RECV TLSv1 ALERT: fatal, handshake_failure
问题描述:在发送https请求的时候出现的握手失败,使用JDK1.7时连接时报 fatal, handshake_failure 使用JDK1.8能够正常连接。由于jdk只能使用1.7不能升级到1.8,故jdk升级行不通。
起初怀疑jdk1.7是使用的TLSv1 TLSv1.1 设置成1.2也没用
用过的方法
1.部分网友解释:是因为jdk中jce的安全机制导致报的错,要去oracle官网下载对应的jce包替换jdk中的jce包。
jce所在地址: %JAVA_HOME%\jre\lib\security里的local_policy.jar,US_export_policy.jar
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,SSLv3");
这些都不能解决问题
在连接之前加上 System.setProperty("javax.net.debug","ssl"); 设置个全局变量,使得Http对象打印出连接过程中的日志。
jdk1.8得到的日志
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1685065972 bytes = { 180, 167, 167, 30, 101, 36, 224, 182, 178, 1, 107, 69, 157, 193, 60, 134, 73, 82, 52, 43, 245, 157, 76, 224, 97, 13, 43, 240 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=]
***
main, WRITE: TLSv1.2 Handshake, length = 186
main, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie: GMT: 128395243 bytes = { 213, 74, 26, 241, 198, 201, 117, 36, 14, 30, 62, 71, 0, 3, 29, 120, 23, 113, 68, 153, 70, 49, 60, 120, 218, 84, 180, 221 }
Session ID: {217, 189, 132, 63, 91, 244, 112, 43, 66, 15, 89, 235, 122, 238, 181, 113, 43, 222, 161, 9, 207, 60, 40, 184, 143, 175, 110, 178, 22, 203, 95, 159}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 4001
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.csair.cn, O="China Southern Airlines Co., Ltd.", L=广州市, ST=广东省, C=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23794062191036910280077559575255559737611436304163502329853602936793768796250440016628733687458899014967262092675042930966652163251796754210369109327209373679016767247638826318268177343637263284991406976996220906427528186891321380783949063091643942094096514695881514872231471839270467340168246467601966189176896701714706127770542293128553985572071718355650072193944050254678989468845815730954682960614788570081584907810368245603964014586751431006016630984862318797880480336811754328666585324425280492613341146535634255636418272871437372845168357219661263764971768916749160541034043074434592506265425729031567102897101
public exponent: 65537
Validity: [From: Thu Apr 20 08:00:00 CST 2023,
To: Sat Apr 20 07:59:59 CST 2024]
Issuer: CN=DigiCert Basic RSA CN CA G2, O=DigiCert Inc, C=US
SerialNumber: [ 06061ef0 25270948 65fde6d8 3f44bb50]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6E 04 82 01 6A 01 68 00 76 00 76 FF 88 ...n...j.h.v.v..
0010: 3F 0A B6 FB 95 51 C2 61 CC F5 87 BA 34 B4 A4 CD ?....Q.a....4...
0020: BB 29 DC 68 42 0A 9F E6 67 4C 5A 3A 74 00 00 01 .).hB...gLZ:t...
0030: 87 9E 88 0C 4A 00 00 04 03 00 47 30 45 02 20 0A ....J.....G0E. .
0040: E9 0A 33 08 34 9A C7 D8 AE 71 BB 30 E8 29 1E B9 ..3.4....q.0.)..
0050: 40 C6 CE CE 31 B0 6B ED 6C 63 06 0A 2C 5E 98 02 @...1.k.lc..,^..
0060: 21 00 8E 33 F7 4F B5 62 F6 CA EB CB 17 9B 90 8C !..3.O.b........
0070: 19 D0 94 CA 4A 40 C6 DE CA DA 4E 42 B2 B1 0A 2B ....J@....NB...+
0080: 5F CB 00 76 00 73 D9 9E 89 1B 4C 96 78 A0 20 7D _..v.s....L.x. .
0090: 47 9D E6 B2 C6 1C D0 51 5E 71 19 2A 8C 6B 80 10 G......Q^q.*.k..
00A0: 7A C1 77 72 B5 00 00 01 87 9E 88 0C 63 00 00 04 z.wr........c...
00B0: 03 00 47 30 45 02 20 75 5C D2 6E 0D C4 84 F4 04 ..G0E. u\.n.....
00C0: 06 69 32 A3 AE D9 16 4C F7 C9 48 E3 74 57 20 1D .i2....L..H.tW .
00D0: 2E 68 BE B8 83 DA B8 02 21 00 DF 3D 3E EC C1 31 .h......!..=>..1
00E0: F5 B8 87 83 4E E6 FB 77 EF 8C 25 D9 20 34 89 4C ....N..w..%. 4.L
00F0: 47 8D 6A 04 D1 33 66 C7 8E 3D 00 76 00 48 B0 E3 G.j..3f..=.v.H..
0100: 6B DA A6 47 34 0F E5 6A 02 FA 9D 30 EB 1C 52 01 k..G4..j...0..R.
0110: CB 56 DD 2C 81 D9 BB BF AB 39 D8 84 73 00 00 01 .V.,.....9..s...
0120: 87 9E 88 0C 37 00 00 04 03 00 47 30 45 02 21 00 ....7.....G0E.!.
0130: 91 1E 99 D9 31 A3 E7 E1 01 E9 16 D9 8C A4 10 0D ....1...........
0140: EB 27 8C A4 CB 92 BD C5 43 DE FA 6B 1C A1 D5 D1 .'......C..k....
0150: 02 20 63 1C C8 77 06 23 84 1E 30 E1 B4 7A E2 D1 . c..w.#..0..z..
0160: 5D BD C2 8C 70 65 70 0D C3 6D 66 47 F1 17 1F CB ]...pep..mfG....
0170: 3A 9D :.
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.cn
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.cn/DigiCertBasicRSACNCAG2.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 06 BD A6 9B 60 79 50 31 BE D5 A9 02 4A A0 D0 95 ....`yP1....J...
0010: 53 8B 2F 34 S./4
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1B 68 74 74 70 3A 2F 2F 77 77 77 2E 64 69 67 ..http://www.dig
0010: 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 icert.com/CPS
]] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.csair.cn
DNSName: csair.cn
DNSName: *.csair.com
DNSName: csair.com
DNSName: *.csairgroup.cn
DNSName: csairgroup.cn
DNSName: *.tapd.csair.cn
DNSName: tapd.csair.cn
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E2 7C A1 B4 48 E5 D2 69 B4 84 2D D6 99 3B 8A DA ....H..i..-..;..
0010: A0 2C 86 EB .,..
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 4C C9 FD 6D 0D 5E DB C4 22 B8 B3 3A 2E 93 F7 4A L..m.^.."..:...J
0010: 3E 65 8D EC 72 C6 DF 17 43 E3 E6 A8 90 88 5E 57 >e..r...C.....^W
0020: 74 0F F3 05 53 6B 2A 11 DF 3F E8 8A 6F 84 D9 FB t...Sk*..?..o...
0030: 18 3F E2 E6 61 DB 16 98 60 59 A2 D5 FA B5 7F 3C .?..a...`Y.....<
0040: 92 03 95 E9 50 83 A1 25 D1 46 F7 EE 95 27 1A 54 ....P..%.F...'.T
0050: 9E F4 88 80 62 45 60 47 FF 2A DD 16 A5 B6 4F 62 ....bE`G.*....Ob
0060: 87 14 3E B1 AE 23 B7 67 4D 31 AB 27 DB 37 E5 11 ..>..#.gM1.'.7..
0070: 0E 27 1A 6D 4F 30 F6 E7 CB D5 38 88 4D A5 E5 37 .'.mO0....8.M..7
0080: F8 D7 9E AA C9 13 2F 4F 0E 78 99 6A 82 BE A7 38 ....../O.x.j...8
0090: D7 58 B9 0F 1E 02 E4 5A 46 E9 4F B0 8B EF EB 94 .X.....ZF.O.....
00A0: 26 39 75 62 3E 3F 3B C0 3C F6 0E AD 3E BB 8B D9 &9ub>?;.<...>...
00B0: B0 A5 0A 86 5E E2 60 42 0A CB CD B7 65 15 97 E4 ....^.`B....e...
00C0: D8 43 CE 0C D6 5C FB 93 CC 35 25 47 95 66 24 92 .C...\...5%G.f$.
00D0: 56 2C FC DE 8B 56 CB 9C 55 EF 19 BD AD 1F 2A 9E V,...V..U.....*.
00E0: 19 5B 20 F4 BF 75 12 1E 03 C2 7B 02 36 45 CB EA .[ ..u......6E..
00F0: EF 43 08 A9 F5 41 5B 43 66 74 07 1D FD 08 54 6E .C...A[Cft....Tn
]
chain [1] = [
[
Version: V3
Subject: CN=DigiCert Basic RSA CN CA G2, O=DigiCert Inc, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 24015833904671436252129024690912839989876015179925281629659019649897677425646607558788792948028960610010361377458639996078036666122341752294544060678867768847781731241906182127503008829873763635104554932538483543024022805849712830976542794107796859584831751710878229793818657621015598570757815477506798485430926068449537851581506738888191257092297977665705701061742214763073291370567714214863393014151811458507070877197626087296203511787679312943501759300507528811828328637546012540834630095033198508372464189229346371526459471686236652016790701347456262453189635296336439817740575197672464259860562262467493733567667
public exponent: 65537
Validity: [From: Wed Mar 04 20:04:07 CST 2020,
To: Mon Mar 04 20:04:07 CST 2030]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 02f7e1f9 82bad009 aff47dc9 5741b2f6]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.cn
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.digicert.cn/DigiCertGlobalRootCA.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 7E 0C 7C 41 6E 79 20 75 73 65 20 6F 66 20 74 0...Any use of t
0010: 68 69 73 20 43 65 72 74 69 66 69 63 61 74 65 20 his Certificate
0020: 63 6F 6E 73 74 69 74 75 74 65 73 20 61 63 63 65 constitutes acce
0030: 70 74 61 6E 63 65 20 6F 66 20 74 68 65 20 52 65 ptance of the Re
0040: 6C 79 69 6E 67 20 50 61 72 74 79 20 41 67 72 65 lying Party Agre
0050: 65 6D 65 6E 74 20 6C 6F 63 61 74 65 64 20 61 74 ement located at
0060: 20 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 67 https://www.dig
0070: 69 63 65 72 74 2E 63 6F 6D 2F 72 70 61 2D 75 61 icert.com/rpa-ua
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 06 BD A6 9B 60 79 50 31 BE D5 A9 02 4A A0 D0 95 ....`yP1....J...
0010: 53 8B 2F 34 S./4
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 0D 64 22 57 06 5E 94 07 62 12 52 C8 1F 9C 47 3B .d"W.^..b.R...G;
0010: 76 02 D0 33 95 FC BC 03 AA D7 19 4E E6 9D 9D EF v..3.......N....
0020: 42 35 4C 27 67 18 CF FE 44 0B 2B 94 7B D0 1F 98 B5L'g...D.+.....
0030: 72 1E AF BB CA A2 78 62 C9 E9 BC CF 06 1E 7F B6 r.....xb........
0040: 58 85 D5 80 5C DE 51 FF 68 D2 07 08 37 58 79 49 X...\.Q.h...7XyI
0050: 60 E8 A0 C5 C6 8D D4 B8 D8 C5 28 B2 E0 2C 4C 7D `.........(..,L.
0060: AB 79 E0 6E 34 BE 14 30 32 68 4F 0E 66 23 04 D1 .y.n4..02hO.f#..
0070: 1B 64 22 DF 3E F8 55 54 C9 BD 74 4F 25 82 4B F9 .d".>.UT..tO%.K.
0080: 2A D8 F4 77 51 1F 7F 36 60 40 17 2B 98 28 E1 A4 *..wQ..6`@.+.(..
0090: 4C 6A AB D7 63 F3 9B 4D F1 88 2F 4B 4A 2F 2D 4C Lj..c..M../KJ/-L
00A0: 83 9A 1A 59 AD 52 94 D4 E0 99 AA FE 80 4B 12 18 ...Y.R.......K..
00B0: BB 81 F0 B6 35 C9 1E EF 22 92 CC 09 B2 44 17 CD ....5..."....D..
00C0: D3 9C 27 2A C3 C8 40 35 12 62 1A 15 45 C9 10 7B ..'*..@5.b..E...
00D0: E5 40 EE 48 74 22 E6 BB DE 66 EA 5F CD F0 1F E8 .@.Ht"...f._....
00E0: E6 B2 00 49 39 36 37 A6 8C EB 83 E4 08 1E 5E F9 ...I967.......^.
00F0: F2 97 CD EB 3C E2 77 C0 0C 75 71 73 03 C5 C2 D4 ....<.w..uqs....
]
chain [2] = [
[
Version: V3
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 28559384442792876273280274398620578979733786817784174960112400169719065906301471912340204391164075730987771255281479191858503912379974443363319206013285922932969143082114108995903507302607372164107846395526169928849546930352778612946811335349917424469188917500996253619438384218721744278787164274625243781917237444202229339672234113350935948264576180342492691117960376023738627349150441152487120197333042448834154779966801277094070528166918968412433078879939664053044797116916260095055641583506170045241549105022323819314163625798834513544420165235412105694681616578431019525684868803389424296613694298865514217451303
public exponent: 65537
Validity: [From: Fri Nov 10 08:00:00 CST 2006,
To: Mon Nov 10 08:00:00 CST 2031]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 083be056 904246b1 a1756ac9 5991c74a]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: CB 9C 37 AA 48 13 12 0A FA DD 44 9C 4F 52 B0 F4 ..7.H.....D.OR..
0010: DF AE 04 F5 79 79 08 A3 24 18 FC 4B 2B 84 C0 2D ....yy..$..K+..-
0020: B9 D5 C7 FE F4 C1 1F 58 CB B8 6D 9C 7A 74 E7 98 .......X..m.zt..
0030: 29 AB 11 B5 E3 70 A0 A1 CD 4C 88 99 93 8C 91 70 )....p...L.....p
0040: E2 AB 0F 1C BE 93 A9 FF 63 D5 E4 07 60 D3 A3 BF ........c...`...
0050: 9D 5B 09 F1 D5 8E E3 53 F4 8E 63 FA 3F A7 DB B4 .[.....S..c.?...
0060: 66 DF 62 66 D6 D1 6E 41 8D F2 2D B5 EA 77 4A 9F f.bf..nA..-..wJ.
0070: 9D 58 E2 2B 59 C0 40 23 ED 2D 28 82 45 3E 79 54 .X.+Y.@#.-(.E>yT
0080: 92 26 98 E0 80 48 A8 37 EF F0 D6 79 60 16 DE AC .&...H.7...y`...
0090: E8 0E CD 6E AC 44 17 38 2F 49 DA E1 45 3E 2A B9 ...n.D.8/I..E>*.
00A0: 36 53 CF 3A 50 06 F7 2E E8 C4 57 49 6C 61 21 18 6S.:P.....WIla!.
00B0: D5 04 AD 78 3C 2C 3A 80 6B A7 EB AF 15 14 E9 D8 ...x<,:.k.......
00C0: 89 C1 B9 38 6C E2 91 6C 8A FF 64 B9 77 25 57 30 ...8l..l..d.w%W0
00D0: C0 1B 24 A3 E1 DC E9 DF 47 7C B5 B4 24 08 05 30 ..$.....G...$..0
00E0: EC 2D BD 0B BF 45 BF 50 B9 A9 F3 EB 98 01 12 AD .-...E.P........
00F0: C8 88 C6 98 34 5F 8D 0A 3C C6 E9 D5 95 95 6D DE ....4_..<.....m.
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 28559384442792876273280274398620578979733786817784174960112400169719065906301471912340204391164075730987771255281479191858503912379974443363319206013285922932969143082114108995903507302607372164107846395526169928849546930352778612946811335349917424469188917500996253619438384218721744278787164274625243781917237444202229339672234113350935948264576180342492691117960376023738627349150441152487120197333042448834154779966801277094070528166918968412433078879939664053044797116916260095055641583506170045241549105022323819314163625798834513544420165235412105694681616578431019525684868803389424296613694298865514217451303
public exponent: 65537
Validity: [From: Fri Nov 10 08:00:00 CST 2006,
To: Mon Nov 10 08:00:00 CST 2031]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 083be056 904246b1 a1756ac9 5991c74a]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: CB 9C 37 AA 48 13 12 0A FA DD 44 9C 4F 52 B0 F4 ..7.H.....D.OR..
0010: DF AE 04 F5 79 79 08 A3 24 18 FC 4B 2B 84 C0 2D ....yy..$..K+..-
0020: B9 D5 C7 FE F4 C1 1F 58 CB B8 6D 9C 7A 74 E7 98 .......X..m.zt..
0030: 29 AB 11 B5 E3 70 A0 A1 CD 4C 88 99 93 8C 91 70 )....p...L.....p
0040: E2 AB 0F 1C BE 93 A9 FF 63 D5 E4 07 60 D3 A3 BF ........c...`...
0050: 9D 5B 09 F1 D5 8E E3 53 F4 8E 63 FA 3F A7 DB B4 .[.....S..c.?...
0060: 66 DF 62 66 D6 D1 6E 41 8D F2 2D B5 EA 77 4A 9F f.bf..nA..-..wJ.
0070: 9D 58 E2 2B 59 C0 40 23 ED 2D 28 82 45 3E 79 54 .X.+Y.@#.-(.E>yT
0080: 92 26 98 E0 80 48 A8 37 EF F0 D6 79 60 16 DE AC .&...H.7...y`...
0090: E8 0E CD 6E AC 44 17 38 2F 49 DA E1 45 3E 2A B9 ...n.D.8/I..E>*.
00A0: 36 53 CF 3A 50 06 F7 2E E8 C4 57 49 6C 61 21 18 6S.:P.....WIla!.
00B0: D5 04 AD 78 3C 2C 3A 80 6B A7 EB AF 15 14 E9 D8 ...x<,:.k.......
00C0: 89 C1 B9 38 6C E2 91 6C 8A FF 64 B9 77 25 57 30 ...8l..l..d.w%W0
00D0: C0 1B 24 A3 E1 DC E9 DF 47 7C B5 B4 24 08 05 30 ..$.....G...$..0
00E0: EC 2D BD 0B BF 45 BF 50 B9 A9 F3 EB 98 01 12 AD .-...E.P........
00F0: C8 88 C6 98 34 5F 8D 0A 3C C6 E9 D5 95 95 6D DE ....4_..<.....m.
]
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 26083742763050795111353435260306152074280465361673391661171468586130247150830
public y coord: 24859181352039959123612508587176130494098692519318933817895276944220138020529
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 246, 150, 22, 179, 54, 196, 7, 16, 66, 27, 79, 159, 165, 126, 155, 239, 232, 44, 39, 215, 206, 130, 82, 199, 37, 177, 147, 111, 246, 27, 204, 85, 23, 32, 156, 168, 193, 119, 229, 151, 186, 80, 215, 26, 228, 99, 120, 71, 168, 171, 226, 224, 128, 155, 73, 118, 127, 119, 162, 209, 22, 19, 31, 54 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 39 9E DA 77 EC DD 6D 28 16 2D 14 AC 5D C8 3D A5 9..w..m(.-..].=.
0010: E8 5A 45 31 19 82 52 F6 70 72 B7 A8 3C 9D D3 EB .ZE1..R.pr..<...
CONNECTION KEYGEN:
Client Nonce:
0000: 64 70 11 F4 B4 A7 A7 1E 65 24 E0 B6 B2 01 6B 45 dp......e$....kE
0010: 9D C1 3C 86 49 52 34 2B F5 9D 4C E0 61 0D 2B F0 ..<.IR4+..L.a.+.
Server Nonce:
0000: 08 A7 28 EB D5 4A 1A F1 C6 C9 75 24 0E 1E 3E 47 ..(..J....u$..>G
0010: 00 03 1D 78 17 71 44 99 46 31 3C 78 DA 54 B4 DD ...x.qD.F1<x.T..
Master Secret:
0000: 8D 09 0D 79 42 0D 73 D8 BA C4 9F 6B 61 99 9C E9 ...yB.s....ka...
0010: 50 40 EB B3 CE 12 88 A8 75 12 BE AA 28 4B 23 AD P@......u...(K#.
0020: 76 FA 92 99 92 87 D6 54 9D D2 1F 31 EB 23 83 43 v......T...1.#.C
... no MAC keys used for this cipher
Client write key:
0000: F0 1F DC D5 0A 00 35 57 09 E8 0F 1D 92 CA 0C 4E ......5W.......N
Server write key:
0000: 19 7E 1D 58 65 27 C6 07 1C 0D 85 81 F7 D3 6C 12 ...Xe'........l.
Client write IV:
0000: 36 8D 2A 0A 6.*.
Server write IV:
0000: 9E F8 0D 68 ...h
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 244, 5, 255, 115, 2, 193, 173, 40, 158, 146, 78, 156 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: { 178, 122, 193, 234, 86, 196, 91, 182, 190, 122, 115, 220 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, setSoTimeout(20000) called
main, WRITE: TLSv1.2 Application Data, length = 561
main, READ: TLSv1.2 Application Data, length = 2582
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT: warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)
Process finished with exit code 0
jdk1.7得到的日志
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1685067020 bytes = { 90, 39, 242, 187, 139, 108, 50, 231, 227, 123, 130, 101, 172, 22, 245, 91, 218, 23, 252, 50, 15, 220, 193, 32, 226, 251, 254, 86 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name:
***
main, WRITE: TLSv1.2 Handshake, length = 218
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
Process finished with exit code 0
发现调用失败(javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure)
根据参考资料和问题描述,原因是在进行HTTPS请求时出现了javax.net.ssl.SSLHandshakeException异常,已经尝试了设置TLSv1.2和TLSv1.1协议以及添加System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,SSLv3"),但并没有解决问题。同时,升级JDK版本也不是一个可选的方案。解决方案是应用Bouncy Castle库中的TLSSocketConnectionFactory工厂类,将其作为SSLSocketFactory的实现,重写在HTTPS请求过程中所需的方法来实现TLSv1.2和TLSv1.1协议支持。代码和步骤如下:
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.54</version>
</dependency>
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
// overwrite all createSocket methods to make TLSv1.2 and TLSv1.1 protocols available
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
// implementation
}
@Override public String[] getDefaultCipherSuites() { return null; }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress host, int port) throws IOException { return null; }
@Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return null; }
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
// implementation
};
}
}
public static JSONObject send(String signData,String signURL,String requestMethod) {
URL myurl = null;
try {
myurl = new URL(signURL);
} catch (Exception e) {
e.printStackTrace();
}
HttpsURLConnection con = null;
try {
con = (HttpsURLConnection) myurl.openConnection();
con.setSSLSocketFactory(new TLSSocketConnectionFactory());
/*用于解决host name wrong问题,重写主机验证方法,如果请求正常可以去掉*/
con.setHostnameVerifier(new HostnameVerifier(){
public boolean verify(String hostname, SSLSession session) {
// TODO Auto-generated method stub
return true;
}
});
// set other required parameters for the HttpURLConnection
// ...
con.connect();
} catch (Exception e) {
e.printStackTrace();
}
// send the request body if requestMethod is POST
// ...
// receive the response and return it as a JSONObject
StringBuffer buffer = null;
try {
BufferedReader br = new BufferedReader(new InputStreamReader(con.getInputStream(), "utf-8"));
buffer=new StringBuffer();
String line=null;
while((line=br.readLine())!=null){
buffer.append(line);
}
br.close();
con.disconnect();
} catch (Exception ioex) {
ioex.printStackTrace();
}
return buffer!=null?JSONObject.parseObject(buffer.toString()):null;
}
public static void main(String[] args) {
JSONObject jsonObj = send(null, "https://devau33.cnooc.comss.cn/idp/oauth2/getToken?client_id=tmis&grant_type=authorization_code&client_secret=6c4cf0445ccd42ab8eaf63101e7a4602&code=122", "POST");
System.out.println(jsonObj.get("message"));
}