场景
java程序使用https方式调用nessus接口时,使用jdk1.7返回如下内容:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
使用jdk1.8返回正常
{"token":"f360654233f65d964ed220914ec10916fe206a3d1b1c1b41"}
使用浏览器访问正常,debug发现发现:
协议版本:TLSv1.2 密码组合:TLS_RSA_WITH_AES_128_CBC_SHA
百度后发现
原因很明显 因为jdk1.7默认支持的TLS是V1 ,jdk1.8默认支持的是v1.2
解决方案使用第三方的Bouncy Castle 代码如下:
建立一个TLSSocketConnectionFactory
import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.DataOutputStream; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.KeyStore; import java.security.Principal; import java.security.SecureRandom; import java.security.Security; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateFactory; import java.util.Hashtable; import java.util.LinkedList; import java.util.List; import javax.net.ssl.HandshakeCompletedListener; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSessionContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.security.cert.X509Certificate; import org.bouncycastle.crypto.tls.*; import org.bouncycastle.crypto.tls.Certificate; import org.bouncycastle.jce.provider.BouncyCastleProvider; /** * Created by hzlizhou on 2016/9/9. */ public class TLSSocketConnectionFactory extends SSLSocketFactory { static { if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); } } @Override public Socket createSocket(Socket socket, final String host, int port, boolean arg3) throws IOException { if (socket == null) { socket = new Socket(); } if (!socket.isConnected()) { socket.connect(new InetSocketAddress(host, port)); } final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom()); return _createSSLSocket(host, tlsClientProtocol); } @Override public String[] getDefaultCipherSuites() { return null; } @Override public String[] getSupportedCipherSuites() { return null; } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { throw new UnsupportedOperationException(); } @Override public Socket createSocket(InetAddress host, int port) throws IOException { throw new UnsupportedOperationException(); } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { throw new UnsupportedOperationException(); } private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) { return new SSLSocket() { private java.security.cert.Certificate[] peertCerts; @Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); } @Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); } @Override public synchronized void close() throws IOException { tlsClientProtocol.close(); } @Override public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) { } @Override public boolean getEnableSessionCreation() { return false; } @Override public String[] getEnabledCipherSuites() { return null; } @Override public String[] getEnabledProtocols() { return null; } @Override public boolean getNeedClientAuth() { return false; } @Override public SSLSession getSession() { return new SSLSession() { @Override public int getApplicationBufferSize() { return 0; } @Override public String getCipherSuite() { throw new UnsupportedOperationException(); } @Override public long getCreationTime() { throw new UnsupportedOperationException(); } @Override public byte[] getId() { throw new UnsupportedOperationException(); } @Override public long getLastAccessedTime() { throw new UnsupportedOperationException(); } @Override public java.security.cert.Certificate[] getLocalCertificates() { throw new UnsupportedOperationException(); } @Override public Principal getLocalPrincipal() { throw new UnsupportedOperationException(); } @Override public int getPacketBufferSize() { throw new UnsupportedOperationException(); } @Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; } @Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; } @Override public String getPeerHost() { throw new UnsupportedOperationException(); } @Override public int getPeerPort() { return 0; } @Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; } @Override public String getProtocol() { throw new UnsupportedOperationException(); } @Override public SSLSessionContext getSessionContext() { throw new UnsupportedOperationException(); } @Override public Object getValue(String arg0) { throw new UnsupportedOperationException(); } @Override public String[] getValueNames() { throw new UnsupportedOperationException(); } @Override public void invalidate() { throw new UnsupportedOperationException(); } @Override public boolean isValid() { throw new UnsupportedOperationException(); } @Override public void putValue(String arg0, Object arg1) { throw new UnsupportedOperationException(); } @Override public void removeValue(String arg0) { throw new UnsupportedOperationException(); } }; } @Override public String[] getSupportedProtocols() { return null; } @Override public boolean getUseClientMode() { return false; } @Override public boolean getWantClientAuth() { return false; } @Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { } @Override public void setEnableSessionCreation(boolean arg0) { } @Override public void setEnabledCipherSuites(String[] arg0) { } @Override public void setEnabledProtocols(String[] arg0) { } @Override public void setNeedClientAuth(boolean arg0) { } @Override public void setUseClientMode(boolean arg0) { } @Override public void setWantClientAuth(boolean arg0) { } @Override public String[] getSupportedCipherSuites() { return null; } @Override public void startHandshake() throws IOException { tlsClientProtocol.connect(new DefaultTlsClient() { @SuppressWarnings("unchecked") @Override public Hashtable<Integer, byte[]> getClientExtensions() throws IOException { Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions(); if (clientExtensions == null) { clientExtensions = new Hashtable<Integer, byte[]>(); } //Add host_name byte[] host_name = host.getBytes(); final ByteArrayOutputStream baos = new ByteArrayOutputStream(); final DataOutputStream dos = new DataOutputStream(baos); dos.writeShort(host_name.length + 3); dos.writeByte(0); dos.writeShort(host_name.length); dos.write(host_name); dos.close(); clientExtensions.put(ExtensionType.server_name, baos.toByteArray()); return clientExtensions; } @Override public TlsAuthentication getAuthentication() throws IOException { return new TlsAuthentication() { @Override public void notifyServerCertificate(Certificate serverCertificate) throws IOException { try { KeyStore ks = _loadKeyStore(); CertificateFactory cf = CertificateFactory.getInstance("X.509"); List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>(); boolean trustedCertificate = false; for (org.bouncycastle.asn1.x509.Certificate c : ((org.bouncycastle.crypto.tls.Certificate) serverCertificate).getCertificateList()) { java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())); certs.add(cert); String alias = ks.getCertificateAlias(cert); if (alias != null) { if (cert instanceof java.security.cert.X509Certificate) { try { ((java.security.cert.X509Certificate) cert).checkValidity(); trustedCertificate = true; } catch (CertificateExpiredException cee) { // Accept all the certs! } } } else { // Accept all the certs! } } if (!trustedCertificate) { // Accept all the certs! } peertCerts = certs.toArray(new java.security.cert.Certificate[0]); } catch (Exception ex) { ex.printStackTrace(); throw new IOException(ex); } } @Override public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException { return null; } private KeyStore _loadKeyStore() throws Exception { FileInputStream trustStoreFis = null; try { KeyStore localKeyStore = null; String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType") != null ? System.getProperty("javax.net.ssl.trustStoreType") : KeyStore.getDefaultType(); String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider") != null ? System.getProperty("javax.net.ssl.trustStoreProvider") : ""; if (trustStoreType.length() != 0) { if (trustStoreProvider.length() == 0) { localKeyStore = KeyStore.getInstance(trustStoreType); } else { localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider); } char[] keyStorePass = null; String str5 = System.getProperty("javax.net.ssl.trustStorePassword") != null ? System.getProperty("javax.net.ssl.trustStorePassword") : ""; if (str5.length() != 0) { keyStorePass = str5.toCharArray(); } localKeyStore.load(trustStoreFis, keyStorePass); if (keyStorePass != null) { for (int i = 0; i < keyStorePass.length; i++) { keyStorePass[i] = 0; } } } return localKeyStore; } finally { if (trustStoreFis != null) { trustStoreFis.close(); } } } }; } }); } // startHandshake }; } }
发送一个map格式的post请求
import javax.net.ssl.HttpsURLConnection; import com.alibaba.fastjson.JSON; import java.io.BufferedReader; import java.io.DataOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.io.OutputStreamWriter; import java.net.HttpURLConnection; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; public class HttpsUrlConnectionForTLS { public HttpURLConnection createConnection(URI uri) throws IOException { URL url = uri.toURL(); URLConnection connection = url.openConnection(); HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection; httpsURLConnection.setSSLSocketFactory(new TLSSocketConnectionFactory()); return httpsURLConnection; } public static void main(String[] args) { HttpsUrlConnectionForTLS httpsUrlConnectionMessageSender = new HttpsUrlConnectionForTLS(); String loginUrl = "https://192.168.186.73/session"; String data = "username=xiaomi&password=Ultrasafe_123"; HttpURLConnection connection; try { connection = httpsUrlConnectionMessageSender.createConnection(new URI(loginUrl )); connection.setDoOutput(true); connection.setDoInput(true); connection.setRequestMethod("POST"); connection.setUseCaches(false); connection.setInstanceFollowRedirects(true); connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded"); connection.connect(); //POST请求 OutputStreamWriter os = null; String json=""; os = new OutputStreamWriter(connection.getOutputStream()); os.write(data); os.flush(); json=getResponse(connection); System.out.println(json); if (connection != null) { connection.disconnect(); } } catch (IOException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (URISyntaxException e) { // TODO Auto-generated catch block e.printStackTrace(); } } public static String getResponse(HttpURLConnection Conn) throws IOException { InputStream is; if (Conn.getResponseCode() >= 400) { is = Conn.getErrorStream(); } else { is = Conn.getInputStream(); } String response = ""; byte buff[] = new byte[512]; int b = 0; while ((b = is.read(buff, 0, buff.length)) != -1) { response += new String(buff, 0, b); } is.close(); System.out.println(response); return response; } }
OK 搞定
相关推荐
Jdk1.7补丁 支持 TLS1.2 For JRE 1.7.0_131-b31 in Oracle site : TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 ...
jdk1.7补丁 支持 TLS1.2 For JRE 1.7.0_131-b31 in Oracle site : TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 ...
3、改进的安全性:JDK 7提供了更多的安全性特性,包括支持TLS 1.2协议和强密码算法。 4、对动态语言的支持:JDK 7增强了对动态语言的支持,并提供了一个新的字节码指令invokedynamic,以提高动态语言的性能。 5、...
jdk1.7补丁 支持 TLS1.2 For JRE 1.7.0_131-b31 in Oracle site : TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 ...
如果服务器不支持HTTP/2,OkHttp会自动回退到HTTP/1.1,并尝试使用SPDY,这是一种前向兼容的协议,旨在解决HTTP/1.1的问题。 3. **缓存机制**:OkHttp内置了智能的缓存系统,可以根据响应头自动判断是否将资源缓存...
##### 1.7 解决 WebLogic 启动问题 - **调整 Java 安全设置**:修改 `$JAVA_HOME/jre/lib/security/java.security` 文件中的 `securerandom.source` 参数,将其设置为 `file:/dev/./urandom` 以提高启动速度。 ####...
对于Tomcat 6.0,建议使用JDK 1.6或1.7版本。 - **Linux 6.1 64位操作系统**:确保操作系统为64位版本,以利用64位处理器的优势。 ### 2. 安装步骤 #### 2.1 安装Linux 6.1 - **在VMware中进行安装引导**:这通常...
- **2.4.2 SSL/TLS支持**:内置SSL/TLS加密支持,保护数据安全。 - **2.4.3 HTTP实现**:内置HTTP服务器和客户端,方便处理HTTP请求。 - **2.4.4 Google Protocol Buffer集成**:支持Google Protocol Buffers,...
##### 1.7 解决 WebLogic 启动问题 - **修改 Java 安全设置**:编辑 `$JAVA_HOME/jre/lib/security/java.security` 文件,将 `securerandom.source=file:/dev/urandom` 更改为 `securerandom.source=file:/dev/./...
- **什么是ABA问题**:在CAS操作中可能出现的问题,通过版本号或使用AtomicStampedReference解决。 - **乐观锁的业务场景及实现方式**:通过版本号或时间戳实现。 - **Java8并法包下常见的并发类**:...