问题描述
我们在 Java 11 中开发了一个服务器应用程序,它接受来自客户端的传入 HTTPS 连接。直到/包括 Java 11.0.10 (AdoptOpenJDK),一切都运行良好。
在升级到 Java 11.0.11 后,我们遇到了来自 Chrome 客户端的连接的连接握手问题(javax.net.ssl.SSLProtocolException: No common named group)。 Firefox 客户端没有问题。
启用 SSL 日志(-Djavax.net.debug=ssl:handshake)后,我们可以看到两个版本之间的差异:
使用 11.0.11:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
Ignore unsupported named group: x25519
Consumed extension: key_share
使用 11.0.10:
Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
Consumed extension: key_share
新的 Java 版本似乎忽略了对 x25519 的请求。
两个 Java 运行时都未从 AdaptOpenJDK 下载。
这里有一些更详细的日志:
Chrome for Java 11.0.11 失败:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (64,250)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (60,138)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.387 CEST|null:-1|Ignore unkNown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.399 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "E0 14 47 3E 55 DE 2D 30 FF 5C CE E1 D1 27 3D 4B F4 CB 42 EE 3E 22 14 C7 BE 16 1A FA BF 35 EE DD","session id" : "D7 59 27 6A 00 46 84 3A AB 32 FD 30 79 AD C4 DE 11 55 52 D5 07 1F 66 B0 7D 7E 80 A6 6F 95 2D 2B","cipher suites" : "[UNKNowN-CIPHER-SUITE(0x2A2A)(0x2A2A),TLS_AES_128_GCM_SHA256(0x1301),TLS_AES_256_GCM_SHA384(0x1302),TLS_CHACHA20_poly1305_SHA256(0x1303),TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),UNKNowN-CIPHER-SUITE(0xCCA9)(0xCCA9),UNKNowN-CIPHER-SUITE(0xCCA8)(0xCCA8),TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C),TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D),TLS_RSA_WITH_AES_128_CBC_SHA(0x002F),TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)]","compression methods" : "00","extensions" : [
"unkNown extension (64,250)": {
},"server_name (0)": {
type=host_name (0),value=local.3dmapping.cloud
},"extended_master_secret (23)": {
<empty>
},"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
},"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(31354),x25519,secp256r1,secp384r1]
},"ec_point_formats (11)": {
"formats": [uncompressed]
},"session_ticket (35)": {
},"application_layer_protocol_negotiation (16)": {
[h2,http/1.1]
},"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256,rsa_pss_rSAE_sha256,rsa_pkcs1_sha256,ecdsa_secp384r1_sha384,rsa_pss_rSAE_sha384,rsa_pkcs1_sha384,rsa_pss_rSAE_sha512,rsa_pkcs1_sha512]
},"signed_certificate_timestamp (18)": {
},"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(31354)
"key_exchange": {
0000: 00
}
},{
"named group": x25519
"key_exchange": {
0000: AA F1 CE 3D 91 DD 66 C1 50 6F 5F B6 21 B3 EC 15 ...=..f.Po_.!...
0010: A9 56 23 C7 3C 33 22 7B EC 6C 3F 0C 37 C4 B6 45 .V#.<3"..l?.7..E
}
},]
},"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},"supported_versions (43)": {
"versions": [(D)TLS-10.10,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1]
},"unkNown extension (27)": {
0000: 02 00 02 ...
},"unkNown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
},"unkNown extension (60,138)": {
0000: 00 .
},"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.400 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.401 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.402 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.403 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|no server name matchers,ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.404 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.406 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.407 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.408 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.409 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.410 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.417 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.418 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.419 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.420 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(31354)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.421 CEST|null:-1|Ignore unsupported named group: x25519
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.422 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:00:46.423 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|ERROR|19|PortServer:Http1111|2021-07-14 10:00:46.426 CEST|null:-1|Fatal (UNEXPECTED_MESSAGE): No common named group (
"throwable" : {
javax.net.ssl.SSLProtocolException: No common named group
at java.base/sun.security.ssl.Alert.createSSLException(UnkNown Source)
at java.base/sun.security.ssl.Alert.createSSLException(UnkNown Source)
at java.base/sun.security.ssl.TransportContext.fatal(UnkNown Source)
at java.base/sun.security.ssl.TransportContext.fatal(UnkNown Source)
at java.base/sun.security.ssl.TransportContext.fatal(UnkNown Source)
at java.base/sun.security.ssl.KeyShareExtension$HRRKeyShareProducer.produce(UnkNown Source)
at java.base/sun.security.ssl.SSLExtension.produce(UnkNown Source)
at java.base/sun.security.ssl.SSLExtensions.produce(UnkNown Source)
at java.base/sun.security.ssl.ServerHello$T13HelloRetryRequestProducer.produce(UnkNown Source)
at java.base/sun.security.ssl.SSLHandshake.produce(UnkNown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goHelloRetryRequest(UnkNown Source)
at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(UnkNown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(UnkNown Source)
at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(UnkNown Source)
at java.base/sun.security.ssl.SSLHandshake.consume(UnkNown Source)
at java.base/sun.security.ssl.HandshakeContext.dispatch(UnkNown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(UnkNown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(UnkNown Source)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(UnkNown Source)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.a(SourceFile:1505)
at core.toolx/com.orbitgis.toolx.network.server.server2.SSLSocketChannel.read(SourceFile:653)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.e(SourceFile:502)
at core.toolx/com.orbitgis.toolx.network.server.server2.PortServer2.run(SourceFile:951)
at java.base/java.lang.Thread.run(UnkNown Source)}
)
Chrome for Java 11.0.10 的成功:
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (31,354)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.904 CEST|null:-1|Ignore unkNown or unsupported extension (
"session_ticket (35)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.905 CEST|null:-1|Ignore unkNown or unsupported extension (
"signed_certificate_timestamp (18)": {
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.906 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (27)": {
0000: 02 00 02 ...
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (17,513)": {
0000: 00 03 02 68 32 ...h2
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.907 CEST|null:-1|Ignore unkNown or unsupported extension (
"unkNown extension (10,794)": {
0000: 00 .
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.908 CEST|null:-1|Ignore unkNown or unsupported extension (
"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.916 CEST|null:-1|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "F0 2C 2D B7 E0 B2 5C 59 20 66 E7 61 53 6A F5 3F AC FB 8B 14 22 51 D2 8E 7D 1D 52 17 A4 C1 33 E3","session id" : "12 91 36 9A BD 16 00 CA 84 5D 3D 40 61 5C A1 1F 65 2C DD 91 96 D5 E8 B8 21 09 31 76 DC B2 11 CB","cipher suites" : "[UNKNowN-CIPHER-SUITE(0xCACA)(0xCACA),"extensions" : [
"unkNown extension (31,354)": {
},"supported_groups (10)": {
"versions": [UNDEFINED-NAMED-GROUP(6682),"key_share (51)": {
"client_shares": [
{
"named group": UNDEFINED-NAMED-GROUP(6682)
"key_exchange": {
0000: 00
}
},{
"named group": x25519
"key_exchange": {
0000: D8 DB B4 6D 69 D4 44 C2 21 7C 59 8C 3F EB 18 20 ...mi.D.!.Y.?..
0010: B5 13 73 41 2C 57 18 2E 1C DB 03 64 50 57 0B 6B ..sA,W.....dPW.k
}
},"supported_versions (43)": {
"versions": [(D)TLS--6.-6,"unkNown extension (10,794)": {
0000: 00 .
},"client_certificate_type (21)": {
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
}
]
}
)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.917 CEST|null:-1|Consumed extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|no server name matchers,ignore server name indication
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: status_request
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(6682)
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Consumed extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.918 CEST|null:-1|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.935 CEST|null:-1|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.938 CEST|null:-1|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.939 CEST|null:-1|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.942 CEST|null:-1|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.943 CEST|null:-1|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.944 CEST|null:-1|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.945 CEST|null:-1|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|19|PortServer:Http1111|2021-07-14 10:22:25.946 CEST|null:-1|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.947 CEST|null:-1|use cipher suite TLS_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.949 CEST|null:-1|Ignore,context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|19|PortServer:Http1111|2021-07-14 10:22:25.950 CEST|null:-1|Produced ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2","random" : "59 39 C8 98 37 AF C6 72 50 DF 02 74 43 DF 4C 29 F6 65 CE 97 66 79 E2 69 6F 8C B1 E4 1B B6 65 54","cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)","extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 3A 89 E5 8E E2 1E 7D 48 E2 FE 44 92 BD 03 EE BA :......H..D.....
0010: 27 08 8E 06 06 86 D8 7D 8E 74 D3 BF A7 55 5D 03 '........t...U].
}
},}
]
}
)
Java 11.0.11 似乎放弃了对 TLSv1 和 TLSv1.1 的开箱即用支持,但我不确定这是否相关。启用这些并不能解决问题。
知道为什么不再支持 x25519 了吗?或者如何启用它?
解决方法
问题的原因是模块路径中的单个 jar 文件。 jar 本身与网络、加密或安全无关,它用于更改 UI 外观。罐子是7年前签的,以前没出过什么问题。 用未签名的副本替换这个 jar 可以解决所有问题,并使 Java 11.0.11 再次完全运行,并提供预期的安全提供程序列表(13 个而不是 4 个)。
为什么这个问题只发生在 Java 11.0.11 上仍然是个谜。我没有看到来自 Java 类加载器的任何错误消息。