我试图找出一个问题,在8u60中使用SSL时,我们的应用程序会中断,但在以前的Java版本中则不会。在8u60中,当尝试建立HTTPS连接时,我们得到javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
并将断点放置在适当的位置,我看到密码套件的列表确实为空,而当我使用相同的代码时,它填充的是我期望的值。在8u45或更早版本中运行。
一个显示此行为的SSCCE(假设您在正确的相对路径中有证书密钥库...)我在SSCCE中使用Jetty 9.3.0,但我们的应用程序使用9.2.x,如下所示:
public class HelloWorldSSL extends AbstractHandler {
private static final int HTTP_PORT = 9999;
private static final int SSL_PORT = 9998;
public void handle(String s, Request request, HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse) throws IOException, ServletException {
httpServletResponse.setContentType("text/html;charset=utf-8");
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
request.setHandled(true);
httpServletResponse.getWriter().println("<h1>Hello World</h1>");
}
public static void main(String[] args) throws Exception
{
Server server = new Server();
// HTTP Configuration
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setSecureScheme("https");
httpConfig.setSecurePort(SSL_PORT);
// HTTP Connector
ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
httpConnector.setPort(HTTP_PORT);
server.addConnector(httpConnector);
// SSL Configuration
String keystorePath = "src/main/resources/keystore.jks";
File keyStoreFile = new File(keystorePath);
if (keyStoreFile.exists()) {
SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
sslContextFactory.setKeyStorePassword("123456");
String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
"SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
"AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
sslContextFactory.setIncludeCipherSuites(defaultCiphers);
HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
sslConfig.addCustomizer(new SecureRequestCustomizer());
ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
new HttpConnectionFactory(sslConfig));
sslConnector.setPort(SSL_PORT);
sslConnector.setAcceptQueueSize(5);
server.addConnector(sslConnector);
}
HandlerList handlers = new HandlerList();
handlers.addHandler(new HelloWorldSSL());
server.setHandler(handlers);
server.start();
server.join();
}
}
有什么明显的我们正在做错的事情可以解释为什么它在8u45而不是8u60中起作用?查看8u60更改日志没有帮助。 (尝试浏览关于Jetty的错误报告真是一场噩梦。
[编辑]
阅读Java错误报告使我尝试删除
sslContextFactory.setIncludeCipherSuites(defaultCiphers);
行,现在代码在8u60中可用。仍然希望有人对此有何见解... 最佳答案
通过实验和码头人的一些帮助找到了答案。看起来Java的可接受密码列表已从8u45更改为8u60,并且上面数组中的所有密码都不在新的可接受列表上,从而导致空白的可接受密码列表。
从添加默认密码列表更改为添加默认协议(TLSv1.2),使所有功能都可以在8u60和早期版本中使用,并且引导更安全。