我试图找出一个问题,在8u60中使用SSL时,我们的应用程序会中断,但在以前的Java版本中则不会。在8u60中,当尝试建立HTTPS连接时,我们得到javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)并将断点放置在适当的位置,我看到密码套件的列表确实为空,而当我使用相同的代码时,它填充的是我期望的值。在8u45或更早版本中运行。

一个显示此行为的SSCCE(假设您在正确的相对路径中有证书密钥库...)我在SSCCE中使用Jetty 9.3.0,但我们的应用程序使用9.2.x,如下所示:

public class HelloWorldSSL extends AbstractHandler {
    private static final int HTTP_PORT = 9999;
    private static final int SSL_PORT = 9998;

    public void handle(String s, Request request, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws IOException, ServletException {
        httpServletResponse.setContentType("text/html;charset=utf-8");
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        request.setHandled(true);
        httpServletResponse.getWriter().println("<h1>Hello World</h1>");
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();

        // HTTP Configuration
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(SSL_PORT);

        // HTTP Connector
        ServerConnector httpConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        httpConnector.setPort(HTTP_PORT);
        server.addConnector(httpConnector);

        // SSL Configuration
        String keystorePath = "src/main/resources/keystore.jks";
        File keyStoreFile = new File(keystorePath);
        if (keyStoreFile.exists()) {
            SslContextFactory sslContextFactory = new SslContextFactory(keystorePath);
            sslContextFactory.setKeyStorePassword("123456");

            String[] defaultCiphers = new String[] { "TLS_RSA_WITH_RC4_128_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES256-SHA384",
                    "AES256-SHA-256", "SSL_RSA_WITH_RC4_128_SHA", "TLS_KRB5_WITH_RC4_128_SHA" };
            sslContextFactory.setIncludeCipherSuites(defaultCiphers);
            HttpConfiguration sslConfig = new HttpConfiguration(httpConfig);
            sslConfig.addCustomizer(new SecureRequestCustomizer());
            ServerConnector sslConnector = new ServerConnector(server, sslContextFactory,
                    new HttpConnectionFactory(sslConfig));
            sslConnector.setPort(SSL_PORT);
            sslConnector.setAcceptQueueSize(5);
            server.addConnector(sslConnector);

        }
        HandlerList handlers = new HandlerList();
        handlers.addHandler(new HelloWorldSSL());
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}


有什么明显的我们正在做错的事情可以解释为什么它在8u45而不是8u60中起作用?查看8u60更改日志没有帮助。 (尝试浏览关于Jetty的错误报告真是一场噩梦。

[编辑]
阅读Java错误报告使我尝试删除sslContextFactory.setIncludeCipherSuites(defaultCiphers);行,现在代码在8u60中可用。仍然希望有人对此有何见解...

最佳答案

通过实验和码头人的一些帮助找到了答案。看起来Java的可接受密码列表已从8u45更改为8u60,并且上面数组中的所有密码都不在新的可接受列表上,从而导致空白的可接受密码列表。

从添加默认密码列表更改为添加默认协议(TLSv1.2),使所有功能都可以在8u60和早期版本中使用,并且引导更安全。

09-25 21:05