How SSL handshaking works in Java 7 versus Java 8

Time: 2022-06-12 19:38:30

Recently while working with HttpClient for accessing 3rd party service (CURL Service) in Java application, I came across problem like:

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
....

I got this problem in JDK 7. With some research on this problem I found two suggestions, i.e.

  • Add certificate of that particular 3rd party in your JDK 7 Truststore. [Which I tried but still got same issue]

  • Use JDK 8 instead of JDK 7 [Which I tried and it worked for me]

So I am trying to understand how SSL handshaking takes place in Java 8 as compared to Java 7 or lower, and how I can fix this issue in JDK 7.

Code Snippet

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import org.apache.http.HttpResponse;
import org.apache.http.ParseException; // assumed: the post does not say which ParseException is meant
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

// 'log' is the enclosing class's logger (not shown in the post).
public String getProduct(final String accessToken) throws IOException, ParseException {

    log.info("accessToken: " + accessToken);
    final String stringUrl = "https://api.molt.in/v1/products";
    // Default client: TLS protocol versions come from the JVM's defaults for this JDK.
    HttpClient httpClient = HttpClientBuilder.create().build();
    HttpGet getRequest = new HttpGet(stringUrl);
    getRequest.setHeader("Authorization", "Bearer " + accessToken);
    HttpContext httpContext = new BasicHttpContext();
    HttpResponse response = httpClient.execute(getRequest, httpContext);
    log.info("Response Code : " + response.getStatusLine().getStatusCode());

    // try-with-resources closes the reader even if readLine() throws.
    StringBuilder result = new StringBuilder();
    try (BufferedReader rd = new BufferedReader(
            new InputStreamReader(response.getEntity().getContent()))) {
        String line;
        while ((line = rd.readLine()) != null) {
            result.append(line);
        }
    }
    log.info("result: " + result);

    return result.toString();
}

~Regards,

Chandan

1 solution

#1


2  

The server closes the handshake because the client uses an unsupported protocol. See this question, where it's suggested to launch Java 7 with:

-Dhttps.protocols=TLSv1.1,TLSv1.2

You'd get an error from your client (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed) if the server certificate were not trusted, and it works this way: the Java client checks the server's certificate to be sure that the machine it is talking to is actually who it claims to be, in your example "api.molt.in". The check works like this:

  • if the certificate is self signed, it is trusted if found in the default trust store

  • if the certificate is signed by an authority, it is trusted if the authority's certificate is found in the default trust store.

The list of trusted parties may be updated in every Java minor release. For example, certificates generated with Let's Encrypt are only trusted by Java 8 since the 101 update.
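The two failure modes the answer separates (the server closing the handshake because no protocol version is acceptable, versus a PKIX error because the certificate is not trusted) can be told apart from the client side before touching any truststore. The following is an added example, not code from the question or the answer: it prints which TLS versions the running JVM enables by default versus which it merely supports, and builds an Apache HttpClient (4.4+ API assumed) that offers TLSv1.1/TLSv1.2 explicitly while still using the JVM's default trust store, so the PKIX check described in the answer is unchanged. The class name `TlsProtocolCheck` and the `example.invalid` URL are placeholders.

```java
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/**
 * Added diagnostic example (not from the original post).
 * On JDK 7 the default client context enables TLSv1 only while TLSv1.1 and
 * TLSv1.2 are supported but disabled; JDK 8 enables all three by default.
 * A server that requires TLS 1.1+ will therefore drop a JDK 7 handshake.
 */
public class TlsProtocolCheck {

    /** Protocol versions a client socket from the default context offers out of the box. */
    public static String[] defaultEnabledProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();          // backed by the JVM's default trust store
        SSLParameters params = ctx.getDefaultSSLParameters();
        return params.getProtocols();
    }

    /** Protocol versions the JVM can speak at all, even if not enabled by default. */
    public static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    /**
     * HttpClient whose HTTPS sockets only offer the listed protocol versions.
     * The trust store and hostname verification stay at their defaults, so an
     * untrusted server certificate still fails with the PKIX error, not a closed handshake.
     */
    public static CloseableHttpClient clientWithProtocols(String... protocols) throws Exception {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContext.getDefault(),   // default trust store, default key managers
                protocols,                 // e.g. "TLSv1.1", "TLSv1.2"
                null,                      // keep the JVM's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // host name must match the cert
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Enabled by default: " + Arrays.toString(defaultEnabledProtocols()));
        System.out.println("Supported:          " + Arrays.toString(supportedProtocols()));

        // Placeholder endpoint; pass the service you are diagnosing as the first argument.
        String url = args.length > 0 ? args[0] : "https://example.invalid/";
        try (CloseableHttpClient client = clientWithProtocols("TLSv1.1", "TLSv1.2")) {
            try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
                System.out.println("Status: " + resp.getStatusLine().getStatusCode());
                EntityUtils.consume(resp.getEntity());
            }
        }
    }
}
```

One caveat when applying the answer's `-Dhttps.protocols` suggestion to the question's code: in HttpClient 4.x that system property is only read by `HttpClientBuilder` when `useSystemProperties()` is called on the builder; a plain `HttpClientBuilder.create().build()` ignores it, which is why setting the protocols on the `SSLConnectionSocketFactory` as above works regardless of JVM flags.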