SSL握手异常
我正在使用 Apache HttpClient(4.0) 与 HTTP 服务器(配置了 SSL)进行通信。
服务器正在使用自签名证书。理想情况下,我希望 HttpClient 库的行为方式与浏览器相同,但经过一些谷歌搜索后,我明白我必须将证书导入到 JRE 密钥库(cacert)。尽管在 JRE 密钥库中安装了证书,但我仍然收到“SSLHandshake 异常”。
这是一个SSL日志,我不是这方面的专家,所以需要帮助来分析日志的内容。
trigger seeding of SecureRandom
done seeding SecureRandom
log4j:WARN No appenders could be found for logger (org.apache.http.impl.conn.SingleClientConnManager).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
main, setSoTimeout(0) called
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1328639128 bytes = { 1, 30, 97, 51, 147, 14, 89, 41, 43, 120, 56, 192, 4, 5, 113, 203, 165, 199, 153, 199, 137, 199, 98, 242, 166, 81, 208, 129 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 161
main, WRITE: SSLv2 client hello message, length = 146
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
这是我正在使用的代码片段。
DefaultHttpClient httpClient = new DefaultHttpClient();
X509HostnameVerifier verifier = new X509HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
@Override
public void verify(String arg0, String[] arg1, String[] arg2) throws SSLException {
}
@Override
public void verify(String arg0, X509Certificate arg1) throws SSLException {
}
@Override
public void verify(String arg0, SSLSocket arg1) throws IOException {
}
};
private static class DefaultTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1) throws java.security.cert.CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1) throws java.security.cert.CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(null, new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(sslContext);
SSLSocketFactory sf = new SSLSocketFactory(sslContext,verifier);
ClientConnectionManager ccm = httpClient.getConnectionManager();
SchemeRegistry sr = ccm.getSchemeRegistry();
sr.register(new Scheme("https", sf, 9002));
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
HttpParams params = new BasicHttpParams();
httpClient = new DefaultHttpClient(ccm, params);
I am using Apache HttpClient(4.0) to communicate with an HTTP server(SSL configured).
The server is using a self-signed certificate. Ideally I would love to have HttpClient library behave the same way as browsers, but after doing some google I understand that I will have to import the certificate to JRE keystore(cacert). Inspite of installing the certificate in JRE keystore, I am stil getting "SSLHandshake exception".
Here is a SSL log, I am not an expert in this area, so need help to analyse the contents of the log.
trigger seeding of SecureRandom
done seeding SecureRandom
log4j:WARN No appenders could be found for logger (org.apache.http.impl.conn.SingleClientConnManager).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
main, setSoTimeout(0) called
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1328639128 bytes = { 1, 30, 97, 51, 147, 14, 89, 41, 43, 120, 56, 192, 4, 5, 113, 203, 165, 199, 153, 199, 137, 199, 98, 242, 166, 81, 208, 129 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 161
main, WRITE: SSLv2 client hello message, length = 146
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
Here is the code snippet I am using.
DefaultHttpClient httpClient = new DefaultHttpClient();
X509HostnameVerifier verifier = new X509HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
@Override
public void verify(String arg0, String[] arg1, String[] arg2) throws SSLException {
}
@Override
public void verify(String arg0, X509Certificate arg1) throws SSLException {
}
@Override
public void verify(String arg0, SSLSocket arg1) throws IOException {
}
};
private static class DefaultTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1) throws java.security.cert.CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1) throws java.security.cert.CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(null, new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
SSLContext.setDefault(sslContext);
SSLSocketFactory sf = new SSLSocketFactory(sslContext,verifier);
ClientConnectionManager ccm = httpClient.getConnectionManager();
SchemeRegistry sr = ccm.getSchemeRegistry();
sr.register(new Scheme("https", sf, 9002));
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
HttpParams params = new BasicHttpParams();
httpClient = new DefaultHttpClient(ccm, params);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
日志中没有太多有用的信息。但是,为什么不尝试使用不同的 SSL 算法,例如“SSLv2”而不是 TLSv1 呢?
not a lot of useful info in the log. however why don't you try to use a different SSL algorithm like say "SSLv2" instead of TLSv1 ?