SSLHandshakeException:没有共同的密码套件

2022-01-25 00:00:00 authentication ssl ssl-certificate java

按照此处的说明操作并重新创建了我之前的证书错误地创建.我现在看到 javax.net.ssl.SSLHandshakeException: no cipher suites in commonjavax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 发生了一些变化代码>在客户端.而不是错误this question

Followed the instructions here and recreated certificates that I previously incorrectly created. Something has changed as I am now seeing javax.net.ssl.SSLHandshakeException: no cipher suites in common on the server and javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure on the client. Instead of the errors this question

服务器是 ClassFileServer.java 和相应的客户端 SSLSocketClientWithClientAuth.java

The server is ClassFileServer.java and the respective client SSLSocketClientWithClientAuth.java

关于让两端很好玩的任何提示,请注意我使用的是 localhost,所以我假设密码功能是相同的.

Any tips on getting the two ends to play nicely, note that I am using localhost so I would assume the cipher capabilities are the same.

更新:

这是我用来生成文件的步骤,我可能会混淆密钥和信任库.:

Here are the steps I have used to generate the files, I may be confusing the key and truststore.:

在服务器上(接下来是 this指南):

On the server (following by this guide):

$ keytool -genkey -alias serverkey -keyalg RSA -keypass p@ssw0rd-storepass p@ssw0rd -keystore keystore.jks

$ keytool -export -alias serverkey -storepass p@ssw0rd -fileserver.cer -keystore keystore.jks

$ keytool -import -v -trustcacerts -alias clientkey -file../client/client.cer -keystore cacerts.jks -keypass p@ssw0rd-storepass p@ssw0rd

在客户端(由 this 指南):

On the client-side (by this guide):

$ keytool -genkey -alias clientkey -keyalg RSA -keypass changeit-storepass changeit -keystore keystore.jks

$ keytool -export -alias clientkey -storepass changeit -fileclient.cer -keystore keystore.jks

$ keytool -import -v -trustcacerts -alias serverkey -file../server/server.cer -keystore cacerts.jks -keypass changeit-storepass changeit

由于调试超出了本站的正文限制,不得不使用其他媒体:

Had to use another medium as the debugging exceeded the body limit of this site:

客户端调试错误: http://pastebin.com/mHCmEqAk

服务器调试错误: http://pastebin.com/YZbh7H8f

推荐答案

javax.net.ssl.SSLHandshakeException: no cipher suites in common

这有两个原因:

  1. 服务器没有私钥和证书,可能根本没有密钥库.在这种情况下,它只能使用默认禁用的不安全匿名密码套件,并且应该保持这种状态.因此,它没有可以同意与客户端一起使用的密码套件.

  1. The server doesn't have a private key and certificate, and possibly doesn't have a keystore at all. In such a case it can only use the insecure anonymous cipher suites, which are disabled by default, and should stay that way. So there is no cipher suite that it can agree to use with the client.

客户端或服务器或两者都对密码套件施加过多限制,从而无法达成协议.

Excessive restrictions on cipher suites imposed by client or server or both such that there can be no agreement.

关于您的密钥库和信任库,看起来一切正常,只是您执行了四个导入步骤,而您只需要两个.您不需要将服务器的证书导入服务器自己的信任库,或者将客户端的证书导入客户端的信任库.你只需要这个:

Re your keystores and truststores, that all looks OK except that you are doing four import steps where you only need two. You don't need to import the server's certificate into the server's own truststore, or the client's certificate into the client's truststore. You only need this:

服务器:

$ keytool -import -v -trustcacerts -alias clientkey -file ../client/client.cer -keystore cacerts.jks -keypass p@ssw0rd -storepass p@ssw0rd

客户:

$ keytool -import -v -trustcacerts -alias serverkey -file ../server/server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

您只需要它,因为您使用的是自签名证书.简单的解决方案:不要.使用 CA 签名的证书,该证书受 Java 附带的默认信任库信任.

and you only need it because you're using a self-signed certificate. Simple solution: don't. Use a CA-signed certificate, which is trusted by the default truststore shipped with Java.

相关文章