java - CalDAV 日历服务器 SSL 不工作

Question

我正在构建一个 java-ee 应用程序，它应该使用 SSL 连接到 iCal CalDAV 服务器。
每次我尝试连接到服务器时都会收到此错误。

javax.net.ssl.SSLException: Received fatal alert: bad_record_mac

使用其他工具它工作正常，即使在将证书导入信任库后使用 java 工具也是如此。

如果我尝试使用 TLS 进行连接，我会收到一条响应:服务器仅支持 SSLv3。这是我使用 openssl 工具调查 SSL 握手的方式

openssl s_client -host kalender.myserver.com -port 8443

这是我得到的:

CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.myserver.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
[[certificate]]
subject=/OU=Domain Control Validated/CN=*.myserver.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 3422 bytes and written 565 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 99D28660004D122D20657883562319F4F3063B1123AC882AD722B781EB13FF45
    Session-ID-ctx: 
    Master-Key: 6228C28941D81771C68F0FA5546491804081294A95F4A2BE19AC239CF47C24752AC350F54BAEDD3C8E4A7E1044B4B429
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1406820530
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

当我尝试

openssl s_client -tls1 -host kalender.myserver.com -port 8443

这出现并且连接失败:

CONNECTED(00000003)
139883471566496:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407752794
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

以下是我如何使用我发现的 Java 工具调查 SSL 握手 here .
我修改了它以便我可以使用另一个端口。
谷歌:
java HTTPSClient google.com --> 不抛出异常
在端口 8443 上连接到我的服务器:
SSLv3: 没有错误
TLSv1:javax.net.ssl.SSLHandshakeException:服务器选择了 SSLv3，但客户端未启用或不支持该协议(protocol)版本。
我得出的结论是服务器仅支持 SSLv3，因此我尝试使用 apache 提供的 HttpClient 让我的应用程序也这样做。但它似乎不兼容。这意味着我必须说我的应用程序也使用 SSLv3。那将在继承自 org.apache.commons.httpclient.HttpClient 的 org.osaf.caldav4j.methods.HttpClient 类中的某处。问题是，我找不到任何方法。
我试过了

System.setProperty("https.protocols", "SSLv3");

和

httpClient.getParams().setParameter("https.protocols", "SSLv3");

但两者都没有区别。我还尝试以某种方式将自定义 SSLSocketFactory 插入到 HTTPClient 中，但没有办法做到这一点。下面是构建 HTTPClient 的代码:

public HttpClient getHttpClient(String host, int port, String user, String password){        
    System.setProperty("https.protocols", "SSLv3");
    org.apache.commons.httpclient.HttpClient httpClient = new HttpClient();
    String protocol = "https";
    String baseDir = "/calendars/users/" + user + "/calendar/";
    httpClient.getHostConfiguration().setHost(host, port, protocol);
    Credentials httpCredentials = new UsernamePasswordCredentials(user, password);
    httpClient.getState().setCredentials(AuthScope.ANY, httpCredentials);
    httpClient.getParams().setAuthenticationPreemptive(true);
    httpClient.getParams().setParameter("https.protocols", "SSLv3");
    return (HttpClient) httpClient;
}

这是我尝试连接时得到的堆栈跟踪(我切断了 java-ee 内部的东西):

Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.webdav.lib.methods.HttpRequestBodyMethodBase.writeRequestBody(HttpRequestBodyMethodBase.java:235)
    at org.apache.webdav.lib.methods.XMLResponseMethodBase.writeRequestBody(XMLResponseMethodBase.java:303)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.osaf.caldav4j.methods.HttpClient.executeMethod(HttpClient.java:103)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
    at org.osaf.caldav4j.CalDAVCollection.getCalDAVResources(CalDAVCollection.java:1029)
    ... 86 more

Answer 1

一行代码解决问题。

System.setProperty("com.sun.net.ssl.rsaPreMasterSecretFix", "true");

如果我理解正确，我需要它来告诉 Java 使用 SSL/TLS 的最大支持版本，而不是其他一些奇怪的版本。可以查一下here .无论如何感谢您的帮助!