logo标签列表

使用Java版本"1.7.0_79"时SSL握手失败

javassltls1.2
3

我正在使用Apache HttpClient在Java中与主机之一通信,但出现了handshake_failure错误。完整的跟踪如下:

trigger seeding of SecureRandom done seeding SecureRandom Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session * ClientHello, TLSv1 RandomCookie: GMT: 1477593324 bytes = { 140, 171, 214, 217, 33, 165, 60, 228, 102, 207, 88, 112, 29, 40, 198, 242, 159, 61, 172, 89, 116, 98, 7, 195, 182, 144, 159, 226 } Session ID: {} Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension server_name, server_name: [host_name: integration.swiggy.com] [write] MD5 and SHA1 hashes: len = 180 0000: 01 00 00 B0 03 01 58 12 49 EC 8C AB D6 D9 21 A5 ......X.I.....!. 0010: 3C E4 66 CF 58 70 1D 28 C6 F2 9F 3D AC 59 74 62 <.f.Xp.(...=.Ytb 0020: 07 C3 B6 90 9F E2 00 00 2A C0 09 C0 13 00 2F C0 ............./. 0030: 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 ....3.2......... 0040: 0D 00 16 00 13 C0 07 C0 11 00 05 C0 02 C0 0C 00 ................ 0050: 04 00 FF 01 00 00 5D 00 0A 00 34 00 32 00 17 00 ......]...4.2... 0060: 01 00 03 00 13 00 15 00 06 00 07 00 09 00 0A 00 ................ 0070: 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F 00 10 00 ................ 0080: 11 00 02 00 12 00 04 00 05 00 14 00 08 00 16 00 ................ 0090: 0B 00 02 01 00 00 00 00 1B 00 19 00 00 16 69 6E ..............in 00A0: 74 65 67 72 61 74 69 6F 6E 2E 73 77 69 67 67 79 tegration.swiggy 00B0: 2E 63 6F 6D
.com main, WRITE: TLSv1 Handshake, length = 180 [Raw write]: length = 185 0000: 16 03 01 00 B4 01 00 00 B0 03 01 58 12 49 EC 8C ...........X.I.. 0010: AB D6 D9 21 A5 3C E4 66 CF 58 70 1D 28 C6 F2 9F ...!.<.f.Xp.(... 0020: 3D AC 59 74 62 07 C3 B6 90 9F E2 00 00 2A C0 09 =.Ytb........*.. 0030: C0 13 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 .../.....3.2.... 0040: 00 0A C0 03 C0 0D 00 16 00 13 C0 07 C0 11 00 05 ................ 0050: C0 02 C0 0C 00 04 00 FF 01 00 00 5D 00 0A 00 34 ...........]...4 0060: 00 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 .2.............. 0070: 00 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E ................ 0080: 00 0F 00 10 00 11 00 02
00 12 00 04 00 05 00 14 ................ 0090: 00 08 00 16 00 0B 00 02 01 00 00 00 00 1B 00 19 ................ 00A0: 00 00 16 69 6E 74 65 67 72 61 74 69 6F 6E 2E 73 ...integration.s 00B0: 77 69 67 67 79 2E 63 6F 6D wiggy.com Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at HttpURLConnectionExample.sendGet1(HttpURLConnectionExample.java:83) at HttpURLConnectionExample.main(HttpURLConnectionExample.java:48) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144) [Raw read]: length = 5 0000: 15 03 01 00 02
..... [Raw read]: length = 2 0000: 02 28
.( main, READ: TLSv1 Alert, length = 2 main, RECV TLSv1 ALERT: fatal, handshake_failure main, called closeSocket() main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

我尝试了很多方法,但无法确定问题的确切原因。
1
Java 7不支持自动TLS v1.2。请参见http://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7。 - kichik
对方使用的SSL/TLS版本是什么?自从Java 7u75以来,SSLv3默认已被禁用,请参见:Oracle信息 - Jesper
还有来自Oracle的一些有用信息:诊断TLS、SSL和HTTPS - Jesper
你是正确的,我已经在启动参数中添加了“-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1”,但问题仍然存在。另一方面是 https://www.ssllabs.com/ssltest/analyze.html?d=integration.swiggy.com 。 - Madhur Ahuja
2个回答
11
你的问题是integration.swiggy.com和Java 7之间没有任何共同的密码套件。启用TLSv1.2不会有帮助。
你可以从http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html下载Java 7的JCE无限强度管辖政策文件,并将下载包中的两个JAR文件(local_policy.jar, US_export_policy.jar)替换到JRE的lib/security目录下。这将添加额外(更强大)的密码套件,你应该能够连接而无需更改代码或启用TLSv1.2。
参考资料,以下是Java 7 (1.7.0_79)中可用的密码套件:
Default Cipher
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_DH_anon_WITH_RC4_128_MD5
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
*       SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
*       SSL_RSA_WITH_RC4_128_MD5
*       SSL_RSA_WITH_RC4_128_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA256
*       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_ECDSA_WITH_NULL_SHA
*       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_NULL_SHA
*       TLS_ECDHE_RSA_WITH_RC4_128_SHA
*       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        TLS_ECDH_ECDSA_WITH_NULL_SHA
*       TLS_ECDH_ECDSA_WITH_RC4_128_SHA
*       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDH_RSA_WITH_NULL_SHA
*       TLS_ECDH_RSA_WITH_RC4_128_SHA
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA
        TLS_ECDH_anon_WITH_NULL_SHA
        TLS_ECDH_anon_WITH_RC4_128_SHA
*       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_EXPORT_WITH_RC4_40_MD5
        TLS_KRB5_EXPORT_WITH_RC4_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
        TLS_KRB5_WITH_RC4_128_MD5
        TLS_KRB5_WITH_RC4_128_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_NULL_SHA256

这是使用无限字符串权限策略文件后的结果:

Default Cipher
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_DH_anon_WITH_RC4_128_MD5
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
*       SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
*       SSL_RSA_WITH_RC4_128_MD5
*       SSL_RSA_WITH_RC4_128_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*       TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA256
        TLS_DH_anon_WITH_AES_256_CBC_SHA
        TLS_DH_anon_WITH_AES_256_CBC_SHA256
*       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        TLS_ECDHE_ECDSA_WITH_NULL_SHA
*       TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        TLS_ECDHE_RSA_WITH_NULL_SHA
*       TLS_ECDHE_RSA_WITH_RC4_128_SHA
*       TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
        TLS_ECDH_ECDSA_WITH_NULL_SHA
*       TLS_ECDH_ECDSA_WITH_RC4_128_SHA
*       TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        TLS_ECDH_RSA_WITH_NULL_SHA
*       TLS_ECDH_RSA_WITH_RC4_128_SHA
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA
        TLS_ECDH_anon_WITH_NULL_SHA
        TLS_ECDH_anon_WITH_RC4_128_SHA
*       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_EXPORT_WITH_RC4_40_MD5
        TLS_KRB5_EXPORT_WITH_RC4_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
        TLS_KRB5_WITH_RC4_128_MD5
        TLS_KRB5_WITH_RC4_128_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA256
*       TLS_RSA_WITH_AES_256_CBC_SHA
*       TLS_RSA_WITH_AES_256_CBC_SHA256
        TLS_RSA_WITH_NULL_SHA256

integration.swiggy.com 提供的密码套件有:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS  128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS    256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS  256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS 256

在Java 7的标准加密套件中并没有这些加密套件,但是通过无限制强度权限策略文件可以添加最后4个套件。

已将两个JAR文件添加到jre/lib/security中,但预期的魔法并未发生。有其他替代方案吗? - Shambhu
1

补充Anand Bhat的回答,我展示了下载Oracle JDK7无限制强度策略JAR文件时启用的客户端密码差异。然而,一些服务器即使在TLSv1.2下也只同意使用更新的密码套件。特别是,最新公开可用的JDK 7版本80不支持“GCM密码套件”,导致javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8180834

$ diff -U 1000000 -u ciphers-jdk7-80-orig.txt ciphers-jdk7-80-unlimited.txt
--- ciphers-jdk7-80-orig.txt    2019-01-17 16:03:52.328738900 -0500
+++ ciphers-jdk7-80-unlimited.txt       2019-01-17 16:05:37.783770600 -0500
@@ -1,64 +1,81 @@
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ TLS_RSA_WITH_AES_256_CBC_SHA256
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ TLS_RSA_WITH_AES_256_CBC_SHA
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  TLS_ECDHE_RSA_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_SHA
  TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  TLS_ECDH_RSA_WITH_RC4_128_SHA
  SSL_RSA_WITH_RC4_128_MD5
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA
+ TLS_DH_anon_WITH_AES_256_CBC_SHA
  TLS_DH_anon_WITH_AES_128_CBC_SHA256
  TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  TLS_DH_anon_WITH_AES_128_CBC_SHA
  TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  TLS_ECDH_anon_WITH_RC4_128_SHA
  SSL_DH_anon_WITH_RC4_128_MD5
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_DH_anon_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_WITH_NULL_SHA256
  TLS_ECDHE_ECDSA_WITH_NULL_SHA
  TLS_ECDHE_RSA_WITH_NULL_SHA
  SSL_RSA_WITH_NULL_SHA
  TLS_ECDH_ECDSA_WITH_NULL_SHA
  TLS_ECDH_RSA_WITH_NULL_SHA
  TLS_ECDH_anon_WITH_NULL_SHA
  SSL_RSA_WITH_NULL_MD5
  TLS_KRB5_WITH_3DES_EDE_CBC_SHA
  TLS_KRB5_WITH_3DES_EDE_CBC_MD5
  TLS_KRB5_WITH_RC4_128_SHA
  TLS_KRB5_WITH_RC4_128_MD5
  TLS_KRB5_WITH_DES_CBC_SHA
  TLS_KRB5_WITH_DES_CBC_MD5
  TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  TLS_KRB5_EXPORT_WITH_RC4_40_MD5


import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
import java.security.KeyManagementException;

import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) throws IOException, NoSuchAlgorithmException, KeyManagementException {
        if (args.length != 2) {
            System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
            System.exit(1);
        }
        InputStream in = null;
        OutputStream out = null;
        try {
            SSLSocketFactory sslSocketFactory;
            if (true) {
                // https://www.baeldung.com/java-7-tls-v12
                SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
                sslContext.init(null, null, new SecureRandom());

                sslSocketFactory = sslContext.getSocketFactory();
            } else {
                sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
                // This will cause an exception on connecting to a TLSv1.2-only server,
                // Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
                //         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
                //         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
                //         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
                //         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
                //         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:136)
                //         at SSLPoke.main(SSLPoke.java:66)
                // Caused by: java.io.EOFException: SSL peer shut down incorrectly
                //         at sun.security.ssl.InputRecord.read(InputRecord.java:482)
                //         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
                //         ... 5 more
            }
            SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(args[0], Integer.parseInt(args[1]));

            // https://gist.github.com/lanimall/cb808a11a058f7fb620a#file-gistfile1-java
            String[] protocols = sslSocket.getSupportedProtocols();

            System.out.println("Supported Protocols: " + protocols.length);
            for(int i = 0; i < protocols.length; i++)
            {
                System.out.println(" " + protocols[i]);
            }

            protocols = sslSocket.getEnabledProtocols();

            System.out.println("Enabled Protocols: " + protocols.length);
            for(int i = 0; i < protocols.length; i++)
            {
                System.out.println(" " + protocols[i]);
            }

            String[] ciphers = sslSocket.getSupportedCipherSuites();
            System.out.println("Enabled Ciphers: " + ciphers.length);
            for(int i = 0; i < ciphers.length; i++)
            {
                System.out.println(" " + ciphers[i]);
            }

            in = sslSocket.getInputStream();
            out = sslSocket.getOutputStream();

            // Write a test byte to get a reaction :)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } finally {
            if (in != null) {
                in.close();
            }
            if (out != null) {
                out.close();
            }
        }
    }
}
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接