Fatal编程技术网
  • java/
  • 最新Java Zulu 8.0.252的SSLException

最新Java Zulu 8.0.252的SSLException

java

最新Java Zulu 8.0.252的SSLException,java,payara,azul-zulu,Java,Payara,Azul Zulu,使用最新的JavaZulu8.0.252和Payara5服务器,我无法再读取任何HTTPS URL。降级到8.0.251后,一切又恢复正常 javax.net.ssl.SSLException at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133) at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:3

使用最新的JavaZulu8.0.252和Payara5服务器,我无法再读取任何HTTPS URL。降级到8.0.251后,一切又恢复正常

javax.net.ssl.SSLException
at org.openjsse.sun.security.ssl.Alert.createSSLException(Alert.java:133)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:352)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:295)
at org.openjsse.sun.security.ssl.TransportContext.fatal(TransportContext.java:290)
at org.openjsse.sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1330)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:424)
at org.openjsse.sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at org.openjsse.sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at org.openjsse.sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:730)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:705)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:295)
Caused by: java.lang.NullPointerException
at org.openjsse.sun.security.ssl.CertificateAuthorityExtension$CHCertificateAuthoritiesProducer.produce(CertificateAuthorityExtension.java:185)
at org.openjsse.sun.security.ssl.SSLExtension.produce(SSLExtension.java:560)
at org.openjsse.sun.security.ssl.SSLExtensions.produce(SSLExtensions.java:253)
at org.openjsse.sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:649)
at org.openjsse.sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:515)
at org.openjsse.sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:107)
at org.openjsse.sun.security.ssl.TransportContext.kickstart(TransportContext.java:259)
at org.openjsse.sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
... 97 more
为了避免这个错误,我在Payara中禁用了TLS1.3支持

通过替换以下内容禁用domain.xml中对Java 1.8.0u252及更高版本的TLS 1.3支持:

<jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>

    <jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>

[Azul-1.8.0u222 | 1.8.0u500]-XX:+UseOpenJSSE
与:

[Azul-1.8.0u222 | 1.8.0u251]-XX:+UseOpenJSSE
并使用不需要TLS 1.3的兼容grizzly库,替换:

<jvm-options>[Azul-1.8.0u222|1.8.0u500]-XX:+UseOpenJSSE</jvm-options>

    <jvm-options>[1.8.0u191|1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar</jvm-options>

[1.8.0u191 | 1.8.0u500]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar
与:

[1.8.0u191 | 1.8.0u251]-Xbootclasspath/p:${com.sun.aas.installRoot}/lib/grizzly-npn-bootstrap-1.8.1.jar
[1.8.0u252 | 1.8.0u500]-Xbootclasspath/a:${com.sun.aas.installRoot}/lib/grizzly-npn-api.jar
看起来您的应用程序或库使用了自定义的不安全信任管理器

此自定义信任管理器实现X509TrustManager类,并从
X509TrustManager.getAcceptedAssuers()
方法返回null

根据java规范
getAcceptedAssuers()
必须返回“可接受CA颁发者证书的非null(可能为空)数组”,但在提供的堆栈跟踪
getAcceptedAssuers()
中返回null。它导致NPE

请参见

这可能有助于TLS 1.3支持:是的,没错,我已经在考虑这种可能性,但没有时间检查它。