
Java application running on Linux gets SSL handshake errors on some websites


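I have a Java application that is trying to connect to a web application over HTTPS. When I run it on my Windows machine everything works fine, but on an AWS Linux machine I get a handshake error. Here are the software versions I am using: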

Windows Java

  • java version "1.8.0_101"
  • Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
  • Java HotSpot(TM) Client VM (build 25.101-b13, mixed mode, sharing)

AWS Linux Java

  • openjdk version "1.8.0_91"
  • OpenJDK Runtime Environment (build 1.8.0_91-b14)
  • OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
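
My initial guess was that the problem was caused by SNI, because the web application I am connecting to is set up that way. However, when I look at the debug log, I see that on Linux it says: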

Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
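
This makes me think SNI is being handled properly.

I'm starting to think the root of the problem is that my client and the server can't agree on a cipher suite, which causes the handshake to fail. I see that on Windows TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is being used. I also see that this cipher suite doesn't appear to be available on Linux.

I'm really not sure I fully understand everything that is happening in the debug dump, so I'm hoping someone can confirm my suspicion and suggest how to fully resolve the issue.

Here is what happens on Linux, where it fails with a handshake exception: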

2016/08/26 22:52:35:882 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:52:35:891 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:52:35:893 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:52:35:907 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:52:35:937 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:52:36:038 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455489140 bytes = { 189, 42, 2, 83, 215, 159, 170, 114, 166, 145, 86, 76, 205, 19, 222, 103, 15, 89, 159, 24, 126, 130, 219, 181, 48, 109, 132, 79 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 143
pool-1-thread-1, READ: TLSv1.2 Alert, length = 2
pool-1-thread-1, RECV TLSv1.2 ALERT:  fatal, handshake_failure
pool-1-thread-1, called closeSocket()
pool-1-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016/08/26 22:52:36:199 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Shutdown connection
2016/08/26 22:52:36:200 EDT [DEBUG] MainClientExec - -Connection discarded
2016/08/26 22:52:36:200 EDT [DEBUG] DefaultManagedHttpClientConnection - -http-outgoing-0: Close connection
2016/08/26 22:52:36:200 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection released: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
Error: Received fatal alert: handshake_failure
Elapsed Time: 356 ms
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager is shutting down
2016/08/26 22:52:36:202 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection manager shut down

Here is what happens on Windows, where it works:

2016/08/26 22:59:27:224 EDT [DEBUG] RequestAddCookies - -CookieSpec selected: best-match
2016/08/26 22:59:27:228 EDT [DEBUG] RequestAuthCache - -Auth cache not set in the context
2016/08/26 22:59:27:228 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection request: [route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
2016/08/26 22:59:27:258 EDT [DEBUG] PoolingHttpClientConnectionManager - -Connection leased: [id: 0][route: {s}->https://www.abuseipdb.com:443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
2016/08/26 22:59:27:286 EDT [DEBUG] MainClientExec - -Opening connection {s}->https://www.abuseipdb.com:443
2016/08/26 22:59:27:362 EDT [DEBUG] HttpClientConnectionManager - -Connecting to www.abuseipdb.com/104.31.74.222:443
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1455489551 bytes = { 69, 36, 118, 201, 252, 93, 212, 32, 99, 181, 94, 8, 249, 138, 165, 81, 11, 108, 104, 87, 246, 104, 115, 107, 240, 195, 111, 25 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=www.abuseipdb.com]
***
pool-1-thread-1, WRITE: TLSv1.2 Handshake, length = 215
pool-1-thread-1, READ: TLSv1.2 Handshake, length = 93
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -1114532124 bytes = { 84, 54, 245, 62, 187, 242, 188, 165, 192, 49, 29, 203, 96, 228, 212, 99, 190, 50, 149, 219, 193, 146, 98, 47, 55, 155, 153, 148 }
Session ID:  {215, 1, 126, 144, 1, 117, 237, 244, 231, 139, 61, 205, 198, 118, 31, 104, 79, 113, 148, 163, 72, 102, 159, 154, 79, 160, 201, 174, 102, 35, 3, 107}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
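
The website requires ECDHE ciphers. The Linux client does not support these ciphers, while the Windows client does.


Suggests that this may be an OpenJDK versus Oracle JDK issue.

I can't stress enough how correct this answer is; I had been working on this problem for a long time. As the link suggests, it can be fixed by installing Bouncy Castle, and then everything magically works.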
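
To confirm the diagnosis on a given machine without reading a full debug dump, a small check like the following can be run on both JVMs. It is an added example, not code from the original posts; the class name `EcdheCheck` is hypothetical, and it uses only standard JDK APIs.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class (not from the original posts).
public class EcdheCheck {

    // Suites whose key exchange is ephemeral ECDH, the kind the server selected
    // in the Windows log.
    static List<String> ecdheSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith("TLS_ECDHE_")) out.add(s);
        }
        return out;
    }

    // True if some installed security provider implements EC key generation and ECDH.
    static boolean ecAvailable() {
        try {
            KeyPairGenerator.getInstance("EC");
            KeyAgreement.getInstance("ECDH");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " - " + p.getInfo());
        }
        System.out.println("EC/ECDH algorithms available: " + ecAvailable());

        // TLS 1.2 context initialised with the default key and trust managers.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        List<String> enabled = ecdheSuites(ctx.getDefaultSSLParameters().getCipherSuites());
        System.out.println("ECDHE suites enabled by default: " + enabled);
        if (enabled.isEmpty()) {
            System.out.println("No ECDHE suite will be offered in the ClientHello.");
        }
    }
}
```

A JVM in the state shown in the Linux log, where every ECDHE and ECDH suite is reported as unavailable and the ClientHello carries no elliptic_curves extension, would be expected to print an empty ECDHE list here.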