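We have an HTTPS client that connects to a web service over SSL. This always worked with Java 1.6.

Last week we switched the client to Java 1.7. Unfortunately, the client can no longer connect to the web service. I would like to know what is causing this and how to fix it.

The client throws the following exception: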

    javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)

Here is the detailed log output.

    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: true
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(30000) called
    main, setSoTimeout(30000) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1392263294 bytes = { 158, 254, 253, 221, 176, 200, 181, 30, 189, 167, 209, 227, 105, 106, 207, 196, 50, 6, 21, 179, 125, 69, 112, 158, 49, 234, 113, 10 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension server_name, server_name: [host_name: messaging.xxxxx.com]
    ***
    [write] MD5 and SHA1 hashes:  len = 180

    main, WRITE: TLSv1 Handshake, length = 180
    [Raw write]: length = 185

    [Raw read]: length = 5
    0000: 15 03 01 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 0A                                              ..
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT:  fatal, unexpected_message
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
    main, called close()
    main, called closeInternal(true)
    main, called close()
    main, called closeInternal(true)
    main, called close()
    main, called closeInternal(true)

1 Answer

The solution to this problem is:

  1. Disable elliptic curves with the command-line option: -Dcom.sun.net.ssl.enableECC=false
  2. Disable the server name extension: -Djsse.enableSNIExtension=false

Answered 2018-02-11T05:38:03.770
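
To check whether the two flags in the answer took effect, one can list the extensions in a captured ClientHello record and decode the server's alert record. This is an added example, not part of the original question or answer; the function names, the sample ClientHello and the host name `example.test` are constructed for illustration, while the alert bytes in the test call are the `[Raw read]` bytes from the log above.

```python
import struct

# Subset of the IANA TLS ExtensionType and AlertDescription registries.
EXT_NAMES = {0: "server_name", 10: "elliptic_curves", 11: "ec_point_formats"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure"}

def client_hello_extensions(record: bytes) -> list:
    """List the extensions of a ClientHello TLS record, in wire order."""
    ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rlen or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                  # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                  # compression methods
    if pos + 2 > 5 + rlen:
        return []                           # hello carries no extensions block
    end = min(5 + rlen, pos + 2 + struct.unpack_from("!H", record, pos)[0])
    pos += 2
    names = []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        names.append(EXT_NAMES.get(etype, "unknown(%d)" % etype))
        pos += 4 + elen
    return names

def decode_alert(record: bytes) -> tuple:
    """Decode an unencrypted TLS alert record into (level, description)."""
    ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x15 or rlen != 2 or len(record) != 7:
        raise ValueError("not a plaintext alert record")
    level = {1: "warning", 2: "fatal"}.get(record[5], "unknown")
    return level, ALERTS.get(record[6], "alert(%d)" % record[6])

def sample_hello(extensions) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello with (type, data) extensions."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"         # one cipher suite, null compression
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed extension payloads: secp256r1, uncompressed points, SNI for example.test
ALL_EXTS = [(10, b"\x00\x02\x00\x17"), (11, b"\x01\x00"),
            (0, b"\x00\x0f\x00\x00\x0c" + b"example.test")]

if __name__ == "__main__":
    print(client_hello_extensions(sample_hello(ALL_EXTS)), decode_alert(bytes.fromhex("1503010002020a")))
```

A ClientHello captured after applying both flags should come back with neither `server_name` nor the two elliptic-curve extensions in the list.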