java - HttpClientBuilder 使用的是 TLSv1.2 而不是 TLSv1

Question

以下是创建Httpclient的代码。

        client =
            HttpClients.custom().setConnectionManager(connManager).setDefaultCredentialsProvider(provider)
                .setDefaultRequestConfig(config).setSslcontext(SSLContexts.custom().useProtocol("TLSv1").build()).build();

但是，每当基于此客户端的 resttemplate 发起 SSL 握手时，它都会在 TLSv1.2 中发生。以下是客户端的 SSL 调试日志。

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1431720225 bytes = { 14, 133, 24, 60, 189, 198, 176, 35, 186, 71, 229, 4, 43, 213, 142, 236, 141, 14, 104, 83, 202, 72, 243, 74, 244, 170, 247, 15 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: dev.*****.com]
***
main, WRITE: TLSv1.2 Handshake, length = 216
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()

服务器在 JDK5 上运行，TLSv1.2 是不可能的。

谁能阐明为什么 useProtocol("TLSv1") 被忽略？

类似的问题已经在 https://stackoverflow.com/questions/28619942/how-to-force-httpclient-4-3-to-use-the-tlsv1-and-not-the-tlsv1-2 中提出过, 但没有回答。

谢谢。

Answer 1

我不是 Java 专家，但这是我从文档中得到的:

• “TLSv1”是协议(protocol)组，包括TLS 1.0、TLS 1.1和TLS 1.2。
• 要将自己限制为仅使用 TLS 1.0，您必须禁用 TLS 1.1 和 TLS 1.2，请参阅 https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls

编辑:Java 似乎不支持 SSLv23 除此之外尝试使用 SSLv23 而不是 TLSv1 进行握手。如果服务器不支持这种最兼容的握手，那就是错误。