发表新帖
发表新帖

SSL Handshake Failed - Java 1.8

后端 未结
关注
3 1344
半阙折子戏
半阙折子戏 2021-01-05 00:42

Just letting folks know about an issue I had that many seemed to have had after upgrading to Java 1.8. Not all of the solutions are the same hence posting how I resolved th

相关标签:
3条回答
  • 旧巷少年郎
    2021-01-05 00:56

    RC4 was effectively cracked - 14 years ago.

    The Fluhrer, Mantin and Shamir (FMS) attack, published in their 2001 paper "Weaknesses in the Key Scheduling Algorithm of RC4", takes advantage of a weakness in the RC4 key scheduling algorithm to reconstruct the key from encrypted messages.

    The problem isn't in Java 8.

    The problem is your server is using RC4.

    0 讨论(0)
  • 长发绾君心
    2021-01-05 01:02

    With JDK 1.8.0_51 release RC4 is no longer supported from Java as client (also as server) to negotiate SSL handshake, RC4 is considered weak (and compromised ) cipher and that is the reason for removal

    http://bugs.java.com/view_bug.do?bug_id=8076221

    You can still however enable it by removing RC4 from jdk.tls.disabledAlgorithms from your Java security config or progamatically enabling them using setEnabledCipherSuites() method

    However better solution would be to update the server configuration (if it is under your control) to upgrade to stronger Ciphers

    RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.

    As to your approach on setting it by using Security.setProperty(), it is not reliable way because the fields which hold disabled algorithms are static and final, So if that class gets loaded first you don't have controll over it, you could alternatively try by creating a properties file

    like this

    ## override it to remove RC4, in disabledcipher.properties
jdk.tls.disabledAlgorithms=DHE

    and in your JVM, you could refer it as system property like this

    java -Djava.security.properties=disabledcipher.properties blah...
    0 讨论(0)
  • 孤城傲影
    2021-01-05 01:10

    Thanks alton for sharing such a life saver information. Only one thing I'd like to change since 

    openssl s_client -host yourproblemhost.com -port 443
returned ->
Protocol  : TLSv1.2
Cipher    : 0000
openssl s_client -connect X.X.X.X:993  -prexit -tls1
returned -> the expected response as
Protocol  : TLSv1
Cipher    : RC4-MD5
    0 讨论(0)
 看不清?
提交回复
热议问题