Fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common on Spring Boot embedded Jetty server

nbnkbykc, posted on 2023-01-01 in Java

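I have a Spring Boot application containing a REST API that runs on embedded Jetty. I am trying to hit it from another Java application that runs on TLSv1, but I get the following error: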

Fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common on Spring Boot embedded Jetty server

I have checked the server certificate alias and it is configured correctly. On the client side, I get the following network debug log:

pool-2-thread-1, READ: TLSv1 Alert, length = 2  
pool-2-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure  
pool-2-thread-1, called closeSocket()  
pool-2-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

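It seems the client wants to connect with TLSv1, but the server (Spring Boot Jetty) wants to connect with TLSv1.2. I have tried to use TLSv1 on Jetty with the following configuration in the application.properties file: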

server.ssl.enabled=true
server.ssl.enabled-protocols=TLSv1
server.ssl.disabled-protocols=TLSv1.2
server.ssl.protocol=TLS
server.ssl.disabled-cipher-suites=

server.ssl.key-store-type=JKS  
server.ssl.keystore=keystore_path  
server.ssl.key-store-password=password  
server.ssl.key-alias=alias_name   
trust.store=truststore_path  
trust.store.password=password

But I guess they are not working. Please suggest. Below is the network debug log from the server side:

Using SSLEngineImpl.  
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384  
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA  
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  
Allow unsafe renegotiation: false  
Allow legacy hello messages: true  
Is initial handshake: true  
Is secure renegotiation: false  
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1  
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256  
qtp1209702763-21, READ: TLSv1 Handshake, length = 99  
*** ClientHello, TLSv1  
RandomCookie:  GMT: 1655547699 bytes = { 69, 195, 100, 100, 201, 189, 189, 25, 116, 218, 33,    41, 140, 98, 107, 251, 50, 103, 134, 198, 154, 224, 145, 4, 60, 133, 132, 131 }  
Session ID:  {}  
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]  
Compression Methods:  { 0 }  
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}  
Extension ec_point_formats, formats: [uncompressed]  
Unsupported extension type_23, data:  
***  
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]  
qtp1209702763-21, fatal error: 40: no cipher suites in common  
javax.net.ssl.SSLHandshakeException: no cipher suites in common  
%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]  
qtp1209702763-21, SEND TLSv1 ALERT:  fatal, description = handshake_failure  
qtp1209702763-21, WRITE: TLSv1 Alert, length = 2  
qtp1209702763-21, fatal: engine already closed.  Rethrowing  
 javax.net.ssl.SSLHandshakeException: no cipher suites in common  
qtp1209702763-21, called closeOutbound()  
qtp1209702763-21, closeOutboundInternal()
ttp71kqs #1

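TLSv1 is disabled by Java as well.
You have a lot more work to do on the Java side to enable the TLSv1 protocol (and the cipher suites that TLSv1 needs).
Simply not specifying disabled cipher suites on the Jetty side does not enable cipher suites that are already disabled on the Java side.
See https://www.java.com/en/jre-jdk-cryptoroadmap.html for the state of crypto on specific versions of Java.
Your choices in your server certificate (crypto used, bit lengths, etc.) will also affect your ability to use TLS/1.0 or TLS/1.1, as the modern browser recommendations are increasingly incompatible with the cipher suites that TLS/1.0 and TLS/1.1 require.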
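
As an added example (not part of the answer above and not Jetty or Spring Boot code), this small Java program checks what the answer describes: it prints the JVM-wide `jdk.tls.disabledAlgorithms` policy and intersects the cipher suites from the ClientHello in the question's server log with what a server-mode `SSLEngine` on the same JVM enables and supports. The class name `TlsServerCheck` and the helper `common` are hypothetical; it assumes it is run with the same Java installation as the server.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsServerCheck {
    // Suites offered in the ClientHello of the server-side log above
    // (TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a real suite).
    static final List<String> CLIENT_OFFERED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA");

    /** Returns the entries of 'offered' that also appear in 'enabled', in client order. */
    static List<String> common(List<String> offered, String[] enabled) {
        List<String> result = new ArrayList<>(offered);
        result.retainAll(Arrays.asList(enabled));
        return result;
    }

    public static void main(String[] args) throws Exception {
        // JVM-wide policy: protocols and algorithms listed here stay off
        // regardless of what the Jetty / Spring Boot configuration requests.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);          // default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);      // evaluate as a server, like Jetty

        System.out.println("supported protocols: "
            + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled protocols:   "
            + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("offered by client and enabled here:   "
            + common(CLIENT_OFFERED, engine.getEnabledCipherSuites()));
        System.out.println("offered by client and supported here: "
            + common(CLIENT_OFFERED, engine.getSupportedCipherSuites()));
    }
}
```

An empty "enabled here" list reproduces the "no cipher suites in common" condition from the log. A non-empty list is still not sufficient on its own: the server keystore must hold a key whose type (RSA, ECDSA or DSA) matches the authentication part of one of the common suites.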
