gpt4 book ai didi

javax.net.ssl.SSLHandshakeException : Received fatal alert: handshake_failure inside docker container

转载 作者:搜寻专家 更新时间:2023-11-01 03:56:22 26 4
gpt4 key购买 nike

我正在使用以下代码针对远程端点运行本地测试:

        URL url = new URL(remoteEndpointUrl);
String encoded = Base64.getEncoder().encodeToString((login + ":"+ password).getBytes("UTF-8")); //Java 8
conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("Authorization", "Basic "+encoded);
conn.setRequestMethod("DELETE");
conn.setRequestProperty("Accept", "application/json");
conn.setDoOutput(true);
conn.getResponseCode();

这在我的具有以下 Java 版本的 Mac OS 上完美运行

java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16,
mixed mode)

现在,如果我使用它并在使用 openjdk:8u151 图像(我也是从我的 Mac OS 启动)运行的 docker 容器中运行它,我最终会遇到以下异常:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:203)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:162)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)

显然,我的本地 TLS 默认设置与 docker 容器内的设置之间似乎没有任何区别。这是使用 -Djavax.net.debug=all 运行的调试输出:

本地输出:

    Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541229707 bytes = { 122, 255, 53, 110, 142, 33, 132, 23, 192, 232, 102, 11, 200, 33, 185, 187, 146, 150, 134, 215, 2, 72, 62, 10, 76, 46, 224, 66 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 198
0000: 01 00 00 C2 03 03 5C DD 4D 8B 7A FF 35 6E 8E 21 ......\.M.z.5n.!
0010: 84 17 C0 E8 66 0B C8 21 B9 BB 92 96 86 D7 02 48 ....f..!.......H
0020: 3E 0A 4C 2E E0 42 00 00 3A C0 23 C0 27 00 3C C0 >.L..B..:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
0060: 13 00 FF 01 00 00 5F 00 0A 00 16 00 14 00 17 00 ......_.........
0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
0080: 16 00 0B 00 02 01 00 00 0D 00 1C 00 1A 06 03 06 ................
0090: 01 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 ................
00A0: 02 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 ................
00B0: 73 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 example.com
00C0: 66 79 2E 63 6F 6D
main, WRITE: TLSv1.2 Handshake, length = 198
[Raw write]: length = 203
0000: 16 03 03 00 C6 01 00 00 C2 03 03 5C DD 4D 8B 7A ...........\.M.z
0010: FF 35 6E 8E 21 84 17 C0 E8 66 0B C8 21 B9 BB 92 .5n.!....f..!...
0020: 96 86 D7 02 48 3E 0A 4C 2E E0 42 00 00 3A C0 23 ....H>.L..B..:.#
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
0060: C0 0D 00 16 00 13 00 FF 01 00 00 5F 00 0A 00 16 ..........._....
0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 1C ................
0090: 00 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
00A0: 03 03 03 01 03 02 02 03 02 01 02 02 00 00 00 1B ................
00B0: 00 19 00 00 16 73 75 6D 69 74 64 65 76 2E 6D 79 .....example.com
[Raw read]: length = 5
0000: 16 03 03 00 57 ....W
[Raw read]: length = 87
0000: 02 00 00 53 03 03 5C DD 4D 8B A2 3C 5D 36 46 82 ...S..\.M..<]6F.
0010: BE 0E 5E DA 23 05 66 D5 1B AE 13 AA 8F 98 12 30 ..^.#.f........0
0020: DF 52 9C 28 AA 7B 20 43 4F 5E 40 8C B4 C4 1E 26 .R.(.. CO^@....&
0030: 4F 5D B8 3D 39 16 D5 56 41 9C B0 F8 D5 F4 2A 55 O].=9..VA.....*U
0040: B3 0A E9 A2 6F 9D 88 C0 2B 00 00 0B FF 01 00 01 ....o...+.......
0050: 00 00 0B 00 02 01 00 .......
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1541229707 bytes = { 162, 60, 93, 54, 70, 130, 190, 14, 94, 218, 35, 5, 102, 213, 27, 174, 19, 170, 143, 152, 18, 48, 223, 82, 156, 40, 170, 123 }
Session ID: {67, 79, 94, 64, 140, 180, 196, 30, 38, 79, 93, 184, 61, 57, 22, 213, 86, 65, 156, 176, 248, 213, 244, 42, 85, 179, 10, 233, 162, 111, 157, 136}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-4, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 87ere

内部 docker 容器输出:

    Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Test worker, setSoTimeout(0) called
Test worker, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541242532 bytes = { 118, 119, 70, 101, 0, 69, 160, 231, 254, 159, 164, 222, 99, 67, 81, 99, 102, 20, 11, 71, 1, 162, 231, 238, 141, 93, 75, 42 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 208
0000: 01 00 00 CC 03 03 5C DD 7F A4 76 77 46 65 00 45 ......\...vwFe.E
0010: A0 E7 FE 9F A4 DE 63 43 51 63 66 14 0B 47 01 A2 ......cCQcf..G..
0020: E7 EE 8D 5D 4B 2A 00 00 64 C0 24 C0 28 00 3D C0 ...]K*..d.$.(.=.
0030: 26 C0 2A 00 6B 00 6A C0 0A C0 14 00 35 C0 05 C0 &.*.k.j.....5...
0040: 0F 00 39 00 38 C0 23 C0 27 00 3C C0 25 C0 29 00 ..9.8.#.'.<.%.).
0050: 67 00 40 C0 09 C0 13 00 2F C0 04 C0 0E 00 33 00 g.@...../.....3.
0060: 32 C0 2C C0 2B C0 30 00 9D C0 2E C0 32 00 9F 00 2.,.+.0.....2...
0070: A3 C0 2F 00 9C C0 2D C0 31 00 9E 00 A2 C0 08 C0 ../...-.1.......
0080: 12 00 0A C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 ................
0090: 3F 00 0D 00 1C 00 1A 06 03 06 01 05 03 05 01 04 ?...............
00A0: 03 04 01 04 02 03 03 03 01 03 02 02 03 02 01 02 ................
00B0: 02 00 00 00 1B 00 19 00 00 16 73 75 6D 69 74 64 ..........
00C0: 65 76 2E 6D 79 73 68 6F 70 69 66 79 2E 63 6F 6D example.com
Test worker, WRITE: TLSv1.2 Handshake, length = 208
[Raw write]: length = 213
0000: 16 03 03 00 D0 01 00 00 CC 03 03 5C DD 7F A4 76 ...........\...v
0010: 77 46 65 00 45 A0 E7 FE 9F A4 DE 63 43 51 63 66 wFe.E......cCQcf
0020: 14 0B 47 01 A2 E7 EE 8D 5D 4B 2A 00 00 64 C0 24 ..G.....]K*..d.$
0030: C0 28 00 3D C0 26 C0 2A 00 6B 00 6A C0 0A C0 14 .(.=.&.*.k.j....
0040: 00 35 C0 05 C0 0F 00 39 00 38 C0 23 C0 27 00 3C .5.....9.8.#.'.<
0050: C0 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 .%.).g.@...../..
0060: C0 0E 00 33 00 32 C0 2C C0 2B C0 30 00 9D C0 2E ...3.2.,.+.0....
0070: C0 32 00 9F 00 A3 C0 2F 00 9C C0 2D C0 31 00 9E .2...../...-.1..
0080: 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 13 ................
0090: 00 FF 01 00 00 3F 00 0D 00 1C 00 1A 06 03 06 01 .....?..........
00A0: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 ................
00B0: 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 73 ...............s
00C0: 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 66 example.com
00D0: 79 2E 63 6F 6D
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
Test worker, READ: TLSv1.2 Alert, length = 2
Test worker, RECV TLSv1.2 ALERT: fatal, handshake_failure
Test worker, called closeSocket()
Test worker, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureere

现在,我尝试根据 https://www.petefreitag.com/item/844.cfm 将安全属性 crypto.policy 设置为 unlimited这应该可以轻松启用 JCE(Java 加密扩展),我从中获得了领先:https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https但它仍然失败。

我一直在与此作斗争,并且不知道该检查什么,因为两次执行都使用 TLSv1.2 作为 https 协议(protocol),并且都使用相同的密码套件,所以知道为什么它在 docker 中失败了吗?

非常感谢任何帮助,提前致谢

编辑:在我的 Mac 操作系统上使用 -Dcom.sun.net.ssl.enableECC=false 运行

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
main, the previous server name in SNI (type=host_name (0), value=example.com) was replaced with (type=host_name (0), value=example.com)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1541432023 bytes = { 91, 55, 180, 242, 51, 13, 227, 239, 109, 218, 210, 217, 65, 181, 16, 146, 251, 182, 30, 23, 156, 83, 207, 5, 80, 0, 133, 88 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=example.com]
***
[write] MD5 and SHA1 hashes: len = 134
0000: 01 00 00 82 03 03 5C E0 63 D7 5B 37 B4 F2 33 0D ......\.c.[7..3.
0010: E3 EF 6D DA D2 D9 41 B5 10 92 FB B6 1E 17 9C 53 ..m...A........S
0020: CF 05 50 00 85 58 00 00 1A 00 3C 00 67 00 40 00 ..P..X....<.g.@.
0030: 2F 00 33 00 32 00 9C 00 9E 00 A2 00 0A 00 16 00 /.3.2...........
0040: 13 00 FF 01 00 00 3F 00 0D 00 1C 00 1A 06 03 06 ......?.........
0050: 01 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 ................
0060: 02 02 03 02 01 02 02 00 00 00 1B 00 19 00 00 16 ................
0070: 73 75 6D 69 74 64 65 76 2E 6D 79 73 68 6F 70 69 example.com
0080: 66 79 2E 63 6F 6D
main, WRITE: TLSv1.2 Handshake, length = 134
[Raw write]: length = 139
0000: 16 03 03 00 86 01 00 00 82 03 03 5C E0 63 D7 5B ...........\.c.[
0010: 37 B4 F2 33 0D E3 EF 6D DA D2 D9 41 B5 10 92 FB 7..3...m...A....
0020: B6 1E 17 9C 53 CF 05 50 00 85 58 00 00 1A 00 3C ....S..P..X....<
0030: 00 67 00 40 00 2F 00 33 00 32 00 9C 00 9E 00 A2 .g.@./.3.2......
0040: 00 0A 00 16 00 13 00 FF 01 00 00 3F 00 0D 00 1C ...........?....
0050: 00 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
0060: 03 03 03 01 03 02 02 03 02 01 02 02 00 00 00 1B ................
0070: 00 19 00 00 16 73 75 6D 69 74 64 65 76 2E 6D 79 .....example.com
0080: 73 68 6F 70 69 66 79 2E 63 6F 6D
[Raw read]: length = 5
0000: 16 03 03 00 51 ....Q
[Raw read]: length = 81
0000: 02 00 00 4D 03 03 5C E0 63 DA 99 74 67 FF 71 48 ...M..\.c..tg.qH
0010: B5 9B 8F 63 A4 06 15 AE 1D E6 1B CA 27 C6 9C 85 ...c........'...
0020: B8 E8 40 03 89 54 20 29 3F 81 6A E8 E4 54 39 D7 ..@..T )?.j..T9.
0030: 5A 95 5B DD 7C 59 18 28 05 C2 49 75 22 2E 69 78 Z.[..Y.(..Iu".ix
0040: E1 1B 11 62 03 62 C0 00 9C 00 00 05 FF 01 00 01 ...b.b..........
0050: 00 .
main, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1541432026 bytes = { 153, 116, 103, 255, 113, 72, 181, 155, 143, 99, 164, 6, 21, 174, 29, 230, 27, 202, 39, 198, 156, 133, 184, 232, 64, 3, 137, 84 }
Session ID: {41, 63, 129, 106, 232, 228, 84, 57, 215, 90, 149, 91, 221, 124, 89, 24, 40, 5, 194, 73, 117, 34, 46, 105, 120, 225, 27, 17, 98, 3, 98, 192}
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-4, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 81

最佳答案

不完全是答案,但我希望它能有所帮助。

在第一种情况下,客户端发送了两个椭圆曲线扩展,但在第二种情况下则没有。我不知道这种不同行为的原因,但这可能以服务器无法继续运行而告终,因为无法找到通用的密码套件。

RFC 4492给出了 2 个理由,你不应该对缺少的扩展有任何问题:

  1. 如果缺少握手失败,则不会将其作为默认情况提及:

If a server does not understand the Supported Elliptic Curves
Extension, does not understand the Supported Point Formats Extension, or is unable to complete the ECC handshake while restricting itself
to the enumerated curves and point formats, it MUST NOT negotiate the use of an ECC cipher suite. Depending on what other cipher suites
are proposed by the client and supported by the server, this may
result in a fatal handshake failure alert due to the lack of common
cipher suites.

  1. 发送它们并不是强制性的,只是带有“应该”字样的更可取的行为:

A TLS client that proposes ECC cipher suites in its ClientHello
message SHOULD include these extensions.

这会导致客户端或服务器出现软件错误或安装错误(丢失文件、错误权限等)。

如果您使用 -Dcom.sun.net.ssl.enableECC=false 运行本地测试,会发生什么情况?

您可以比较 jre/lib 中所有目录的内容,以找到可能缺少的内容。

例如,您的 docker 客户端是否包含文件 libsunec.so

您端点上的 TLS 服务器是什么?它也被 jetty 化了吗?

至少 Release Notes for JDK 8没有提到任何可以解决的客户端问题。但恰恰相反,它提到了一个 jdk.tls.namedGroups(null) 问题已在 8u131 中解决。 ,错误 JDK-8173783它的重复错误很好地解释了 - JDK-8173960漏洞。这并不能解释为什么您会面临两种不同的行为,但也许它周围有些东西没有被提及(另一个丢失的文件而不是 sunec.jar 在错误中说,导致同样的问题)。从我的角度来看,客户端丢失的文件会导致服务器端错误(也由丢失的文件或简单的软件错误触发)。如果您找到解决方案,请告诉我们。

关于javax.net.ssl.SSLHandshakeException : Received fatal alert: handshake_failure inside docker container,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56190856/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com