我正在开发一个 Java 应用程序,但无法创建与 API 的连接以进行集成。我遇到了握手失败,甚至不得不使用 wireshark 来抓取流量。我有点确信这是 TLS 版本问题。
我看到握手失败,协议显示 TLSv1,我猜这是问题所在。另外,如果我尝试使用 cURL 或 openSSL 连接到此 API,它会正常工作,并在 ClientHello 位的协议中显示 TLSv1.3。
但是,如果我查看 ClientHello 的详细信息,它显示 TlSv1.2 作为请求的协议,所以我不确定为什么这是一个问题。
有人能告诉我如何从中获取更多信息吗?如果有人能告诉我如何让 Java 应用程序改变其在这方面的行为,那就更好了。
投射式电容:https://drive.google.com/file/d/1qbzgU6L9AhPY8IPIy6KM1C6BP7ghOaAV/view?usp=sharing
SSL握手的Java调试:
javax.net.ssl|DEBUG|17|HttpClient-1-Worker-0|2024-04-04 21:42:19.180 EDT|ClientHello.java:640|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "450D606506B1335CBF914F1AF981CE839E0A832B5648DA495514698FB44C3002",
"session id" : "567D9AC550CAD29ACBEAF2328E9A51E9E5D167C97C8B6CA750BDD611AC48BE7D",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"application_layer_protocol_negotiation (16)": {
[h2, http/1.1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: F9 2E FF DC 09 15 6C 94 D7 44 F4 95 00 C5 A0 EE ......l..D......
0010: C1 CD 97 E0 7E B4 77 05 B6 E9 2C 79 DB 83 A5 43 ......w...,y...C
}
},
{
"named group": secp256r1
"key_exchange": {
0000: 04 6E FA 0C F4 C2 62 10 D0 98 44 1F F8 C5 A9 90 .n....b...D.....
0010: 42 02 8D 42 B0 83 A7 11 15 C1 39 58 B7 17 E1 6B B..B......9X...k
0020: BC 19 00 BF 0D D1 98 D6 FF 87 4E A9 32 19 25 77 ..........N.2.%w
0030: DB 0C 51 20 74 06 46 55 89 F8 56 32 B3 03 E4 DB ..Q t.FU..V2....
0040: A2
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|17|HttpClient-1-Worker-0|2024-04-04 21:42:19.208 EDT|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
答案1
感谢 Steffen Ullrich 在评论中指出 SNI 可能导致此问题。我发现此 Java 应用程序的其他地方已禁用它:
System.setProperty("jsse.enableSNIExtension", "false");
通过将其设置为 true 来纠正它,解决了我眼前的问题。