This page covers handling an SSLException raised during the handshake while resuming a cached session.

Problem description

My J2SE app uses HttpsUrlConnection to access a secure location. It used to work just fine until I updated my JRE to 1.7. Now I get the "Remote host closed connection during handshake" SSLException. After running the app using -Djavax.net.debug=ssl:handshake, both under JRE 1.6 and JRE 1.7, my impression is that under 1.7 the cached client session fails to resume.

UPDATE: I have come to understand that under JRE 1.6 my client app uses SSLv2Hello encapsulation. However it does not do that under JRE 1.7, which is most probably what causes the exception. My question is now this: how do I enable SSLv2Hello encapsulation for clients running on JRE 1.7?

UPDATE #2: SSLv2Hello accomplished on JRE 7 via System.setProperty("https.protocols", "TLSv1,SSLv2Hello"). However this didn't make the handshake exception go away. Turns out that the true reason for the exception is the cipher suite. On JRE 6 the server picks SSL_RSA_WITH_RC4_128_MD5 out of the client's options, while on JRE 7 it always goes with TLS_DHE_RSA_WITH_AES_128_CBC_SHA. For some reason the server can't resume cached sessions using TLS_DHE_RSA_WITH_AES_128_CBC_SHA. Problem patched using System.setProperty("https.cipherSuites", suggestedCipherSuites) where suggestedCipherSuites always starts with SSL_RSA_WITH_RC4_128_MD5. Any downsides with this approach?

UPDATE #3: The client's SNI extension was bothering the server. See

Recommended answer

In the end it turns out that the problem was related to the SNI extension in the JSSE client 1.7. The solution is to disable sending SNI records, before any access to an https location:

System.setProperty("jsse.enableSNIExtension", "false");

Many thanks to eckes for his solution (see SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0).
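
An added example, not part of the original question or answer: a small Java audit of the three JVM-wide overrides quoted on this page (https.protocols, https.cipherSuites, jsse.enableSNIExtension) against what the running JRE supports and enables by default. The class name `JsseOverrideAudit`, its helper methods and the fallback property values are assumptions constructed for illustration.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class JsseOverrideAudit {
    // Split a comma-separated property value into trimmed, non-empty names.
    static List<String> parse(String csv) {
        List<String> out = new ArrayList<>();
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Describe one requested name against what this JRE supports and enables.
    static String status(String name, String[] supported, String[] enabled) {
        if (!Arrays.asList(supported).contains(name)) return "not supported by this JRE";
        if (!Arrays.asList(enabled).contains(name)) return "supported but not enabled by default";
        return "enabled by default";
    }

    // RC4 is prohibited in TLS by RFC 7465; MD5-based MACs are likewise legacy.
    static boolean isLegacySuite(String suite) {
        return suite.contains("_RC4_") || suite.endsWith("_MD5");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        // Fallback values are constructed samples mirroring the overrides quoted on this page.
        String protocols = System.getProperty("https.protocols", "TLSv1,SSLv2Hello");
        String suites = System.getProperty("https.cipherSuites",
                "SSL_RSA_WITH_RC4_128_MD5,TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
        for (String p : parse(protocols)) {
            System.out.println("protocol " + p + ": " + status(p, sup.getProtocols(), def.getProtocols()));
        }
        for (String s : parse(suites)) {
            System.out.println("suite " + s + ": " + status(s, sup.getCipherSuites(), def.getCipherSuites())
                    + (isLegacySuite(s) ? " [legacy RC4/MD5]" : ""));
        }
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        // The property is JVM-wide: "false" removes SNI from every HTTPS connection, not one host.
        boolean sni = !"false".equalsIgnoreCase(System.getProperty("jsse.enableSNIExtension", "true"));
        System.out.println("SNI sent by JSSE clients in this JVM: " + sni);
    }
}
```

Run it with the same -D flags as the application to see how each requested protocol and cipher suite fares on that JRE.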
