问题描述:
CertificateManagement : Server is not trusted.Received fatal alert: handshake_failure. Now installing certificates
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
当升级BMC CLM至4.6后,调用部分webservice会出现这个问题,该问题的主要原因是:Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication,Java 6 uses an SSLv2Hello pseudo message to encapsulate the Client Hello message. By default,
Java 7 rejects handshake requests that use the SSLv2Hello pseudo message. This is what is causing the SSL/TLS handshake to fail.
所以解决办法有两种:1修改tomcat7配置文件,允许SSLv2Hello,2修改tomcat6配置文件,禁用SSLv2Hello
解决方案1
1 修改tomcat7配置文件server.xml,修改为如下内容
<!-- 修改前 --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> <!--修改后 --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />
如果这些配置都在catalina.properties文件配置的话,那就需要改这个文件,不用改上面的了。
下面只是修改完成后的示例
# Connector HTTPS (SSL) enabled protocols # Default=TLSv1,TLSv1.,TLSv1. # bna.connector.sslEnabledProtocols=TLSv1,TLSv1.,TLSv1.,SSLv2Hello
解决方案2
1 禁用SSLv2Hello握手协议
修改java启动选项参数。打开tomcat,在java tab页下最后一行添加如下参数:
java -Dhttps.protocols="SSLv2Hello"
如果还是不行,建议升级到同一版本吧
注意:修改前请停掉tomcat服务,修改完再启动
参考
Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication