Java:SSL 身份验证/SSL 调试问题

Question

我目前正在尝试开发一个小型实用程序，用于将 http 请求发送到给定的 https url。我尝试通过将系统属性“java.net.debug”设置为“ssl”来进行调试。但是，我想知道是否有办法知道连接的另一端是谁。这很重要，这样我可能会发现我的问题是由于代理(我必须使用)还是目标本身引起的。这可能吗？

我很乐意提供有助于解决此问题可能需要的任何其他信息。 (这已经花了我很多时间，我非常希望在我身后看到它)

此外，我将在下面发布我的错误输出的摘录(尝试通过代理连接时带有“ssl”调试标志)。

感谢任何可能提供想法、技巧、资源等帮助的人。

Error output (extract):
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1315387357 bytes = { 204, 54, 224, 210, 62, 4, 115, 194, 63, 143, 61, 163, 43, 167, 63, 217, 104, 166, 123, 152, 32, 226, 42, 143, 191, 249, 183, 192 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 75
0000: 01 00 00 47 03 01 4E 67   38 DD CC 36 E0 D2 3E 04  ...G..Ng8..6..>.
0010: 73 C2 3F 8F 3D A3 2B A7   3F D9 68 A6 7B 98 20 E2  s.?.=.+.?.h... .
0020: 2A 8F BF F9 B7 C0 00 00   20 00 04 00 05 00 2F 00  *....... ...../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 00   FF 01 00                 ...........
main, WRITE: TLSv1 Handshake, length = 75
[write] MD5 and SHA1 hashes:  len = 101
0000: 01 03 01 00 3C 00 00 00   20 00 00 04 01 00 80 00  ....<... .......
0010: 00 05 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 00 00 FF 4E 67 38   DD CC 36 E0 D2 3E 04 73  .....Ng8..6..>.s
0050: C2 3F 8F 3D A3 2B A7 3F   D9 68 A6 7B 98 20 E2 2A  .?.=.+.?.h... .*
0060: 8F BF F9 B7 C0                                     .....
main, WRITE: SSLv2 client hello message, length = 101
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at <my.fqdn.class>.run(EisRequestResponseMonitor.java:193)
    at <my.fqdn.class>.main(EisRequestResponseMonitor.java:81)

更新:自从我发帖以来，我能够获得更多信息。我的问题似乎确实与代理有关。我收到一个 407 HTTP 代码，当我查看我的调试信息时我丢失了它(这个错误被写入日志，但我错过了它)。我正在使用 Apache 的 httpclient 组件(当前最新版本是 4.1.2)，现在我正在努力正确地“附加”我的凭据提供程序。我说“挣扎”是因为我找到的所有示例都是针对版本 3.x 的，并且 api 从那时起就发生了变化。

UPDATE.V2:好吧，经过更多的测试后，我发现我正在使用的机器无法像我被告知的那样访问代理。但是，此信息直接来自安全人员。除了他们，其他人都认为这是可能的。

Answer 1

非常奇怪的痕迹。正在写入 TLSv1 和 SSLv2 ClientHello 消息，而对等方肯定不接受后者，您可以通过从启用的协议(protocol)中删除 SSLv2ClientHello 来解决这个问题。但是为什么两者都有一个谜。