
Hello good people of stackoverflow, this is my first time asking a question.

Anyway. I am having problems with some fairly basic SSL code. The code works with java 1.4, java 1.5 and java 1.6 but not with java 1.7.

I have done my research and come across many sources telling me to disable Elliptic Curve and to disable the SNIExtension, but none of them solved my problem. The error I get is an illegal_parameter early in the handshake.

The relevant part of the code is given here:

import java.io.OutputStreamWriter;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

// host, port, resource and messageText are defined elsewhere in SkeletonSender
URL url = new URL("https", host, port, resource);

// Default factory: key store and trust store come from the javax.net.ssl.* system properties
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

conn.setSSLSocketFactory(sslsocketfactory);

conn.setDoOutput(true);
conn.setDoInput(true);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "text/xml");
// Note: length() counts characters, not encoded bytes; the two only agree for ASCII content
conn.setRequestProperty("Content-Length", "" + messageText.length());

// The TLS handshake runs when getOutputStream() connects; this is where 1.7 fails (see stack trace below)
OutputStreamWriter or = new OutputStreamWriter(conn.getOutputStream());

or.write(messageText);
or.flush();
or.close();

int responseCode = conn.getResponseCode();
String responseMessage = conn.getResponseMessage();

System.out.println("Reply received response code " + responseCode + " responseMessage " + responseMessage);

Before Java 1.7 this worked a treat.

I have done SSL debugging and this is the first part where I receive the error in 1.7.

X:\SSL\Tester>c:\Java\JDK\1.7.0.21\bin\java.exe SkeletonSender sender.properties

keyStore is : TestClient.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : testclient
chain [0] = [
[
Version: V3
Subject: CN=TestClient, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk

Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 2048 bits
modulus: <<REMOVED>>
public exponent: 65537
Validity: [From: Thu Mar 14 14:58:30 GMT 2013,
To: Fri Mar 14 14:58:30 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    0113]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65                                                 e


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0A E4 E8 CB E1 49 24 A9   01 C3 C5 6D 38 C7 52 02  .....I$....m8.R.
0010: 2E 10 6B AA                                        ..k.
]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ED CA A2 FE 22 32 3F DB   27 95 FD 22 DE DD 36 42  ...."2?.'.."..6B
0010: 86 EA 34 6D                                        ..4m
]
]

]
Algorithm: [SHA1withRSA]
Signature:
<<REMOVED>>

]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 1024 bits
modulus: <<REMOVED>>

public exponent: 65537
Validity: [From: Wed Mar 13 10:19:32 GMT 2013,
To: Thu Mar 13 10:19:32 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    fdfbbcec a1e69dad]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0A E4 E8 CB E1 49 24 A9   01 C3 C5 6D 38 C7 52 02  .....I$....m8.R.
0010: 2E 10 6B AA                                        ..k.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0A E4 E8 CB E1 49 24 A9   01 C3 C5 6D 38 C7 52 02  .....I$....m8.R.
0010: 2E 10 6B AA                                        ..k.
]
]

]
Algorithm: [SHA1withRSA]
Signature:
<<REMOVED>>

]
***
trustStore is: TestClient.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Issuer:  EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Algorithm: RSA; Serial number: 0xfdfbbceca1e69dad
Valid from Wed Mar 13 10:19:32 GMT 2013 until Thu Mar 13 10:19:32 GMT 2014

adding as trusted cert:
Subject: CN=TestClient, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk

Issuer:  EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Algorithm: RSA; Serial number: 0x113
Valid from Thu Mar 14 14:58:30 GMT 2013 until Fri Mar 14 14:58:30 GMT 2014

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1352376204 bytes = { 132, 114, 229, 238, 17, 49, 224, 49, 140, 237, 195, 202, 95, 198, 110, 197, 51, 146, 26, 207, 218, 224, 249, 197, 202, 139, 82, 202 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: myserver.mydomain.com]
***
main, WRITE: TLSv1 Handshake, length = 191
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, illegal_parameter
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at SkeletonSender.main(SkeletonSender.java:133)

This is the same debug information working correctly in Java 1.6.

X:\SSL\Tester>c:\Java\JDK\1.6.0.26\bin\java.exe SkeletonSender sender.properties 
keyStore is : TestClient.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : testclient
chain [0] = [
[
Version: V3
Subject: CN=TestClient, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk

Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 2048 bits
modulus: <<REMOVED to save characters>>
public exponent: 65537
Validity: [From: Thu Mar 14 14:58:30 GMT 2013,
To: Fri Mar 14 14:58:30 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    0113]

Certificate Extensions: 4
<<REMOVED>>

]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 1024 bits
modulus: <<REMOVED>>

public exponent: 65537
Validity: [From: Wed Mar 13 10:19:32 GMT 2013,
To: Thu Mar 13 10:19:32 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    fdfbbcec a1e69dad]

Certificate Extensions: 3
<<REMOVED>>
]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
***
trustStore is: TestClient.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Issuer:  EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Algorithm: RSA; Serial number: 0xfdfbbceca1e69dad
Valid from Wed Mar 13 10:19:32 GMT 2013 until Thu Mar 13 10:19:32 GMT 2014

adding as trusted cert:
Subject: CN=TestClient, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk

Issuer:  EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Algorithm: RSA; Serial number: 0x113
Valid from Thu Mar 14 14:58:30 GMT 2013 until Fri Mar 14 14:58:30 GMT 2014

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1352375984 bytes = { 147, 36, 31, 138, 140, 6, 38, 60, 187, 73, 231, 64, 69, 240, 225, 86, 56, 186, 15, 182, 255, 247, 214, 58, 187, 230, 248, 85 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie:  GMT: 1352375955 bytes = { 205, 0, 202, 103, 5, 247, 206, 74, 171, 147, 120, 157, 32, 180, 225, 119, 45, 1, 70, 149, 255, 12, 8, 170, 233, 253, 93, 194 }
Session ID:  {71, 126, 127, 231, 211, 122, 75, 124, 20, 27, 248, 53, 27, 194, 153, 51}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
main, READ: TLSv1 Handshake, length = 1736
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=myserver.mydomain.com, OU=ICT, O=ICT, L=Glasgow, ST=Lanarkshire, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 2048 bits
modulus: <<REMOVED>>
public exponent: 65537
Validity: [From: Wed Mar 13 10:22:53 GMT 2013,
To: Thu Mar 13 10:22:53 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    0110]

Certificate Extensions: 4
<<REMOVED>>

]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 1024 bits
<<REMOVED>>

public exponent: 65537
Validity: [From: Wed Mar 13 10:19:32 GMT 2013,
To: Thu Mar 13 10:19:32 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    fdfbbcec a1e69dad]

Certificate Extensions: 3
<<REMOVED>>    

]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
***
Found trusted certificate:
[
[
Version: V3
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 1024 bits
<<REMOVED>>

public exponent: 65537
Validity: [From: Wed Mar 13 10:19:32 GMT 2013,
To: Thu Mar 13 10:19:32 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    fdfbbcec a1e69dad]

Certificate Extensions: 3
<<REMOVED>>

]
Algorithm: [SHA1withRSA]
<<REMOVED>>    

]
main, READ: TLSv1 Handshake, length = 1337
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
<OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US>
<CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US>
<CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net>
<CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net>
<EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk>
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
matching alias: testclient
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=TestClient, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk

Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 2048 bits
<<REMOVED>>
public exponent: 65537
Validity: [From: Thu Mar 14 14:58:30 GMT 2013,
To: Fri Mar 14 14:58:30 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    0113]

Certificate Extensions: 4
<<REMOVED>>
]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key:  Sun RSA public key, 1024 bits
<<REMOVED>>

public exponent: 65537
Validity: [From: Wed Mar 13 10:19:32 GMT 2013,
To: Thu Mar 13 10:19:32 GMT 2014]
Issuer: EMAILADDRESS=Lambert.Behnke@gmail.com, CN=DryRunCA, OU=ICT, O=ICT, L=Glasgow, ST=Scotland, C=uk
SerialNumber: [    fdfbbcec a1e69dad]

Certificate Extensions: 3
<<REMOVED>>

]
Algorithm: [SHA1withRSA]
<<REMOVED>>

]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 1962
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 7E 35 CB 8C 5B 95   48 74 C8 37 77 6B CD 08  ...5..[.Ht.7wk..
0010: C4 BC 67 4B 8D ED 3F 46   02 D3 CD F6 C8 7A AC 8D  ..gK..?F.....z..
0020: 55 F5 0E D3 9B 15 07 76   4E FA B5 CC 66 56 BB 00  U......vN...fV..
CONNECTION KEYGEN:
Client Nonce:
0000: 51 9C 9F B0 93 24 1F 8A   8C 06 26 3C BB 49 E7 40  Q....$....&<.I.@
0010: 45 F0 E1 56 38 BA 0F B6   FF F7 D6 3A BB E6 F8 55  E..V8......:...U
Server Nonce:
0000: 51 9C 9F 93 CD 00 CA 67   05 F7 CE 4A AB 93 78 9D  Q......g...J..x.
0010: 20 B4 E1 77 2D 01 46 95   FF 0C 08 AA E9 FD 5D C2   ..w-.F.......].
Master Secret:
0000: 8B CE 95 83 1A 02 4E A4   78 4D 69 EE 60 B4 9B C2  ......N.xMi.`...
0010: F9 43 0C 78 99 80 25 02   D4 0B 6E AA 37 6C A8 73  .C.x..%...n.7l.s
0020: 9D 6B D1 B5 2D 6A C5 AE   D8 8E E2 80 A7 31 11 4B  .k..-j.......1.K
Client MAC write Secret:
0000: 26 BE B8 6D 90 9E 27 19   68 B8 58 89 96 66 ED 47  &..m..'.h.X..f.G
Server MAC write Secret:
0000: 58 AF 92 80 64 BF D9 98   C9 45 8A 66 14 FB C5 EC  X...d....E.f....
Client write key:
0000: CD 82 8F A8 D6 C9 F9 8A   4C 08 C4 37 F0 F1 33 28  ........L..7..3(
Server write key:
0000: 2D 0B B4 42 38 04 78 43   D5 49 6B 2E 51 F9 7C 00  -..B8.xC.Ik.Q...
... no IV used for this cipher
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 90, 148, 85, 204, 107, 42, 185, 36, 22, 147, 214, 238 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 65, 186, 83, 65, 42, 203, 31, 52, 5, 161, 220, 82 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, WRITE: TLSv1 Application Data, length = 261
main, WRITE: TLSv1 Application Data, length = 424
main, READ: TLSv1 Application Data, length = 753
Reply received response code 200 responseMessage OK

I have done some digging and believe that maybe I am using an insecure cipher suite, but I see that the cipher suite 1.6 uses is still in the 1.7 list. Maybe it tries a different suite first, which causes the error, so it never gets to the one that works. Anyway, I hope someone has had a similar problem in the past, or can spot something stupid I am doing.

Many thanks for your time,

Lambert

PS: Because the body is limited to 30000 characters I removed the modulus, certificate extension blocks and algorithm signatures. If they are important I can add them back in.

1 Answer

I notice that the unavailable cipher suites all involve 256-bit or higher encryption. The unlimited encryption policy files may not be installed in your {jdk.home}/jre/lib/security directory.

Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from http://www.oracle.com/technetwork/java/javase/downloads/index.html, unzip the download, and copy the two jar files (local_policy.jar and US_export_policy.jar) into the {jdk.home}/jre/lib/security directory, overwriting the existing jar files.

Answered 2014-01-05T01:13:22.800
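A small diagnostic, added here and not part of either post, that checks on the running JVM the two things discussed above: whether the jurisdiction policy caps AES at 128 bits (the condition under which the AES-256 suites in the Java 7 log are reported as "unavailable"), and whether the suites named in the two logs are supported and enabled by the default SSLSocketFactory. The class name is mine; the suite names are copied from the debug output.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical diagnostic: reports JSSE capabilities relevant to the logs above. */
public class JsseCapabilityCheck {

    /** The suites the Java 7 log reported as "unavailable", plus the one Java 6 negotiated. */
    static final String[] SUITES_OF_INTEREST = {
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
    };

    /** The restricted (default) policy caps AES at 128 bits; the unlimited
     *  policy files raise the limit to Integer.MAX_VALUE. */
    static boolean unlimitedPolicyInstalled() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** "supported" means the runtime can use the suite; "enabled" means it is
     *  offered in the ClientHello by default. A 256-bit suite that is neither,
     *  under the restricted policy, is exactly the "Ignoring unavailable" case. */
    static Map<String, String> suiteStatus(SSLSocketFactory factory) {
        List<String> supported = Arrays.asList(factory.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(factory.getDefaultCipherSuites());
        Map<String, String> status = new LinkedHashMap<String, String>();
        for (String suite : SUITES_OF_INTEREST) {
            String s = enabled.contains(suite) ? "enabled"
                     : supported.contains(suite) ? "supported, not enabled"
                     : "not available";
            status.put(suite, s);
        }
        return status;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES")
                + ", unlimited policy installed: " + unlimitedPolicyInstalled());
        // Protocols the client offers by default; the 1.6 log shows it also sent an SSLv2-format hello
        System.out.println("Default protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        for (Map.Entry<String, String> e : suiteStatus(ctx.getSocketFactory()).entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

Run it with the same JDK and the same javax.net.ssl.* system properties as SkeletonSender so that it reports on the factory the failing client actually uses.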