- android - 多次调用 OnPrimaryClipChangedListener
- android - 无法更新 RecyclerView 中的 TextView 字段
- android.database.CursorIndexOutOfBoundsException : Index 0 requested, 光标大小为 0
- android - 使用 AppCompat 时,我们是否需要明确指定其 UI 组件(Spinner、EditText)颜色
“Java 1.7 TLS 1.1 服务器”和“Java 1.8 客户端”之间的 SSL/TLS 握手在我的环境中失败,服务器端出现以下异常:
java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
以下是我环境中服务器和客户端的详细信息:
服务器:
客户:
问题:
补充观察:
服务器端 SSL 调试日志:
TLS 1.1 Java 1.7u45 server + Java 1.8u25 TLS 1.2 disabled client - fails:
2014/11/28 15:03:38 | INFO | jvm 1 | *** ClientHello, TLSv1.1
2014/11/28 15:03:38 | INFO | jvm 1 | RandomCookie: GMT: 1417167224 bytes = { 55, 212, 126, 68, 49, 1, 205, 58, 112, 15, 1, 9, 38, 31, 58, 188, 229, 115, 10, 61, 249, 209, 98, 140, 149, 113, 149, 231 }
2014/11/28 15:03:38 | INFO | jvm 1 | Session ID: {84, 120, 65, 114, 3, 180, 96, 53, 232, 47, 28, 70, 58, 150, 117, 9, 169, 7, 94, 233, 94, 198, 136, 202, 240, 130, 18, 23, 89, 10, 220, 111}
2014/11/28 15:03:38 | INFO | jvm 1 | Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA]
2014/11/28 15:03:38 | INFO | jvm 1 | Compression Methods: { 0 }
2014/11/28 15:03:38 | INFO | jvm 1 | Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
2014/11/28 15:03:38 | INFO | jvm 1 | Extension ec_point_formats, formats: [uncompressed]
2014/11/28 15:03:38 | INFO | jvm 1 | Extension renegotiation_info, renegotiated_connection: <empty>
2014/11/28 15:03:38 | INFO | jvm 1 | ***
2014/11/28 15:03:38 | INFO | jvm 1 | %% Resuming [Session-135, TLS_RSA_WITH_AES_128_CBC_SHA]
2014/11/28 15:03:38 | INFO | jvm 1 | *** ServerHello, TLSv1.1
2014/11/28 15:03:38 | INFO | jvm 1 | RandomCookie: GMT: 1417167218 bytes = { 175, 0, 103, 107, 78, 20, 172, 204, 4, 196, 148, 153, 126, 87, 188, 255, 85, 219, 140, 39, 41, 136, 51, 33, 169, 31, 36, 150 }
2014/11/28 15:03:38 | INFO | jvm 1 | Session ID: {84, 120, 65, 114, 3, 180, 96, 53, 232, 47, 28, 70, 58, 150, 117, 9, 169, 7, 94, 233, 94, 198, 136, 202, 240, 130, 18, 23, 89, 10, 220, 111}
2014/11/28 15:03:38 | INFO | jvm 1 | Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
2014/11/28 15:03:38 | INFO | jvm 1 | Compression Method: 0
2014/11/28 15:03:38 | INFO | jvm 1 | Extension renegotiation_info, renegotiated_connection: <empty>
2014/11/28 15:03:38 | INFO | jvm 1 | ***
2014/11/28 15:03:38 | INFO | jvm 1 | Cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
2014/11/28 15:03:38 | INFO | jvm 1 | CONNECTION KEYGEN:
2014/11/28 15:03:38 | INFO | jvm 1 | Client Nonce:
2014/11/28 15:03:38 | INFO | jvm 1 | 0000: 54 78 41 78 37 D4 7E 44 31 01 CD 3A 70 0F 01 09 TxAx7..D1..:p...
2014/11/28 15:03:38 | INFO | jvm 1 | 0010: 26 1F 3A BC E5 73 0A 3D F9 D1 62 8C 95 71 95 E7 &.:..s.=..b..q..
2014/11/28 15:03:38 | INFO | jvm 1 | Server Nonce:
2014/11/28 15:03:38 | INFO | jvm 1 | 0000: 54 78 41 72 AF 00 67 6B 4E 14 AC CC 04 C4 94 99 TxAr..gkN.......
2014/11/28 15:03:38 | INFO | jvm 1 | 0010: 7E 57 BC FF 55 DB 8C 27 29 88 33 21 A9 1F 24 96 .W..U..').3!..$.
2014/11/28 15:03:38 | INFO | jvm 1 | Master Secret:
2014/11/28 15:03:38 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:38 | INFO | jvm 1 | Client MAC write Secret:
2014/11/28 15:03:38 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:38 | INFO | jvm 1 | Server MAC write Secret:
2014/11/28 15:03:38 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:38 | INFO | jvm 1 | Client write key:
2014/11/28 15:03:38 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:38 | INFO | jvm 1 | Server write key:
2014/11/28 15:03:38 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:38 | INFO | jvm 1 | ... no IV derived for this protocol
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-300, WRITE: TLSv1.1 Handshake, length = 81
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-300, WRITE: TLSv1.1 Change Cipher Spec, length = 1
2014/11/28 15:03:38 | INFO | jvm 1 | *** Finished
2014/11/28 15:03:38 | INFO | jvm 1 | verify_data: { 205, 73, 239, 162, 189, 111, 93, 112, 252, 191, 178, 72 }
2014/11/28 15:03:38 | INFO | jvm 1 | ***
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-300, WRITE: TLSv1.1 Handshake, length = 64
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-299, READ: TLSv1.1 Change Cipher Spec, length = 1
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-299, READ: TLSv1.1 Handshake, length = 64
2014/11/28 15:03:38 | INFO | jvm 1 | *** Finished
2014/11/28 15:03:38 | INFO | jvm 1 | verify_data: { 19, 183, 83, 202, 63, 74, 163, 0, 247, 151, 206, 20 }
2014/11/28 15:03:38 | INFO | jvm 1 | ***
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-299 - /AuthServices/auth/tokens, WRITE: TLSv1.1 Application Data, length = 184
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-299 - /AuthServices/auth/tokens, WRITE: TLSv1.1 Application Data, length = 2987
2014/11/28 15:03:38 | INFO | jvm 1 | qtp1981883520-299, WRITE: TLSv1.1 Application Data, length = 5
2014/11/28 15:03:38 | INFO | jvm 1 | Allow unsafe renegotiation: false
2014/11/28 15:03:38 | INFO | jvm 1 | Allow legacy hello messages: true
2014/11/28 15:03:38 | INFO | jvm 1 | Is initial handshake: true
2014/11/28 15:03:38 | INFO | jvm 1 | Is secure renegotiation: false
2014/11/28 15:03:38 | INFO | jvm 1 | Is secure renegotiation: false
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, READ: TLSv1.2 Handshake, length = 207
2014/11/28 15:03:43 | INFO | jvm 1 | *** ClientHello, TLSv1.2
2014/11/28 15:03:43 | INFO | jvm 1 | RandomCookie: GMT: 1417167229 bytes = { 209, 207, 128, 77, 244, 126, 201, 133, 122, 149, 46, 174, 146, 131, 232, 171, 236, 114, 188, 239, 89, 136, 179, 55, 42, 35, 10, 208 }
2014/11/28 15:03:43 | INFO | jvm 1 | Session ID: {}
2014/11/28 15:03:43 | INFO | jvm 1 | Session ID: {}
2014/11/28 15:03:43 | INFO | jvm 1 | Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2014/11/28 15:03:43 | INFO | jvm 1 | Compression Methods: { 0 }
2014/11/28 15:03:43 | INFO | jvm 1 | Compression Methods: { 0 }
2014/11/28 15:03:43 | INFO | jvm 1 | Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
2014/11/28 15:03:43 | INFO | jvm 1 | Extension ec_point_formats, formats: [uncompressed]
2014/11/28 15:03:43 | INFO | jvm 1 | Extension ec_point_formats, formats: [uncompressed]
2014/11/28 15:03:43 | INFO | jvm 1 | Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
2014/11/28 15:03:43 | INFO | jvm 1 | ***
2014/11/28 15:03:43 | INFO | jvm 1 | %% Initialized: [Session-136, SSL_NULL_WITH_NULL_NULL]
2014/11/28 15:03:43 | INFO | jvm 1 | %% Initialized: [Session-136, SSL_NULL_WITH_NULL_NULL]
2014/11/28 15:03:43 | INFO | jvm 1 | %% Negotiating: [Session-136, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
2014/11/28 15:03:43 | INFO | jvm 1 | *** ServerHello, TLSv1.2
2014/11/28 15:03:43 | INFO | jvm 1 | RandomCookie: GMT: 1417167223 bytes = { 117, 144, 129, 63, 132, 34, 26, 83, 118, 25, 122, 135, 116, 24, 242, 213, 196, 31, 25, 127, 155, 153, 6, 132, 244, 45, 21, 235 }
2014/11/28 15:03:43 | INFO | jvm 1 | RandomCookie: GMT: 1417167223 bytes = { 117, 144, 129, 63, 132, 34, 26, 83, 118, 25, 122, 135, 116, 24, 242, 213, 196, 31, 25, 127, 155, 153, 6, 132, 244, 45, 21, 235 }
2014/11/28 15:03:43 | INFO | jvm 1 | Session ID: {84, 120, 65, 119, 78, 220, 0, 216, 29, 255, 202, 86, 198, 210, 97, 121, 235, 184, 87, 232, 34, 43, 85, 29, 148, 43, 201, 241, 189, 70, 130, 185}
2014/11/28 15:03:43 | INFO | jvm 1 | Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2014/11/28 15:03:43 | INFO | jvm 1 | Compression Method: 0
2014/11/28 15:03:43 | INFO | jvm 1 | Extension renegotiation_info, renegotiated_connection: <empty>
2014/11/28 15:03:43 | INFO | jvm 1 | ***
2014/11/28 15:03:43 | INFO | jvm 1 | Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2014/11/28 15:03:43 | INFO | jvm 1 | *** Certificate chain
2014/11/28 15:03:43 | INFO | jvm 1 | chain [0] = [
2014/11/28 15:03:43 | INFO | jvm 1 | [
2014/11/28 15:03:43 | INFO | jvm 1 | Version: V3
2014/11/28 15:03:43 | INFO | jvm 1 | Subject: CN=dev-05.labs.blr.com, O=webserver
2014/11/28 15:03:43 | INFO | jvm 1 | Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
2014/11/28 15:03:43 | INFO | jvm 1 |
2014/11/28 15:03:43 | INFO | jvm 1 | Key: SunPKCS11-NSSfips RSA public key, 2048 bits (id 1, session object)
2014/11/28 15:03:43 | INFO | jvm 1 | Key: SunPKCS11-NSSfips RSA public key, 2048 bits (id 1, session object)
2014/11/28 15:03:43 | INFO | jvm 1 | modulus: 19751124565775544542661601941034719218747286997557229376272410409764009924174952830102822006739940996361158891315994655677031683410457285645708620145915789088144941408425439122384306771006790672852952487887077643219829713631271285091822690455402307000211724434432943370113476924425722411995320247744734057517566666508974254720742261526685687656494544221796453195966155694205640019924093341684193258103280171653517687458035087335731929833587535142452049552301009807817546366586239918288540321429443922231821575519420587811789981092934767950075857907111279056051594689275813767976468618202672668356345198890748632149983
2014/11/28 15:03:43 | INFO | jvm 1 | public exponent: 65537
2014/11/28 15:03:43 | INFO | jvm 1 | public exponent: 65537
2014/11/28 15:03:43 | INFO | jvm 1 | Validity: [From: Tue Nov 25 14:37:52 IST 2014,
2014/11/28 15:03:43 | INFO | jvm 1 | To: Thu Nov 01 14:37:52 IST 2114]
2014/11/28 15:03:43 | INFO | jvm 1 | Issuer: CN=dev-05.labs.blr.com, O=webserver
2014/11/28 15:03:43 | INFO | jvm 1 | SerialNumber: [ 0d54f951]
2014/11/28 15:03:43 | INFO | jvm 1 |
2014/11/28 15:03:43 | INFO | jvm 1 | Certificate Extensions: 1
2014/11/28 15:03:43 | INFO | jvm 1 | [1]: ObjectId: 2.5.29.14 Criticality=false
2014/11/28 15:03:43 | INFO | jvm 1 | SubjectKeyIdentifier [
2014/11/28 15:03:43 | INFO | jvm 1 | KeyIdentifier [
2014/11/28 15:03:43 | INFO | jvm 1 | 0000: 94 2D EB EF E8 04 5F 84 B2 BA F6 A5 C9 58 D3 79 .-...._......X.y
2014/11/28 15:03:43 | INFO | jvm 1 | 0010: 44 8F 40 07 D.@.
2014/11/28 15:03:43 | INFO | jvm 1 | ]
2014/11/28 15:03:43 | INFO | jvm 1 | ]
2014/11/28 15:03:43 | INFO | jvm 1 |
2014/11/28 15:03:43 | INFO | jvm 1 | ]
2014/11/28 15:03:43 | INFO | jvm 1 | Algorithm: [SHA256withRSA]
2014/11/28 15:03:43 | INFO | jvm 1 | Signature:
2014/11/28 15:03:43 | INFO | jvm 1 | 0000: 39 59 42 B8 26 F6 64 7E CA C1 33 7C 60 6A FC 80 9YB.&.d...3.`j..
2014/11/28 15:03:43 | INFO | jvm 1 | 0010: 5F AF 51 89 98 B7 AC 0C 27 DA A1 60 AD 5B 87 11 _.Q.....'..`.[..
2014/11/28 15:03:43 | INFO | jvm 1 | 0020: D8 95 E3 37 D2 CB E3 8A 6F CF 82 F3 4C AA B6 42 ...7....o...L..B
2014/11/28 15:03:43 | INFO | jvm 1 | 0030: F5 8B 67 0B D9 F2 3E FA FE 81 C5 77 78 47 E2 61 ..g...>....wxG.a
2014/11/28 15:03:43 | INFO | jvm 1 | 0040: 33 DC 97 CB FC 04 1D 99 18 84 C3 DC 28 8D 14 D7 3...........(...
2014/11/28 15:03:43 | INFO | jvm 1 | 0050: AF 71 1C E6 41 FC D1 71 CB C3 50 66 5E 28 AF EB .q..A..q..Pf^(..
2014/11/28 15:03:43 | INFO | jvm 1 | 0060: AF 80 52 CC 89 BE 0D 0B 58 1C CA 1C 34 36 BA 96 ..R.....X...46..
2014/11/28 15:03:43 | INFO | jvm 1 | 0070: F2 FE 18 73 6B F7 09 35 94 AC 8E CB F2 83 47 62 ...sk..5......Gb
2014/11/28 15:03:43 | INFO | jvm 1 | 0080: 20 FD 64 64 72 D6 89 D7 77 A7 D0 17 43 7E FF 44 .ddr...w...C..D
2014/11/28 15:03:43 | INFO | jvm 1 | 0090: 57 B5 1D 27 24 1D F5 87 86 E9 29 EF DE E7 D2 2E W..'$.....).....
2014/11/28 15:03:43 | INFO | jvm 1 | 00A0: 32 EE 3D 82 7C 53 7E 93 E9 5F 5E 9C 62 F5 31 C7 2.=..S..._^.b.1.
2014/11/28 15:03:43 | INFO | jvm 1 | 00B0: 9E 54 58 50 01 EE 58 18 81 6D 52 C0 EB CA CA 52 .TXP..X..mR....R
2014/11/28 15:03:43 | INFO | jvm 1 | 00C0: 26 CC 3C 9D E5 60 BE BE A1 E6 D5 79 66 F9 0C FD &.<..`.....yf...
2014/11/28 15:03:43 | INFO | jvm 1 | 00D0: BB 9E 36 E5 31 FC D4 68 8A 06 8D A0 0B 68 BA 2B ..6.1..h.....h.+
2014/11/28 15:03:43 | INFO | jvm 1 | 00E0: 1E AF 51 4A 6C BC 2D 7D B4 04 EA D6 DA 28 9B 64 ..QJl.-......(.d
2014/11/28 15:03:43 | INFO | jvm 1 | 00F0: F9 FF 35 7B E7 91 02 01 37 E7 C2 AA 8D 1E 48 22 ..5.....7.....H"
2014/11/28 15:03:43 | INFO | jvm 1 |
2014/11/28 15:03:43 | INFO | jvm 1 | ]
2014/11/28 15:03:43 | INFO | jvm 1 | ***
2014/11/28 15:03:43 | INFO | jvm 1 | *** ECDH ServerKeyExchange
2014/11/28 15:03:43 | INFO | jvm 1 | Signature Algorithm SHA512withRSA
2014/11/28 15:03:43 | INFO | jvm 1 | Server key: SunPKCS11-NSSfips EC public key, 256 bits (id 1668, session object)
2014/11/28 15:03:43 | INFO | jvm 1 | public x coord: 22811020849167726801730368600918463139597169803826118722525163464343792847845
2014/11/28 15:03:43 | INFO | jvm 1 | public y coord: 73886304187565809239631250457098470068449769526968865962213829575389354072377
2014/11/28 15:03:43 | INFO | jvm 1 | parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
2014/11/28 15:03:43 | INFO | jvm 1 | *** ServerHelloDone
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, WRITE: TLSv1.2 Handshake, length = 1237
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, READ: TLSv1.2 Handshake, length = 70
2014/11/28 15:03:43 | INFO | jvm 1 | *** ECDHClientKeyExchange
2014/11/28 15:03:43 | INFO | jvm 1 | ECDH Public value: { 4, 121, 116, 89, 85, 251, 91, 15, 91, 227, 244, 77, 243, 1, 197, 145, 33, 117, 182, 143, 76, 42, 19, 121, 131, 88, 88, 58, 225, 42, 50, 178, 100, 17, 18, 128, 220, 237, 192, 247, 67, 173, 13, 185, 114, 213, 250, 172, 58, 145, 158, 237, 115, 94, 129, 246, 254, 151, 126, 190, 182, 240, 45, 57, 62 }
2014/11/28 15:03:43 | INFO | jvm 1 | SESSION KEYGEN:
2014/11/28 15:03:43 | INFO | jvm 1 | PreMaster Secret:
2014/11/28 15:03:43 | INFO | jvm 1 | (key bytes not available)
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, handling exception: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | %% Invalidated: [Session-136, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, SEND TLSv1.2 ALERT: fatal, description = internal_error
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, WRITE: TLSv1.2 Alert, length = 2
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, called closeSocket()
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, IOException in getSession(): javax.net.ssl.SSLException: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
2014/11/28 15:03:43 | INFO | jvm 1 | Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
2014/11/28 15:03:43 | INFO | jvm 1 | Fri Nov 28 15:03:43 IST 2014|WARNING|Thread-601|ccs.comp.clientproxy.ProxiedClientListener$ProxyConnection.run
2014/11/28 15:03:43 | INFO | jvm 1 | Error processing requests from proxied client : unestablished
2014/11/28 15:03:43 | INFO | jvm 1 | Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips (java.security.ProviderException); Root cause: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips (java.security.NoSuchAlgorithmException)
2014/11/28 15:03:43 | INFO | jvm 1 | javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1476)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.AppInputStream.read(AppInputStream.java:92)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
2014/11/28 15:03:43 | INFO | jvm 1 | at java.io.DataInputStream.readByte(DataInputStream.java:265)
2014/11/28 15:03:43 | INFO | jvm 1 | at ccs.comp.clientproxy.ProxiedClientListener$ProxyConnection.getNext(ProxiedClientListener.java:438)
2014/11/28 15:03:43 | INFO | jvm 1 | at ccs.comp.clientproxy.ProxiedClientListener$ProxyConnection.run(ProxiedClientListener.java:245)
2014/11/28 15:03:43 | INFO | jvm 1 | Caused by: javax.net.ssl.SSLException: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1842)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1825)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1346)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2171)
2014/11/28 15:03:43 | INFO | jvm 1 | at ccs.comp.clientproxy.ProxiedClientListener.listen(ProxiedClientListener.java:126)
2014/11/28 15:03:43 | INFO | jvm 1 | at ccs.comp.clientproxy.ProxiedClientListener.run(ProxiedClientListener.java:105)
2014/11/28 15:03:43 | INFO | jvm 1 | Caused by: java.security.ProviderException: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1060)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
2014/11/28 15:03:43 | INFO | jvm 1 | ... 3 more
2014/11/28 15:03:43 | INFO | jvm 1 | Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12MasterSecret for provider SunPKCS11-NSSfips
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.jca.GetInstance.getService(GetInstance.java:100)
2014/11/28 15:03:43 | INFO | jvm 1 | at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
2014/11/28 15:03:43 | INFO | jvm 1 | at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
2014/11/28 15:03:43 | INFO | jvm 1 | at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
2014/11/28 15:03:43 | INFO | jvm 1 | ... 10 more
最佳答案
Since the server does not support TLS 1.2, I disabled TLS 1.2 on the client side.
I could not figure out why the handshake fails "even after" disabling TLS 1.2 on the client side. Can you please help me with this?
和:
...
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, WRITE: TLSv1.2 Alert, length = 2
2014/11/28 15:03:43 | INFO | jvm 1 | Thread-31, called closeSocket()
只是猜测,TLS 1.1 和更早版本中的 PRF(伪随机函数)使用 MD5(和 SHA1)。 TLS 1.2 PRF 使用 SHA2 系列 (IIRC)。该库可能对 MD5 过于热心。
这有点像试图怀孕一半。您如何在一个函数内部允许 MD5,但不允许在其他函数上使用它并仍然通过测试实验室的验证?
因此您应该尝试使用这些库并启用 TLS 1.2。
The client is a Java Swing based client application which is launched using Java Web Start.
我认为您应该执行的第一步是删除无法处理 TLS 1.2 的 Java 客户端,并验证服务器是否按预期工作。这将为您提供某种基准。
您可以使用以下 OpenSSL 命令测试启用了 TLS 1.2 的服务器:
openssl s_client -tls1_2 -connect www.example.com:443 -servername www.example.com
您还可以使用 -cipher
选项指定特定的密码。例如,TLS_RSA_WITH_AES_128_CBC_SHA
是 AES128-SHA
在 OpenSSL 中:
openssl s_client -tls1_2 -connect www.example.com:443 -servername www.example.com -cipher AES128-SHA
你甚至可以用类似的东西来 fecth 一个页面(注意 -ign_eof
的添加):
echo -e "GET / HTTP/1.1\r\nHost:www.example.com\r\n\r\n" | openssl s_client -ign_eof -tls1_2 -connect...
Java 在 Java 8 之前的 TLS 协议(protocol)和密码套件方面表现不佳。尽管可用,但 Java 7 默认不启用 TLS 1.1 和 1.2和更早。您需要明确启用它们。
此外,即使您不要求,Java 也会偷偷加入 SSLv3。要亲自查看,请尝试 SSLContext.getInstance("TLS")
并查看 SSLv3 是否是启用的协议(protocol):)
您可以在 Which Cipher Suites to enable for SSL Socket? 查看启用可用协议(protocol)和密码套件的示例
有趣的是,NIST 允许在 TLS 中使用 MD5 作为 PRF。但这是一个非常具体的异常(exception)。这是允许的,因为 PRF 不需要抗碰撞的特性——它只需要提取熵。
以下内容来自 NIST 的 SP 800-135 :
The outputs from both P_MD5 and P_SHA-1 are XOR ed together to producethe PRF output. This PRF is used as both a randomness extraction stepto generate the master secret and as a key expansion step to derivekeying material for the protocol from the master secret.
The TLS 1.0 and 1.1 KDF is approved when the following conditions aresatisfied:
(1) The TLS 1.0 and 1.1 KDF is performed in the context ofthe TLS protocol.
(2) SHA-1 and HMAC are as specified in FIPSs 180-3and 198-1, respectively.
关于security - 即使在客户端禁用 TLS 1.2 后,Java 1.8 客户端和以 FIPS 模式运行的 Java 1.7 TLS 1.1 服务器之间的 TLS 握手失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/27346039/
是否可以使用 OpenSSL 或其他工具通过 TLS 建立 TLS 连接? 如果可能,每个级别的证书是否需要不同? 最佳答案 这在理论上应该工作得很好,但我不能确定 OpenSSL 或其他东西是否会轻
在我的 java 代码中,我正在使用命令创建 SSL 上下文的一个实例 SSLContext ctx = SSLContext.getInstance("TLS"); 但是在我的 tomcat 服务器
在我的 java 代码中,我正在使用命令创建一个 SSL 上下文实例 SSLContext ctx = SSLContext.getInstance("TLS"); 但在我的 tomcat 服务器中,
范围:这是一个具有一个 channel 的网络,该 channel 由 3 个组织组成,每个组织 1 个 anchor 节点,每个组织 1 个 CA 和每个组织 1 个 MSP。 我在我的 Hyper
无法找到用于在 iis 上启用/禁用 tls 的特定设置。启用/禁用 ssl 是否与启用/禁用 tls 相同? 我浏览了一些博客,发现 SSL 是 TLS 的前身,旧版本的 SSL 已被弃用。但我无法
最近,我一直在为基于物联网的项目评估不同的 API 网关 (API GW) 选项。这样做的目的是找到一个足够好的解决方案来执行设备和 API GW 的相互 TLS (mTLS) 身份验证。 我尝试过的
几个月来,我的 Web 应用程序在不同版本的 IE/Firefox/Chrome 上运行良好。我的应用程序在 IIS 10.0 上运行。当我从 Windows 7 框 (IE 11.0.***) 中点
我有一个在 Java 7 上运行的 HTTPS 网络服务。我需要进行更改,以便此服务仅接受 TLS1.2 连接并拒绝 SSL3、TLS1.0 和 TLS1.1。 我添加了以下 Java 参数,使 TL
我在资源管理器不显示网站时遇到问题:“无法显示此页面。在高级设置中打开 TLS 1.0、TLS 1.1 和 TLS 1.2”。 我在 chrome 中调试了证书并说“连接是使用 aes_128_cbc
我正在与 5 个订购者、1 个组织和 2 个同行建立我的网络。还有 1 个 cli 和 1 个 ca。 我从 1 个排序者扩展到 5 个实现 Raft 的排序者。这就是为什么我想扩展我的网络并对多个对
当k8s集群开启了TLS认证后,每个节点的kubelet组件都要使用由kube-apiserver的CA签发的有效证书才能与kube-apiserver通信;当节点非常多的时候,为每个节点都单独签署证
我正在尝试使用 pjsip 安装中的 pjsua 程序在两个虚拟机之间进行安全调用。我通过以下方式在每个节点上启动程序: pjsua-x86_64-unknown-linux-gnu --use-tl
我开发的软件应用程序使用 gRPC 在客户端和服务器之间建立双向流。 我只在 java 中寻找类似于这张票的答案的东西:How to enable server side SSL for gRPC?
我正在尝试调试与 TLS 相关的问题。TLS 在两个应用程序客户端 A 和服务器 B 之间设置。A 和 B 都交换了证书,我已经验证证书具有正确的扩展名,并且还通过其根 CA 成功验证。叶证书的根 C
“Java 1.7 TLS 1.1 服务器”和“Java 1.8 客户端”之间的 SSL/TLS 握手在我的环境中失败,服务器端出现以下异常: java.security.NoSuchAlgorith
我正在尝试了解 Docker ,但我不断收到神秘的(对我而言)错误消息。 可能最简单的例子是尝试打印我安装的 Docker 版本: $ sudo docker version Client versi
这是我第一次使用 Amazon Lighsail、Wordpress Multisite、Bitnami甚至使用 Let's Encrypt;现在似乎一切正常,除了我的虚拟主机文件中的 SSL 指令。
我有一个 MariaDB "M"。在同一台机器上有一个应用程序“A”,它可以访问它。在不同的服务器上,另一个应用程序“B”也在访问它。 现在我想在 MariaDB 上启用 TLS 以保护连接 B ->
我正在寻找通过代理连接到一些 HTTPS/TLS 站点,其中到代理本身的连接也是通过 HTTPS/TLS 建立的,来自一个高度依赖请求的 python 应用程序。 urllib3(因此 request
现在我正在努力改变 EMQtt 和 Erlang MQTT 代理,以便我可以使用预共享 key 而不是非对称方法执行 TLS 握手。 到目前为止,我几乎遍历了源代码中的每个文件,但找不到任何加密函数。
我是一名优秀的程序员,十分优秀!