我尝试使用 Apache HTTP Client 5.4.1 和 Java 17.0.8.1 连接 TLSv1.3 到
dnug.collab.cloud当我设置
jdk.tls.client.protocols=TLSv1.2有人可以解释一下可能出了什么问题吗?
代码
System.out.println(System.getProperty("java.version"));
try (CloseableHttpClient client = HttpClients.createDefault()) {
final HttpGet request1 = new HttpGet(
"https://dnug.collab.cloud/profiles/atom/[email protected]");
client.execute(request1, response -> {
return null;
});
} catch (Exception e) {
e.printStackTrace();
}
使用
javax.net.debug=ssl:handshake17.0.8.1
javax.net.ssl|DEBUG|2024-12-12 17:00:53.028 CET|SSLCipher.java:466|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|2024-12-12 17:00:53.075 CET|SSLCipher.java:466|jdk.tls.keyLimits: entry = ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|WARNING|2024-12-12 17:00:57.306 CET|NamedGroup.java:297|No AlgorithmParameters for x25519 (
"throwable" : {
java.security.NoSuchAlgorithmException: Algorithm x25519 not available
at java.base/javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:194)
...
)
javax.net.ssl|WARNING|2024-12-12 17:00:57.316 CET|NamedGroup.java:297|No AlgorithmParameters for x448 (
"throwable" : {
java.security.NoSuchAlgorithmException: Algorithm x448 not available
at java.base/javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:194)
...
)
javax.net.ssl|WARNING|2024-12-12 17:00:57.322 CET|SignatureScheme.java:296|Signature algorithm, Ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|2024-12-12 17:00:57.323 CET|SignatureScheme.java:296|Signature algorithm, Ed448, is not supported by the underlying providers
javax.net.ssl|INFO|2024-12-12 17:00:57.445 CET|AlpnExtension.java:182|No available application protocols
javax.net.ssl|DEBUG|2024-12-12 17:00:57.446 CET|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2024-12-12 17:00:57.447 CET|SessionTicketExtension.java:408|Stateless resumption supported
javax.net.ssl|DEBUG|2024-12-12 17:00:57.450 CET|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|2024-12-12 17:00:57.755 CET|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|2024-12-12 17:00:57.756 CET|PreSharedKeyExtension.java:661|No session to resume.
javax.net.ssl|DEBUG|2024-12-12 17:00:57.756 CET|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2024-12-12 17:00:57.789 CET|ClientHello.java:641|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "AD7E649F326AE997D6BCF2B2BAE7D019A665797892B091C0CF90F8F60A64399C",
"session id" : "F475C1E0041E5A8BDC270BE3252E06EFC7CD830A18A6C61A1319BD84C34603D4",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=dnug.collab.cloud
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"key_share (51)": {
"client_shares": [
{
"named group": ffdhe2048
"key_exchange": {
0000: CA 1D A2 35 A2 7A 8A A6 DD 8F 8B 96 C3 76 D6 4D ...5.z.......v.M
0010: D7 3E 20 B8 E8 B3 72 2B B0 DF A8 E2 47 FB 8B 96 .> ...r+....G...
0020: 66 4E 7F 9A A8 82 84 BF 45 45 3A 28 1D 77 BC F0 fN......EE:(.w..
0030: 92 B3 1C 64 52 94 B5 EE 43 FC C9 0B 52 26 AE 59 ...dR...C...R&.Y
0040: AE 1E 89 E7 C2 DB 35 C7 9B 83 0F C7 89 37 33 0C ......5......73.
0050: CE CB A3 E4 01 EB 7C 1B D9 3A F1 FE 2F D1 CA 71 .........:../..q
0060: D1 2C 1A 8A CF 11 82 E3 81 73 E4 D3 B9 5B EA 7E .,.......s...[..
0070: 23 A5 E3 B0 25 8D 31 21 4C 63 68 DD F9 01 E2 75 #...%.1!Lch....u
0080: DC 34 01 AA D4 3B 89 88 E3 05 86 9F 52 DB 76 07 .4...;......R.v.
0090: 33 CF 43 34 01 3C E9 30 4B 71 5D AC 65 6E F4 07 3.C4.<.0Kq].en..
00A0: 1E D6 32 49 74 3F 29 DC 39 0F 4E 07 A1 7B EC C8 ..2It?).9.N.....
00B0: BC F6 5B 46 97 5C 9E B9 AD 6D D7 D8 16 12 DB 36 ..[F.\...m.....6
00C0: BA 1A CD 91 7B 34 DD 75 B7 A9 2A 0A 24 53 F6 E7 .....4.u..*.$S..
00D0: 19 E3 65 E3 1F BD FB 83 EF DD CC 2D FA E4 EA 21 ..e........-...!
00E0: 8A 74 0C A3 B6 71 34 0A D6 C6 8A DF F5 31 B0 B3 .t...q4......1..
00F0: 51 6A 7F 97 A4 A7 7C 50 AE 8E 7E 80 20 13 B9 B8 Qj.....P.... ...
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|2024-12-12 17:00:57.811 CET|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|2024-12-12 17:00:57.814 CET|TransportContext.java:370|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
)
javax.net.ssl|DEBUG|2024-12-12 17:00:57.815 CET|SSLSocketImpl.java:1759|close the underlying socket
javax.net.ssl|DEBUG|2024-12-12 17:00:57.815 CET|SSLSocketImpl.java:1785|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
...
编辑: 该问题出现在 HCL Notes 14.0.0(无修订包)及其在 Notes 代理中执行的 JVM 17.0.8.1 中。 如果代码在 HCL Notes 外部使用相同的 JVM 执行,则它会按预期工作。 (见评论)
将 Fix Pack 3 应用到 HCL Notes 14 解决了该问题。可以按预期使用 TLSv1.3 建立连接。 JVM 还通过 Fix Pack 更新为 IBM Semeru Runtime Open Edition 17.0.12.1(内部版本 17.0.12+7)。 我不知道更新的 JVM 或 HCL Notes 14 中的其他内容是否是问题的根本原因。