java - Java SSL：服务主体名称无效

Question

在我的游戏的 Java 服务器上，我运行了“sudo yum update”，现在尝试通过我的游戏客户端连接时出现以下错误：

[2015-07-26 01:58:12] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote port = 34215
[2015-07-26 01:58:12] [Thread-2] INFO -    Local socket address = /192.168.1.4:59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-26 01:58:12] [Thread-2] INFO -    Local port = 59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Need client authentication = false
[2015-07-26 01:58:17] [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-07-26 01:58:17] [Thread-2] INFO -    Protocol = NONE
[2015-07-26 01:58:17] [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

5天前，这是我从客户端连接到我的游戏服务器时看到的：

[2015-07-21 00:07:34] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote port = 34215
[2015-07-21 00:07:34] [Thread-2] INFO -    Local socket address = /192.168.1.4:61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-21 00:07:34] [Thread-2] INFO -    Local port = 61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Need client authentication = false
[2015-07-21 00:07:34] [Thread-2] INFO -    Cipher suite = TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-07-21 00:07:34] [Thread-2] INFO -    Protocol = TLSv1.2

我以为是我的 keystore.jks 文件的证书已过期，但我什至尝试用刚刚用startssl更新的证书进行更新，但无济于事。任何帮助将不胜感激。

理想情况下，我想解决这个问题（这样我就可以继续更新我的 EC2 服务器）。

编辑

我使用以下命令在上次更新列表中找到了以下 java 更新： rpm -qa --last

java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64 Sun 26 Jul 2015 12:23:17 AM EDT

编辑2

客户：

[2015-08-04 08:32:16] 15 [main] INFO - java.version: 1.8.0_20
[2015-08-04 08:32:17] 1028 [AWT-EventQueue-0] DEBUG - conf/
[2015-08-04 08:32:17] 1185 [main] INFO - Contacting Download Server...
...
[2015-08-04 08:32:57] 40786 [main] INFO - Finished updating game files!
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_NULL_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote port = 34215
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local socket address = /192.168.1.8:56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local address = /192.168.1.8
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local port = 56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Need client authentication = false
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Protocol = NONE
[2015-08-04 08:33:12] 55889 [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

服务器：

65795 [main] DEBUG - handleConnections thread started
65795 [main] DEBUG - Server is running on port 34215
124540 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
124543 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
125142 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
125152 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126102 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
126105 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126107 [connectionHandlerThread] INFO - Server socket class: class sun.security.ssl.SSLServerSocketImpl
126107 [connectionHandlerThread] INFO -    Socket address = 0.0.0.0/0.0.0.0
126107 [connectionHandlerThread] INFO -    Socket port = 34215
126108 [connectionHandlerThread] INFO -    Need client authentication = false
126108 [connectionHandlerThread] INFO -    Want client authentication = false
126108 [connectionHandlerThread] INFO -    Use client mode = false
126108 [connectionHandlerThread] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
126108 [connectionHandlerThread] INFO -    Remote address = /173.54.54.76
126108 [connectionHandlerThread] INFO -    Remote port = 56729
126108 [connectionHandlerThread] INFO -    Local socket address = /172.31.25.254:34215
126108 [connectionHandlerThread] INFO -    Local address = /172.31.25.254
126108 [connectionHandlerThread] INFO -    Local port = 34215
126109 [connectionHandlerThread] INFO -    Need client authentication = false
131889 [connectionHandlerThread] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
131889 [connectionHandlerThread] INFO -    Protocol = NONE
131890 [connectionHandlerThread] FATAL - Socket connection could not be made!!
131890 [connectionHandlerThread] ERROR - client bad connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508)
        at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4770)
        at com.jayavon.game.server.MyServer.access$0(MyServer.java:4739)
        at com.jayavon.game.server.MyServer$1.run(MyServer.java:435)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1098)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2233)
        at com.jayavon.game.server.MyServer.printSocketInfo(MyServer.java:4725)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4758)
        ... 3 more

score 7 · Accepted Answer

最初（即在您通过更新系统之前），您使用了没有 Diffie-Hellman Key-Exchange 身份验证rpm的密码套件。TLS_DH_anon_WITH_AES_128_CBC_SHA256（注：容易受到中间人攻击的协议）

根据Red Hat Customer Portal和Amazon Linux AMI 安全中心的说法）最近发布了一个关键的 java-1.7.0-openjdk 安全更新。由于此问题，您肯定会遇到上述问题，如下所述：

在 TLS 协议组成 Diffie-Hellman (DH) 密钥交换的方式中发现了一个缺陷。中间人攻击者可以利用此漏洞在密钥交换期间强制使用弱 512 位出口级密钥，从而允许他们解密所有流量。(CVE-2015-4000)

注意：此更新强制 OpenJDK 中的 TLS/SSL 客户端实现拒绝低于 768 位的 DH 密钥大小，从而防止会话降级为导出级密钥。有关此更改的更多详细信息，请参阅参考资料部分中链接的 Red Hat Bugzilla 错误 1223211。

这解释了 - 至少在某种程度上 - 为什么你现在得到了Cipher suite = SSL_NULL_WITH_NULL_NULL，因为原来的密码套件似乎在你的系统上不再可用（或者它现在已被禁用）。这也得到以下支持：Protocol = NONE在您提供的输出中。

' Java 平台标准版 7 的 Java Cryptography Architecture Oracle Providers Documentation '概述文档在Default Disabled Cipher Suites列表中也包含您的原始密码套件。所以我认为 OpenJDK 实现确实相应地解决了这个安全问题（参见上面的 URL 参考）。

一般来说，Java 的这个安全修复与所谓的Logjam 攻击有关，建议是：

确保您使用的任何 TLS 库都是最新的，您维护的服务器使用 2048 位或更大的素数，并且您维护的客户端拒绝小于 1024 位的 Diffie-Hellman 素数

作为一个解决方案，也许您可以更改游戏应用程序（客户端和/或服务器）的 SSL/加密设置以使用非DH-anon密码套件？

查看 Oracle 提供的文档中的默认启用密码套件，或查看@dolmen 提供的用于检测Ubuntu OpenJDK 7 上启用密码的简单而有效的工具。

编辑1：

看看这个StackOverflow 帖子和@EJP 的答案它看起来与您的 StackTrace 非常相似（*hooray！）。看来你更...

不要弄乱启用的密码套件。取出该代码并重新测试。您已启用匿名套件，通过它在任何方向都没有任何身份验证。

因此，您可以将代码更改为不setEnabledCipherSuites(..)显式使用，因为它启用了默认未启用的密码套件（“DH-anon”...）。如果你按照描述的那样取出这些代码行，试着检查结果是什么。

也许可以TLS_ECDH_anon_WITH_AES_128_CBC_SHA作为密码套件（这里没有经典的 DH 参数）。但是，因此您应该在服务器端更新到 OpenJDK 8 或 Oracle JRE/JDK 8，因为这在 OpenJDK 7 中不可用（请参阅您的服务器调试日志输出）。

希望能帮助到你。

java - Java SSL：服务主体名称无效

1 回答 1

Related

Reference