the client certificate into each of the web browsers you are testing from?
Make sure you can get everything working without mutual/client authentication first, and then once its working, add it back in.