Fatal编程技术网
  • oracle/
  • Oracle 环回连接上的密码适配失败握手?

Oracle 环回连接上的密码适配失败握手?

oracle ssl java-8

Oracle 环回连接上的密码适配失败握手?,oracle,ssl,java-8,tls1.2,Oracle,Ssl,Java 8,Tls1.2,我在Windows7系统上使用带有“Java加密扩展(JCE)JDK/JRE 8的无限强度权限策略文件”的OracleJava8(8u112)。为了提高我对安全套接字的理解,我试图编写一个简单的程序,在线程上打开一个服务器套接字,然后连接到这个套接字 我想使用TLSv1.2和用JavaKeyTool生成的证书。我使用的是这个问题中的代码(SSLSocketFactoryEx):但我只指定要使用的密码(上面也提到了这些密码): 不幸的是,当我运行我的程序时,握手失败(参见下面的javax.debu

我在Windows7系统上使用带有“Java加密扩展(JCE)JDK/JRE 8的无限强度权限策略文件”的OracleJava8(8u112)。为了提高我对安全套接字的理解,我试图编写一个简单的程序,在线程上打开一个服务器套接字,然后连接到这个套接字

我想使用TLSv1.2和用JavaKeyTool生成的证书。我使用的是这个问题中的代码(SSLSocketFactoryEx):但我只指定要使用的密码(上面也提到了这些密码):

不幸的是,当我运行我的程序时,握手失败(参见下面的javax.debug.net=ssl输出)。如果我加上密码

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
一切正常运行。似乎只有带有DHE_DSS(而不是ECDHE_*)的密码才能工作??有人知道为什么以及如何修复它吗?JCE已经安装

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1469871576 bytes = { 114, 27, 128, 235, 21, 129, 252, 118, 108, 93, 245, 56, 159, 145, 94, 197, 161, 8, 37, 124, 4, 8, 58, 189, 102, 164, 83, 249 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 139
server, READ: TLSv1.2 Handshake, length = 139
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1469871576 bytes = { 114, 27, 128, 235, 21, 129, 252, 118, 108, 93, 245, 56, 159, 145, 94, 197, 161, 8, 37, 124, 4, 8, 58, 189, 102, 164, 83, 249 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
server, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
...
原来是我的证书出了问题。要创建允许ECDHE的证书,您需要生成如下证书:

keytool -genkeypair -keystore localhostECDHE.jks -alias localhost -keyalg EC -keysize 256 -validity 30 -sigalg SHA512withECDSA
相关,请参见 
keytool -genkeypair -keystore localhostECDHE.jks -alias localhost -keyalg EC -keysize 256 -validity 30 -sigalg SHA512withECDSA