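We have a service that makes REST calls to the USPS address validation service. We recently upgraded to a new version of our e-commerce framework (Broadleaf Commerce), along with the associated Spring Boot and Java version updates. After the upgrade, we can no longer connect to the USPS service. It fails because the SSL handshake does not complete (it appears the change cipher request never gets a response). The existing production version of the code works as is.
The odd thing is that it works locally, and if I make a cURL request from the target server, it works. But when I make the call from the application on the target server, it does not complete the handshake.
I have been searching the internet and Stack Overflow for answers but have not found one that fixes my problem. Here are the troubleshooting steps I have followed so far:
1. I have tested the code locally and the USPS call works.
2. I have tested the server firewall/network by executing a cURL command from the server. It works as expected (TLS is negotiated correctly).
3. I dockerized the application to verify that the Java version and Java trust store certificates are consistent across environments. The dockerized application works on my local machine; it fails on the target machine with the same SSL handshake error.
4. I tested another REST call to another SSL-secured endpoint. It works fine. The differences between it and the USPS call are (1) the second endpoint is internal to our network, and (2) the internal endpoint uses TLS 1.2. USPS uses TLS 1.3. The application supports both according to the logs.
5. I tried forcing the TLS versions the JVM supports using the jdk.tls.client.protocols and https.protocols properties. This had no effect (as expected, since TLS 1.2 and 1.3 are the current defaults).
6. I have run Wireshark traces of both the cURL command and the application call. Wireshark shows cURL negotiating the handshake correctly. For the application, it appears the change cipher request never gets a reply.
7. I have verified with USPS that they are not blocking our IP or anything like that.
I don't know what else to test to determine the root cause. It doesn't appear to be code-related (the code works locally), and it doesn't appear to be server network/firewall-related (cURL works on the server).
What is left? What am I missing?
Error message: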
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://stg-secure.shippingapis.com/ShippingAPI.dll": Remote host terminated the handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
RestCall code:
    @Value("${usps.addressValidation.url}")
    private String url;

    private ResponseEntity<String> callUsps() {
        // Values substituted into the URI template held in `url`
        Map<String, String> uriVariables = new HashMap<>();
        uriVariables.put("userId", apiKey);
        // ... more variables ...
        ResponseEntity<String> response = restTemplate.postForEntity(url, null, String.class, uriVariables);
        return response;
    }
RestTemplate configuration:
    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory()); // HttpComponents added for debug logging purposes, originally it was stock rest template
        return restTemplate;
    }
Log output:
2023-03-09 20:43:39.007 DEBUG 1 --- [io-8080-exec-11] o.s.web.client.RestTemplate : HTTP POST https://stg-secure.shippingapis.com/ShippingAPI.dll?API=Verify&XML=%3CAddressValidateRequest%20USERID%3D%22<userId>%22%20PASSWORD%3D%22<password>%22%3E%3CRevision%3E1%3C/Revision%3E%3CAddress%20ID%3D%220%22%3E%3CAddress1%3E%3C/Address1%3E%3CAddress2%3E<Address>%3C/Address2%3E%3CCity%3E<City>%3C/City%3E%3CState%3E<State>%3C/State%3E%3CZip5%3E<Zip>%3C/Zip5%3E%3CZip4%3E%3C/Zip4%3E%3C/Address%3E%3C/AddressValidateRequest%3E
2023-03-09 20:43:39.007 DEBUG 1 --- [io-8080-exec-11] o.s.web.client.RestTemplate : Accept=[text/plain, application/xml, text/xml, application/json, application/x-jackson-smile, application/*+xml, application/*+json, */*]
2023-03-09 20:43:39.008 DEBUG 1 --- [io-8080-exec-11] o.a.h.client.protocol.RequestAddCookies : CookieSpec selected: default
2023-03-09 20:43:39.008 DEBUG 1 --- [io-8080-exec-11] o.a.h.client.protocol.RequestAuthCache : Auth cache not set in the context
2023-03-09 20:43:39.008 DEBUG 1 --- [io-8080-exec-11] h.i.c.PoolingHttpClientConnectionManager : Connection request: [route: {s}->https://stg-secure.shippingapis.com:443][total available: 1; route allocated: 0 of 5; total allocated: 1 of 10]
2023-03-09 20:43:39.008 DEBUG 1 --- [io-8080-exec-11] h.i.c.PoolingHttpClientConnectionManager : Connection leased: [id: 4][route: {s}->https://stg-secure.shippingapis.com:443][total available: 1; route allocated: 1 of 5; total allocated: 2 of 10]
2023-03-09 20:43:39.008 DEBUG 1 --- [io-8080-exec-11] o.a.http.impl.execchain.MainClientExec : Opening connection {s}->https://stg-secure.shippingapis.com:443
2023-03-09 20:43:39.047 DEBUG 1 --- [io-8080-exec-11] .i.c.DefaultHttpClientConnectionOperator : Connecting to stg-secure.shippingapis.com/72.21.81.70:443
2023-03-09 20:43:39.047 DEBUG 1 --- [io-8080-exec-11] o.a.h.c.ssl.SSLConnectionSocketFactory : Connecting socket to stg-secure.shippingapis.com/72.21.81.70:443 with timeout 0
2023-03-09 20:43:39.070 DEBUG 1 --- [io-8080-exec-11] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled protocols: [TLSv1.3, TLSv1.2]
2023-03-09 20:43:39.071 DEBUG 1 --- [io-8080-exec-11] o.a.h.c.ssl.SSLConnectionSocketFactory : Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2023-03-09 20:43:39.071 DEBUG 1 --- [io-8080-exec-11] o.a.h.c.ssl.SSLConnectionSocketFactory : Starting handshake
2023-03-09 20:44:19.722 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing expired connections
2023-03-09 20:44:19.722 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing connections idle longer than 50000 MILLISECONDS
2023-03-09 20:44:19.723 DEBUG 1 --- [nection evictor] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-1: Close connection
2023-03-09 20:44:19.723 DEBUG 1 --- [nection evictor] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-0: Close connection
2023-03-09 20:44:19.731 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing expired connections
2023-03-09 20:44:19.731 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing connections idle longer than 50000 MILLISECONDS
2023-03-09 20:44:25.397 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing expired connections
2023-03-09 20:44:25.397 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing connections idle longer than 50000 MILLISECONDS
2023-03-09 20:44:25.401 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing expired connections
2023-03-09 20:44:25.402 DEBUG 1 --- [nection evictor] h.i.c.PoolingHttpClientConnectionManager : Closing connections idle longer than 50000 MILLISECONDS
2023-03-09 20:44:39.520 DEBUG 1 --- [io-8080-exec-11] h.i.c.DefaultManagedHttpClientConnection : http-outgoing-4: Shutdown connection
2023-03-09 20:44:39.520 DEBUG 1 --- [io-8080-exec-11] o.a.http.impl.execchain.MainClientExec : Connection discarded
2023-03-09 20:44:39.520 DEBUG 1 --- [io-8080-exec-11] h.i.c.PoolingHttpClientConnectionManager : Connection released: [id: 4][route: {s}->https://stg-secure.shippingapis.com:443][total available: 1; route allocated: 0 of 5; total allocated: 1 of 10]
2023-03-09 20:44:39.521 ERROR 1 --- [io-8080-exec-11] b.c.b.s.v.a.AddressValidationServiceImpl : Exception while validating address.
2023-03-09 20:44:39.527 ERROR 1 --- [io-8080-exec-11] b.c.b.s.v.a.AddressValidationServiceImpl : Root exception:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://stg-secure.shippingapis.com/ShippingAPI.dll": Remote host terminated the handshake; nested exception is javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:732)
at org.springframework.web.client.RestTemplate.postForEntity(RestTemplate.java:477)
at company.commerce.broadleaf.wsclient.usps.service.UspsAddressValidationServiceClientImpl.callUsps(UspsAddressValidationServiceClientImpl.java:76)
at company.commerce.broadleaf.wsclient.usps.service.UspsAddressValidationServiceClientImpl.validateAddress(UspsAddressValidationServiceClientImpl.java:62)
at company.commerce.broadleaf.service.validation.address.AddressValidationServiceImpl.standardizeAddress(AddressValidationServiceImpl.java:85)
at company.commerce.broadleaf.controller.account.AddressVerificationController.validateShippingAddress(AddressVerificationController.java:40)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
...
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1697)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1515)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1417)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:66)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:776)
... 201 common frames omitted
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:489)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507)
... 220 common frames omitted
Wireshark output (failed call from the Java application):
No. Time Source Destination Protocol Length Info
1 0.000000 <Our IP> <USPS IP> TCP 74 49116 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2640145959 TSecr=0 WS=128
2 0.023028 <USPS IP> <Our IP> TCP 74 443 → 49116 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380 SACK_PERM TSval=3604861692 TSecr=2640145959 WS=512
3 0.023028 <Our IP> <USPS IP> TCP 66 49116 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2640145982 TSecr=3604861692
4 0.023836 <Our IP> <USPS IP> TLSv1.3 481 Client Hello
5 0.024180 <USPS IP> <Our IP> TCP 66 443 → 49116 [ACK] Seq=1 Ack=416 Win=32768 Len=0 TSval=3604861692 TSecr=2640145982
6 0.047150 <USPS IP> <Our IP> TLSv1.3 159 Hello Retry Request
7 0.047151 <USPS IP> <Our IP> TLSv1.3 72 Change Cipher Spec
8 0.047151 <Our IP> <USPS IP> TCP 66 49116 → 443 [ACK] Seq=416 Ack=94 Win=64256 Len=0 TSval=2640146006 TSecr=3604861715
9 0.047175 <Our IP> <USPS IP> TCP 66 49116 → 443 [ACK] Seq=416 Ack=100 Win=64256 Len=0 TSval=2640146006 TSecr=3604861715
10 0.048275 <Our IP> <USPS IP> TLSv1.3 514 Client Hello
11 0.048280 <USPS IP> <Our IP> TCP 66 443 → 49116 [ACK] Seq=100 Ack=864 Win=32256 Len=0 TSval=3604861716 TSecr=2640146007
Wireshark output (successful call from cURL):
No. Time Source Destination Protocol Length Info
1 0.000000 <Our IP> <USPS IP> TCP 74 58184 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3286965270 TSecr=0 WS=128
2 0.023011 <USPS IP> <Our IP> TCP 74 443 → 58184 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380 SACK_PERM TSval=401053718 TSecr=3286965270 WS=512
3 0.023011 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3286965293 TSecr=401053718
4 0.029806 <Our IP> <USPS IP> TLSv1.3 583 Client Hello
5 0.030079 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=1 Ack=518 Win=32768 Len=0 TSval=401053718 TSecr=3286965300
6 0.252624 <USPS IP> <Our IP> TLSv1.3 159 Hello Retry Request
7 0.252625 <USPS IP> <Our IP> TLSv1.3 72 Change Cipher Spec
8 0.252625 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=518 Ack=94 Win=64256 Len=0 TSval=3286965523 TSecr=401053941
9 0.252625 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=518 Ack=100 Win=64256 Len=0 TSval=3286965523 TSecr=401053941
10 0.252852 <Our IP> <USPS IP> TLSv1.3 589 Change Cipher Spec, Client Hello
11 0.252853 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=100 Ack=1041 Win=31744 Len=0 TSval=401053941 TSecr=3286965523
12 0.277201 <USPS IP> <Our IP> TLSv1.3 1434 Server Hello, Application Data
13 0.277203 <USPS IP> <Our IP> TCP 1434 443 → 58184 [PSH, ACK] Seq=1468 Ack=1041 Win=68096 Len=1368 TSval=401053972 TSecr=3286965523 [TCP segment of a reassembled PDU]
14 0.277269 <USPS IP> <Our IP> TLSv1.3 1354 Application Data, Application Data, Application Data
15 0.277271 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=1041 Ack=4124 Win=62592 Len=0 TSval=3286965547 TSecr=401053972
16 0.278039 <Our IP> <USPS IP> TLSv1.3 140 Application Data
17 0.278385 <Our IP> <USPS IP> TLSv1.3 112 Application Data
18 0.278385 <Our IP> <USPS IP> TLSv1.3 115 Application Data
19 0.278386 <Our IP> <USPS IP> TLSv1.3 101 Application Data
20 0.278386 <Our IP> <USPS IP> TLSv1.3 414 Application Data
21 0.300775 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=4124 Ack=1115 Win=68096 Len=0 TSval=401053996 TSecr=3286965548
22 0.300776 <USPS IP> <Our IP> TLSv1.3 321 Application Data
23 0.300776 <USPS IP> <Our IP> TLSv1.3 321 Application Data
24 0.300777 <USPS IP> <Our IP> TLSv1.3 162 Application Data, Application Data
25 0.300828 <Our IP> <USPS IP> TLSv1.3 97 Application Data
26 0.301368 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=4730 Ack=1593 Win=69120 Len=0 TSval=401053997 TSecr=3286965548
27 0.301724 <USPS IP> <Our IP> TLSv1.3 97 Application Data
28 0.343705 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=1624 Ack=4761 Win=64128 Len=0 TSval=3286965614 TSecr=401053997
29 0.364919 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=4761 Ack=1624 Win=69120 Len=0 TSval=401054060 TSecr=3286965571
30 0.365596 <USPS IP> <Our IP> TLSv1.3 849 Application Data, Application Data, Application Data
31 0.365600 <Our IP> <USPS IP> TCP 66 58184 → 443 [ACK] Seq=1624 Ack=5544 Win=64128 Len=0 TSval=3286965636 TSecr=401054061
32 0.365952 <Our IP> <USPS IP> TLSv1.3 90 Application Data
33 0.366549 <Our IP> <USPS IP> TCP 66 58184 → 443 [FIN, ACK] Seq=1648 Ack=5544 Win=64128 Len=0 TSval=3286965637 TSecr=401054061
34 0.388421 <USPS IP> <Our IP> TCP 66 443 → 58184 [ACK] Seq=5544 Ack=1648 Win=69120 Len=0 TSval=401054084 TSecr=3286965636
35 0.388421 <USPS IP> <Our IP> TLSv1.3 90 Application Data
36 0.388421 <USPS IP> <Our IP> TCP 66 443 → 58184 [FIN, ACK] Seq=5568 Ack=1648 Win=69120 Len=0 TSval=401054084 TSecr=3286965636
37 0.388422 <Our IP> <USPS IP> TCP 60 58184 → 443 [RST] Seq=1648 Win=0 Len=0
38 0.388422 <Our IP> <USPS IP> TCP 60 58184 → 443 [RST] Seq=1648 Win=0 Len=0
39 80.823845 <Our IP> <USPS IP> TCP 74 58192 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3287046092 TSecr=0 WS=128
40 80.846555 <USPS IP> <Our IP> TCP 74 443 → 58192 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380 SACK_PERM TSval=472250826 TSecr=3287046092 WS=512
41 80.846556 <Our IP> <USPS IP> TCP 66 58192 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3287046115 TSecr=472250826
42 80.853620 <Our IP> <USPS IP> TLSv1.3 583 Client Hello
43 80.854172 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=1 Ack=518 Win=32768 Len=0 TSval=472250826 TSecr=3287046122
44 80.876813 <USPS IP> <Our IP> TLSv1.3 159 Hello Retry Request
45 80.876818 <Our IP> <USPS IP> TCP 66 58192 → 443 [ACK] Seq=518 Ack=94 Win=64256 Len=0 TSval=3287046145 TSecr=472250848
46 80.876818 <USPS IP> <Our IP> TLSv1.3 72 Change Cipher Spec
47 80.876818 <Our IP> <USPS IP> TCP 66 58192 → 443 [ACK] Seq=518 Ack=100 Win=64256 Len=0 TSval=3287046145 TSecr=472250848
48 80.877240 <Our IP> <USPS IP> TLSv1.3 589 Change Cipher Spec, Client Hello
49 80.877240 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=100 Ack=1041 Win=31744 Len=0 TSval=472250849 TSecr=3287046146
50 80.900887 <USPS IP> <Our IP> TLSv1.3 1434 Server Hello, Application Data
51 80.900888 <USPS IP> <Our IP> TCP 1434 443 → 58192 [PSH, ACK] Seq=1468 Ack=1041 Win=68096 Len=1368 TSval=472250881 TSecr=3287046145 [TCP segment of a reassembled PDU]
52 80.900888 <USPS IP> <Our IP> TLSv1.3 1354 Application Data, Application Data, Application Data
53 80.901181 <Our IP> <USPS IP> TCP 66 58192 → 443 [ACK] Seq=1041 Ack=4124 Win=62592 Len=0 TSval=3287046170 TSecr=472250881
54 80.902491 <Our IP> <USPS IP> TLSv1.3 140 Application Data
55 80.903307 <Our IP> <USPS IP> TLSv1.3 112 Application Data
56 80.903307 <Our IP> <USPS IP> TLSv1.3 115 Application Data
57 80.903495 <Our IP> <USPS IP> TLSv1.3 101 Application Data
58 80.903496 <Our IP> <USPS IP> TLSv1.3 414 Application Data
59 80.924618 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=4124 Ack=1115 Win=68096 Len=0 TSval=472250905 TSecr=3287046171
60 80.924630 <USPS IP> <Our IP> TLSv1.3 321 Application Data
61 80.924725 <USPS IP> <Our IP> TLSv1.3 321 Application Data
62 80.924725 <USPS IP> <Our IP> TLSv1.3 162 Application Data, Application Data
63 80.925401 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=4730 Ack=1210 Win=68096 Len=0 TSval=472250906 TSecr=3287046172
64 80.925401 <USPS IP> <Our IP> TLSv1.3 97 Application Data
65 80.925649 <Our IP> <USPS IP> TLSv1.3 97 Application Data
66 80.925817 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=4761 Ack=1593 Win=69120 Len=0 TSval=472250906 TSecr=3287046172
67 80.987738 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=4761 Ack=1624 Win=69120 Len=0 TSval=472250968 TSecr=3287046194
68 80.989877 <USPS IP> <Our IP> TLSv1.3 849 Application Data, Application Data, Application Data
69 80.992126 <Our IP> <USPS IP> TLSv1.3 90 Application Data
70 80.992648 <Our IP> <USPS IP> TCP 66 58192 → 443 [FIN, ACK] Seq=1648 Ack=5544 Win=64128 Len=0 TSval=3287046261 TSecr=472250970
71 81.014173 <USPS IP> <Our IP> TCP 66 443 → 58192 [ACK] Seq=5544 Ack=1648 Win=69120 Len=0 TSval=472250994 TSecr=3287046261
72 81.014173 <USPS IP> <Our IP> TLSv1.3 90 Application Data
73 81.014173 <USPS IP> <Our IP> TCP 66 443 → 58192 [FIN, ACK] Seq=5568 Ack=1648 Win=69120 Len=0 TSval=472250994 TSecr=3287046261
74 81.014313 <Our IP> <USPS IP> TCP 60 58192 → 443 [RST] Seq=1648 Win=0 Len=0
75 81.014314 <Our IP> <USPS IP> TCP 60 58192 → 443 [RST] Seq=1648 Win=0 Len=0
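1 Answer
qjp7pelc #1
Java 11 and TLS 1.3 have a history (see this and this, among others). I ended up restricting the application to use only TLS 1.2, and the problem was resolved. USPS is the only API we currently use that supports TLS 1.3, which is why it is the only call that failed.
Ultimately, this is not a satisfying answer (and is not accepted), because those issues are quite old (for older versions of Java 11), and there must be a version that works at this point.
Also, this explanation/solution does not square with the fact that the same Docker image works locally but not remotely (the Java / Spring Boot versions are the same). It also just kicks the can down the road until TLS 1.3 becomes mandatory. We plan to migrate to Java 17 by EoY, so hopefully support is better in that version of Java and the related dependencies.
If/when I find a more satisfying solution, I will update the answer (or accept a competing one).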
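The TLS 1.2 restriction described in this answer, scoped to a dedicated USPS client so that every other outbound call keeps offering TLS 1.3. This is an added example, not the poster's code. It assumes Apache HttpClient 4.x (the `org.apache.http` classes in the stack trace) and Spring 5; the class name, bean names and timeout values are hypothetical.

```java
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class OutboundTlsConfig { // hypothetical class name

    // Default client for all other calls: JVM defaults, so TLS 1.3 and
    // TLS 1.2 are both offered, as in the "Enabled protocols" log line.
    @Bean
    @Primary
    public RestTemplate restTemplate() {
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory());
    }

    // Client for the USPS endpoint only. Inject it with
    // @Qualifier("uspsRestTemplate") in the USPS service client.
    @Bean
    public RestTemplate uspsRestTemplate() {
        SSLConnectionSocketFactory tls12Only = new SSLConnectionSocketFactory(
                SSLContexts.createSystemDefault(),  // default trust store, honours javax.net.ssl.* properties
                new String[] {"TLSv1.2"},           // the only protocol version offered in the ClientHello
                null,                               // null keeps the default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // hostname verification stays on

        CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(tls12Only)
                .build();

        HttpComponentsClientHttpRequestFactory factory =
                new HttpComponentsClientHttpRequestFactory(client);
        // The log above shows "with timeout 0" (no limit). Explicit limits
        // (values assumed here) bound how long a stalled connection is held.
        factory.setConnectTimeout(5_000);
        factory.setReadTimeout(15_000);
        return new RestTemplate(factory);
    }
}
```

Unlike setting `jdk.tls.client.protocols` or `https.protocols`, which apply JVM-wide, this pins the protocol version for one client only, so the restriction can be removed on its own once the TLS 1.3 handshake to USPS works.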