发表新帖
发表新帖

How do I set SSL protocol version in java? And how do I know which one? javax.net.ssl.SSLException: Received fatal alert: protocol_version

后端 未结
关注
4 1486
执念已碎
执念已碎 2021-02-02 05:03

I am using Apache HttpClient 4.3 to interact with the API of hubic.com. My minimal reproducable example is just a one liner:

<
4条回答
  • 轮回少年
    轮回少年 (楼主)
    2021-02-02 05:25

    I see from the debug that Java does a TLS1.2 handshake instead of the more common SSLv23 handshake:

    main, WRITE: TLSv1.2 Handshake, length = 225
[Raw write]: length = 230
0000: 16 03 03 00
         ^^^^^ - TLS1.2 (SSL3.3)

    The server itself can do only TLS1.0 and fails to just announce this older version. I'm not familiar with Java, but you either need set the protocol version to TLSv1 or SSLv23 to speak with this server.

    The following code would set only TLSv1 with Apache HttpClient:

    HttpClientBuilder
  .create()
  .setSslcontext(SSLContexts.custom().useProtocol("TLSv1").build())
  .build()
  .execute(new HttpGet("https://hubic.com"));

    EDIT to include question from comment:

    If you say that the server "fails to just announce this older version", does that mean that the server is misconfigured? In this case, why don't Firefox&Chromium have any problems?

    If the client announces TLS1.2 in the ClientHello and the server can do only TLS1.0 it should announce this, i.e. reply with TLS1.0. The client can then close the connection if TLS1.0 is not good enough or continue with TLS1.0. But, in this case the server just told the client that it does not like this version and closed the connection. Firefox and others instead do a SSLv23 announcement, where they do a TLS1.0 handshake but also announce the best protocol version they support. This usually works good for older servers starting from SSL3.0 but also for newer servers.

    You can check the behavior of the server with a recent Perl/IO::Socket::SSL and this script.

    $ perl analyze-ssl.pl hubic.com
-- hubic.com port 443
 * maximum SSL version  : TLSv1 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1     AES256-SHA
   * TLSv1_2   FAILED: SSL connect attempt failed error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
   * TLSv1_1   FAILED: SSL connect attempt failed error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
   * TLSv1     TLSv1     AES256-SHA
   * SSLv3     FAILED: SSL connect attempt failed because of handshake problems error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

    Here you can see, that the hosts supports SSLv23 and TLSv1 handshakes, but not the used TLSv1_2 handshake.

    0 讨论(0)
 看不清?
提交回复
热议问题