1. 技术文章
  2. TLS 1.2 was supported in Java 8 but not in Java 7

TLS 1.2 was supported in Java 8 but not in Java 7

落花浮王杯 提交于 2019-12-18 08:59:02

问题


When I tried to connect a URL (one of vendors URL which supports TLS 1.2 and worked fine previously with Java 7) by using Java 7, I found bellow Exception:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:523)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1087)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)

So that I have enabled -Dhttps.protocols=TLSv1.2, -Djavax.net.ssl.trustStore=<keystoreFilePath> and -Djavax.net.ssl.trustStorePassword=<password>

After that also I got the same issue. Then I have upgrade the Java version to 8 so it could connect to the URL without any SSL issue.

As per this blog, in Java 8, TLS 1.2 is default and TLS 1.2 can be tuned with the property -Dhttps.protocols in Java 7. In Java 7, I could be able to access a URL without a problem if I enable above properties through my past experiences.

But for the URL, I am requested to upgrade the Java version. What can be vendor side changes caused for the Exception mentioned above in Java 7? And without upgrading Java 8, can't I access the URL?

When try with -Djavax.net.debug=all I got below log

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp11284997-17, setSoTimeout(0) called
qtp11284997-18, setSoTimeout(0) called
%% No cached client session
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  *** ClientHello, TLSv1.2
RandomCookie:  GMT: 1465902650 bytes = { GMT: 1465902650 bytes = { 113156, , 91, 215, 64, 8, 63, 32, 255, 223, 156, 170, 50, 244, 156, 18, 241, 241, 229, 169, 35, 160, 22, 15, 111, 204, 231, 28, 25, 203, 70, 164, 77, 14, 181, 126, 159, 152, 111, 221, 254, 59 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 71 D7 40 08 3F FF  ......W`.:q.@.?.
0010: 9C 32 9C F1 E5 23 16 6F   E7 19 46 A4 4D 0E B5 7E  .2...#.o..F.M...
0020: 9F 98 6F DD FE 3B 00 00   2A 00 33 C0 04 00 16 00  ..o..;..*.3.....
0030: 05 C0 03 C0 11 C0 02 C0   07 C0 13 C0 08 C0 0C 00  ................
0040: FF C0 0D C0 0E C0 09 00   2F C0 12 00 04 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0242, E119,  001,  0F19,  00164,  1081, 3,  0063,  176,  255, .42, .23, .252, .164 }
Session ID:  .{}
..Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { .0 }
........
0080: 11Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
 00Extension ec_point_formats, formats: [uncompressed]
 02Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: postprod1.ratetiger.com]
***
[write] MD5 and SHA1 hashes:  len = 211
0000: 01 00 00 CF 03 03 57 60   E6 3A 9C 5B 20 DF AA F4  ......W`.:.[ ...
0010: 12 F1 A9 A0 0F CC 1C CB   F2 77 01 13 A4 51 03 3F  .........w...Q.?
0020: B0 FF 2A 17 FC A4 00 00   2A 00 33 C0 04 00 16 00  ..*.....*.3.....
0030: 05 C0 03 C0 11 C0 02 C0    0700 C0  131 C02 0 008 0 C04 0C  000 0  .  0.5. .0.0 14 00 08 00 16 00  .......................
.0.0.4.0
0090: : 0BF 00F 0 C02 0 01D 0 C00 0 00E 0 C0D 0 009    1A0 000 1 8  2 06F 0 C03 1 062 0 001 0 05  ................
00A0: 03 05 01 04 03 04 01 03   03 03 01 02 03 02 01 02  ................
00B0: 02 01 01 00 00 00 1C 00   1A 00 00 17 70 6F 73 74  ............post
00C0: 70 72 6F 64 31 2E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
4 00 32 00  ......../.....2.
0050: 13 00 0A 01 00 00 7C 00   0A 00 34 00 32 00 17 00  ..........4.2...
0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................
0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  qtp11284997-17, WRITE: TLSv1.2 Handshake, length = 211
.........[Raw write]: length = 216
......0.0
0000: 168 030 0: 113 0 000 D 023 0 010 0 120 00  040 000    05   00C 14F 0 030 0 083 00  165 007   6.0. .E6. .3.A. .7.1. . ..........
.0.0.9.0.: .W`0.:qB
 000 020 011 000 0: D70 4 0D0 00  0  1A8 00  183 06F 03  06F 01F 05  9 C. .3.2. .9.C. .  .F.1. .E.5. .2.3
00A0 : 031 056 0 6F1 E 047 0 193 4 046 01  0 3.@ .  03? 0.3.2 01. 02. 0.#3.o 02. 01. F02
 0 0.2.0.: .A.4. .4.D. .0.E. .B.5. .7E
 9F0 980 6FB 0  D: D02 FE 01  3B01  0000  0000  2A00  001C  3300     1A. M00. 00. 1.7..o .7.;0. .*6.3F
0030 : C07 043 0 740   1.6. .0.0. .0.5. .C.0. .post0
300C0 : 70   C072  6F1 641 3 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ...1. .2...........
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ............E 72 61   74 65 74 69 67 65 72 2E  prod1.ratetiger.
00D0: 63 6F 6D                                           com
qtp11284997-18, WRITE: TLSv1.2 Handshake, length = 211
[Raw write]: length = 216
0000: 16 03 03 00 D3 01 00 00   CF 03 03 57 60 E6 3A 9C  ...........W`.:.
0010: 5B 20 DF AA F4 12 F1 A9   A0 0F CC 1C CB F2 77 01  [ ..............
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
..w.
0020: 13 A4 51 03 3F B0 FF 2A   17 FC A4 00 00 2A 00 33  ..Q.?..*.....*.3
0030: C0 04 00 16 00 05 C0 03   C0 11 C0 02 C0 07 C0 13  ................
0040: C0 08 C0 0C 00 FF C0 0D   C0 0E C0 09 00 2F C0 12  ............./..
0050: 00 04 00 32 00 13 00 0A   01 00 00 7C 00 0A 00 34  ...2...........4
0060: 00 32 00 17 00 01 00 03   00 13 00 15 00 06 00 07  .2..............
0070: 00 09 00 0A 00 18 00 0B   00 0C 00 19 00 0D 00 0E  ................
0080: 00 0F 00 10 00 11 00 02   00 12 00 04 00 05 00 14  ................
0090: 00 08 00 16 00 0B 00 02   01 00 00 0D 00 1A 00 18  ................
00A0: 06 03 06 01 05 03 05 01   04 03 04 01 03 03 03 01  ................
00B0: 02 03 02 01 02 02 01 01   00 00 00 1C 00 1A 00 00  ................
00C0: 17 70 6F 73 74 70 72 6F   64 31 2E 72 61 74 65 74  .postprod1.ratet
00D0: 69 67 65 72 2E 63 6F 6D                            iger.com
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
[Raw read]: length = 5
0000: 02000 280 : 15       03 03       00    02                                                            .(   
    ..qtp11284997-17, READ: TLSv1.2 Alert, length = 2
..qtp11284997-17, RECV TLSv1 ALERT:  fatal, handshake_failure
.
[Raw read]: length = 2
0000: 02 28qtp11284997-17, called closeSocket()
                           qtp11284997-17, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
                   qtp11284997-17, called close()
.(qtp11284997-17, called closeInternal(true)

qtp11284997-18, READ: TLSv1.2 Alert, length = 2
qtp11284997-18, RECV TLSv1 ALERT:  fatal, handshake_failure
2016-06-15 10:53:06,722 WARN  [ride.intermediate.connect.ratetiger.ConnectRateTiger] -- Exception in InputStream Close--java.lang.NullPointerException
qtp11284997-17, called close()
qtp11284997-17, called closeInternal(true)
qtp11284997-18, called closeSocket()
qtp11284997-18, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
qtp11284997-18, called close()
qtp11284997-18, called closeInternal(true)

回答1:


If you test the URL with SSLLabs, the website allow 4 ciphers :

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

But if you read ciphers list for Java 7, no cipher is not supported (can be seen in the debug message also). Even by enabling TLS 1.2 for Java 7, I think it doesn't find any valid ciphers. The site had to change its configuration.




回答2:


Without upgrading to Java 8, you can upgrade your Java 7 version to 1.7.0_131-b31

For JRE 1.7.0_131-b31 in Oracle site :

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.



回答3:


I also faced the similar kind of problem while starting our swing based application. It seems that in some version of java 7, TLS1.2 is not enabled by default. I enabled it and then it worked fine.

You may enable it from Java Control Panel -> Advanced -> Click 'Use TLS 1.2'

Hopefully, it should work in your case also.



来源:https://stackoverflow.com/questions/37806743/tls-1-2-was-supported-in-java-8-but-not-in-java-7

标签
java
java-8
java-7
tls1.2
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!