开发者

Java: problem with SSL authentication/SSL debug

I'm currently trying to develop a small utility that sends an http request to a given https url. I have tried debugging by means of setting the system property "java.net.debug" to "ssl". However, I would like to know if there is a way of knowing who is on the other side of the connection. This is important so that I might find out if my problems are due to the proxy (which I must use) or to the target itself. Is this possible?

I will gladly make available any other information that might be necessary to help to solve this issue. (this has already taken me some large hours and I would very much like to see it behind me)

Also, I'll post an extract of my error output below (with the "ssl" debug flag when trying my connection through the proxy).

Thanks to anyone who might help with ideas, tips, resources, etc.

Error output (extract):
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1315387357 bytes = { 204, 54, 224, 210, 62, 4, 115, 194, 63, 143, 61, 163, 43, 167, 63, 217, 104, 166, 123, 152, 32, 226, 42, 143, 191, 249, 183, 192 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 75
0000: 01 00 00 47 03 01 4E 67   38 DD CC 36 E0 D2 3E 04  ...G..Ng8..6..>.
0010: 73 C2 3F 8F 3D A3 2B A7   3F D9 68 A6 7B 98 20 E2  s.?.=.+.?.h... .
0020: 2A 8F BF F9 B7 C0 00 00   20 00 04 00 05 00 2F 00  *....... ...../.
0030: 33 00 32 00 0A 00 16 00   13 00 09 00 15 00 12 00  3.2.............
0040: 03 00 08 00 14 00 11 00   FF 01 00                 ...........
main, WRITE: TLSv1 Handshake, length = 75
[write] MD5 and SHA1 hashes:  len = 101
0000: 01 03 01 00 3C 00 00 00   20 00 00 04 01 00 80 00  ....<... .......
0010: 00 0开发者_如何转开发5 00 00 2F 00 00 33   00 00 32 00 00 0A 07 00  ..../..3..2.....
0020: C0 00 00 16 00 00 13 00   00 09 06 00 40 00 00 15  ............@...
0030: 00 00 12 00 00 03 02 00   80 00 00 08 00 00 14 00  ................
0040: 00 11 00 00 FF 4E 67 38   DD CC 36 E0 D2 3E 04 73  .....Ng8..6..>.s
0050: C2 3F 8F 3D A3 2B A7 3F   D9 68 A6 7B 98 20 E2 2A  .?.=.+.?.h... .*
0060: 8F BF F9 B7 C0                                     .....
main, WRITE: SSLv2 client hello message, length = 101
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at <my.fqdn.class>.run(EisRequestResponseMonitor.java:193)
    at <my.fqdn.class>.main(EisRequestResponseMonitor.java:81)

UPDATE: Since my post I was able to get some more information. My problem seems to be tied to the proxy indeed. I'm getting a 407 HTTP code which I was missing when I looked at my debug information (this error was written to the log and I missed it). I'm using Apache's httpclient component (latest version at this date which is 4.1.2) and now I'm struggling to correctly "attach" my credentials provider. I say "struggling" because all examples I find are for version 3.x and the api has changed since then.

UPDATE.V2: Well, after a lot more tests I found out that the machine I was working on could not access the proxy as I was told to do. However, this information came directly from the security people. Other than them, everyone else thought it was possible.


Very odd trace. Both a TLSv1 and an SSLv2 ClientHello message are being written, and the peer is definitely not accepting the latter, which you can fix by removing SSLv2ClientHello from the enabled protocols. But why both are there is a mystery.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜