0
https 사이트에 연결하는 동안 예외가 발생하는 데 어려움을 겪고 있습니다. 내 코드는 자바이다. 그것은 내 노트북에서 양식을 작동하지만 내 리눅스 서버에서 아닙니다 그리고 나는 이것을 디버깅하는 방법을 잘 모르겠습니다.Tomcat 환경에서 javax.net.ssl.SSLHandshakeException 받기
SSL 인증서를 가져 와서 cacerts truststore로 가져 왔습니다.
자바 코드는 다음
System.setProperty("javax.net.debug", "ssl");
String cacerts_file = System.getProperty("java.home")
+ "/lib/security/cacerts".replace('/', File.separatorChar);
System.out.println(System.getProperty("javax.net.ssl.trustStore"));
System.out.println("cacerts_file: " + cacerts_file);
System.out.println(System.getProperty("javax.net.ssl.trustStore"));
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream in2 = new FileInputStream(cacerts_file);
ks.load(in2, "changeit".toCharArray());
System.out.println(ks.containsAlias("badoojira"));
Enumeration<String> lAliases = ks.aliases();
while (lAliases.hasMoreElements()) {
String lAlias = (String) lAliases.nextElement();
System.out.println(lAlias);
}
javax.net.ssl.KeyManagerFactory lKeyManagerFactory = javax.net.ssl.KeyManagerFactory
.getInstance("SunX509");
lKeyManagerFactory.init(ks, "changeit".toCharArray());
javax.net.ssl.SSLContext lSSLContext = javax.net.ssl.SSLContext.getInstance("TLS");
lSSLContext.init(lKeyManagerFactory.getKeyManagers(), null, null);
SSLSocketFactory lSSLSocketFactory = lSSLContext.getSocketFactory();
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(lSSLSocketFactory);
SSLSocket socket = (SSLSocket) lSSLSocketFactory
.createSocket("wiki.badoojira.com", 443);
String[] suites = socket.getSupportedCipherSuites();
socket.setEnabledCipherSuites(suites);
// start handshake
socket.startHandshake();
내가 키 스토어 명령을 사용하여 서버에서 확인한 그 System.getProperty를 가리키는 cacerts에 ("java.home") + "/ lib 디렉토리/보안/cacerts에"입니다 .replace ('/', File.separatorChar)는 "keystore -list"를 호출하여 실제 인증서를가집니다.
는 예외입니다 : (편집) 디버그 추적 당신의 도움에 대한
cacerts_file: /usr/lib64/jvm/java-1.7.0-sun-1.7.0/jre/lib/security/cacerts
default truststore: /usr/lib64/jvm/java-1.7.0-sun-1.7.0/jre/lib/security/cacerts
null
true
digicertassuredidrootca
trustcenterclass2caii
thawtepremiumserverca
certifjira.com <<-- My certificate
[Edited - removed all other default certificates aliases]
trustStore is: /usr/lib64/jvm/java-1.7.0-sun-1.7.0/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 08:36:00 UTC 2006 until Sat Oct 25 08:36:00 UTC 2036
adding as trusted cert:
Subject: [email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: [email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
Valid from Mon Jan 01 00:00:00 UTC 1996 until Fri Jan 01 23:59:59 UTC 2021
adding as trusted cert:
Subject: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: [email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x34a4fff630af4ca53c331742a1946675
Valid from Thu Aug 01 00:00:00 UTC 1996 until Fri Jan 01 23:59:59 UTC 2021
adding as trusted cert:
Subject: CN=*.certifjira.com, O=Trading Limited, L=London, ST=United Kingdom, C=GB
Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x62a8e5628239c977eab16142cf0e8e0f
Valid from Tue May 27 00:00:00 UTC 2014 until Thu May 28 23:59:59 UTC 2015
[Edited to remove default certificates]
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1415190323 bytes = { 8, 10, 86, 52, 89, 227, 192, 166, 138, 175, 232, 157, 182, 160, 237, 133, 188, 63, 103, 151, 97, 195, 110, 180, 183, 28, 103, 245 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 213
main, WRITE: SSLv2 client hello message, length = 227
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
많은 감사와
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1718)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:962)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1170)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1154)
at com.corp.GetStatusPage.oneMoreTest(GetStatusPage.java:105)
at com.corp.GetStatusPage.main(GetStatusPage.java:35)
.
즉각적인 단점은 없지만 시간이 지남에 따라 앱이 최신 버전이 될 수 있습니다. 예 : 문제가 내가 j6에 client = tomcat을 추측하고 언젠가 j8로 업그레이드되고 서버가 TLS1 이상을 구현하고 * 서버가 java 일 경우 v2hello를 거부하면 적어도 j7임을 나타냅니다. 서버에서) * 지원 * 1.1 및 1.2 - * 다음 * 더 새로운 프로토콜을 얻을 수 없습니다. SSL3 및 TLS1.0에 대한 공격이 이제 귀하의 앱과 관련 될 수도 실제로는 중요하지 않을 수도 있지만, 감사인 방화벽 등에서 여전히 중요 할 수 있습니다. ... –
... "futureproof"에'.getEnabledProtocols', * 만약''SSLv2Hello'가 존재하면 그것을 제거하고 (temp ArrayList를 사용하여) 그것을 설정하십시오.최소 * SSL3을 시행하지만 JVM이 최대 값을 늘리도록하십시오. –