Jetty 9.3.8.v20160314 拒绝 TLSv1 和 TLSv1.1 但不拒绝 TLSv1.2 连接
Jetty 9.3.8.v20160314 rejects TLSv1 and TLSv1.1 but not TLSv1.2 connections
Ubuntu 14.04.4 LTS(GNU/Linux 3.13.0-91-通用 x86_64)
java 版本“1.8.0_91”
Java(TM) SE 运行时环境(build 1.8.0_91-b14)
Java HotSpot(TM) 64 位服务器 VM(内部版本 25.91-b14,混合模式)
Jetty 9.3.8.v2016031 连接器配置如下:
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(sslKeystore);
sslContextFactory.setKeyStorePassword(SystemUtils.getEnvOrThrow("SERVER_SSL_PASSWORD"));
sslContextFactory.setKeyManagerPassword(SystemUtils.getEnvOrThrow("SERVER_SSL_KEY_PASSWORD"));
HttpConfiguration https_config = new HttpConfiguration();
https_config.setOutputBufferSize(32768);
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector https = new ServerConnector(
server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https_config));
https.setPort(Integer.valueOf(SystemUtils.getEnvOrThrow("SERVER_SSL_PORT")));
https.setIdleTimeout(60000);
server.setConnectors(new Connector[] { https });
我可以建立 TLSv1.2 连接:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.2
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
但是当我尝试使用 TLSv1.0 或 TLSv1.1 时,我得到了这个:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.0
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* Server aborted the SSL handshake
启用和支持的协议列表为:
Enabled protocol: SSLv2Hello
Enabled protocol: TLSv1
Enabled protocol: TLSv1.1
Enabled protocol: TLSv1.2
Supported protocol: SSLv2Hello
Supported protocol: SSLv3
Supported protocol: TLSv1
Supported protocol: TLSv1.1
Supported protocol: TLSv1.2
而且我不知道问题出在哪里。
我有一些客户端只能使用 TLSv1.0。
更新 1 - 添加了 sslscan 输出
Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Failed SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-AES-256-CBC-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected SSLv3 256 bits AECDH-AES256-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Failed SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-AES-128-CBC-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected SSLv3 128 bits AECDH-AES128-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Rejected SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Failed SSLv3 0 bits NULL-SHA256
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Failed TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-AES-256-CBC-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected TLSv1 256 bits AECDH-AES256-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Failed TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-AES-128-CBC-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected TLSv1 128 bits AECDH-AES128-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits ADH-SEED-SHA
Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Rejected TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Failed TLSv1 0 bits NULL-SHA256
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
更新 2 - 更详细的 curl 输出
* Hostname was NOT found in DNS cache
* Trying 123.45.67.890...
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to <hidden_hostname>:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to <hidden_hostname>:443
TLSv1.0 被认为是不安全和易受攻击的。
Jetty 上的默认配置(以及 Java 的某些版本)禁用了 TLS 1.0 所需的密码。
这是短期内解决问题的方法。
Note: once TLS 1.3 is a reality, and Java supports it, then even this short term fix will not be possible, as TLS 1.3 has plans to outright ban known vulnerable Ciphers from being present for any support level.
You really need to upgrade those clients soon, otherwise you'll be stuck on old java, old jetty, and even old OS installations with no valid option to upgrade any of those.
首先,您的 SslContextFactory 有一个 declared set of exclude ciphers,您需要调整这些排除项以尽可能适合您的环境。
您可以通过重新声明排除的密码来执行此操作。
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
如果这仍然不能帮助您,那么您可能还有 Java 级禁用密码。
检查 $JAVA_HOME/jre/lib/security/java.security 文件是否有任何禁用 "ciphers" 或 "algorithms" 的配置(名称可能因您选择的 JVM 而异)
Ubuntu 14.04.4 LTS(GNU/Linux 3.13.0-91-通用 x86_64)
java 版本“1.8.0_91” Java(TM) SE 运行时环境(build 1.8.0_91-b14) Java HotSpot(TM) 64 位服务器 VM(内部版本 25.91-b14,混合模式)
Jetty 9.3.8.v2016031 连接器配置如下:
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(sslKeystore);
sslContextFactory.setKeyStorePassword(SystemUtils.getEnvOrThrow("SERVER_SSL_PASSWORD"));
sslContextFactory.setKeyManagerPassword(SystemUtils.getEnvOrThrow("SERVER_SSL_KEY_PASSWORD"));
HttpConfiguration https_config = new HttpConfiguration();
https_config.setOutputBufferSize(32768);
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector https = new ServerConnector(
server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https_config));
https.setPort(Integer.valueOf(SystemUtils.getEnvOrThrow("SERVER_SSL_PORT")));
https.setIdleTimeout(60000);
server.setConnectors(new Connector[] { https });
我可以建立 TLSv1.2 连接:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.2
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
但是当我尝试使用 TLSv1.0 或 TLSv1.1 时,我得到了这个:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.0
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* Server aborted the SSL handshake
启用和支持的协议列表为:
Enabled protocol: SSLv2Hello
Enabled protocol: TLSv1
Enabled protocol: TLSv1.1
Enabled protocol: TLSv1.2
Supported protocol: SSLv2Hello
Supported protocol: SSLv3
Supported protocol: TLSv1
Supported protocol: TLSv1.1
Supported protocol: TLSv1.2
而且我不知道问题出在哪里。 我有一些客户端只能使用 TLSv1.0。
更新 1 - 添加了 sslscan 输出
Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Failed SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-AES-256-CBC-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected SSLv3 256 bits AECDH-AES256-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Failed SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-AES-128-CBC-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected SSLv3 128 bits AECDH-AES128-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Rejected SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Failed SSLv3 0 bits NULL-SHA256
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Failed TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-AES-256-CBC-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected TLSv1 256 bits AECDH-AES256-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Failed TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-AES-128-CBC-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected TLSv1 128 bits AECDH-AES128-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits ADH-SEED-SHA
Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Rejected TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Failed TLSv1 0 bits NULL-SHA256
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
更新 2 - 更详细的 curl 输出
* Hostname was NOT found in DNS cache
* Trying 123.45.67.890...
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to <hidden_hostname>:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to <hidden_hostname>:443
TLSv1.0 被认为是不安全和易受攻击的。
Jetty 上的默认配置(以及 Java 的某些版本)禁用了 TLS 1.0 所需的密码。
这是短期内解决问题的方法。
Note: once TLS 1.3 is a reality, and Java supports it, then even this short term fix will not be possible, as TLS 1.3 has plans to outright ban known vulnerable Ciphers from being present for any support level.
You really need to upgrade those clients soon, otherwise you'll be stuck on old java, old jetty, and even old OS installations with no valid option to upgrade any of those.
首先,您的 SslContextFactory 有一个 declared set of exclude ciphers,您需要调整这些排除项以尽可能适合您的环境。
您可以通过重新声明排除的密码来执行此操作。
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setExcludeCipherSuites(
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
如果这仍然不能帮助您,那么您可能还有 Java 级禁用密码。
检查 $JAVA_HOME/jre/lib/security/java.security 文件是否有任何禁用 "ciphers" 或 "algorithms" 的配置(名称可能因您选择的 JVM 而异)