java - 如何在 Java 6 上启用 TLSv1.2(TLSv1.2 + Bouncycastle + Java 1.6_45)
问题描述
我的应用程序当前在 java 1.6_45 和 OSGI 3.2 上运行。
我应该适配 TLSv1.2,因为服务器从现在开始只支持 TLSv1.2。
我仍然收到 bad_record_mac 错误。
谁能帮我?
我尝试了以下****
// Installiere Bouncy Castle und TLS 1.2
if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleJsseProvider());
}
....
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
System.out.println("TLSv1.2 ist vorhanden.");
......
sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { defaultTrustManager }, null);
// Create SSLConnectionSocketFactory with TLSv1.2
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" }, null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
// Create clients
HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
// Set UnirestClient
Unirest.setHttpClient(httpClient);
....
// Unirest Httpclient get request
HttpResponse<String> response = Unirest.get(url.toString()).basicAuth(<username>, <pass>).header("Accept-Language", "de").asString();
我得到以下异常***
1559 [SpringOsgiExtenderThread-10] INFO org.bouncycastle.jsse.provider.ProvTlsClient - Client raised fatal(2) bad_record_mac(20) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: bad_record_mac(20)
at org.bouncycastle.tls.crypto.impl.TlsAEADCipher.decodeCiphertext(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.RecordStream.decodeAndVerify(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) [httpclient-4.5.3.jar:4.5.3]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) [httpclient-4.5.3.jar:4.5.3]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) [httpclient-4.5.3.jar:4.5.3]
at
Caused by: java.lang.IllegalStateException: javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.tls.crypto.impl.jcajce.JceAEADCipherImpl.doFinal(Unknown Source) [bctls-jdk15on-160.jar:1.60.0.0]
... 51 common frames omitted
Caused by: javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source) [bcprov-jdk15on-160.jar:1.60.0]
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source) [bcprov-jdk15on-160.jar:1.60.0]
at javax.crypto.Cipher.doFinal(DashoA13*..) [na:1.6]
... 52 common frames omitted
解决方案
我找到了一个新的解决方案,如下所示
public class TLSSocketConnectionFactory extends SSLSocketFactory {
// ******************Adding Custom BouncyCastleProvider*********************//
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
Security.addProvider(new BouncyCastleProvider());
}
// ******************HANDSHAKE LISTENER*********************//
public class TLSHandshakeListener implements HandshakeCompletedListener {
@Override
public void handshakeCompleted(HandshakeCompletedEvent event) {
}
}
private SecureRandom _secureRandom = new SecureRandom();
// ******************Adding Custom BouncyCastleProvider*********************//
@Override
public Socket createSocket(Socket socket, final String host, int port, boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), _secureRandom);
return _createSSLSocket(host, tlsClientProtocol);
}
// ******************SOCKET FACTORY METHODS*********************//
@Override
public String[] getDefaultCipherSuites() {
return null;
}
@Override
public String[] getSupportedCipherSuites() {
return null;
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return null;
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return null;
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return null;
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return null;
}
// ******************SOCKET CREATION*********************//
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override
public InputStream getInputStream() throws IOException {
return tlsClientProtocol.getInputStream();
}
@Override
public OutputStream getOutputStream() throws IOException {
return tlsClientProtocol.getOutputStream();
}
@Override
public synchronized void close() throws IOException {
tlsClientProtocol.close();
}
@Override
public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public boolean getEnableSessionCreation() {
return false;
}
@Override
public String[] getEnabledCipherSuites() {
// return null;
return new String[] { "" };
}
@Override
public String[] getEnabledProtocols() {
// return null;
return new String[] { "" };
}
@Override
public boolean getNeedClientAuth() {
return false;
}
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override
public String getCipherSuite() {
return "";
}
@Override
public long getCreationTime() {
throw new UnsupportedOperationException();
}
@Override
public byte[] getId() {
throw new UnsupportedOperationException();
}
@Override
public long getLastAccessedTime() {
throw new UnsupportedOperationException();
}
@Override
public java.security.cert.Certificate[] getLocalCertificates() {
throw new UnsupportedOperationException();
}
@Override
public Principal getLocalPrincipal() {
return null;
}
@Override
public int getPacketBufferSize() {
throw new UnsupportedOperationException();
}
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
return null;
}
@Override
public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
return peertCerts;
}
@Override
public String getPeerHost() {
throw new UnsupportedOperationException();
}
@Override
public int getPeerPort() {
return 0;
}
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return null;
// throw new UnsupportedOperationException();
}
@Override
public String getProtocol() {
return "";
}
@Override
public SSLSessionContext getSessionContext() {
throw new UnsupportedOperationException();
}
@Override
public Object getValue(String arg0) {
throw new UnsupportedOperationException();
}
@Override
public String[] getValueNames() {
throw new UnsupportedOperationException();
}
@Override
public void invalidate() {
throw new UnsupportedOperationException();
}
@Override
public boolean isValid() {
throw new UnsupportedOperationException();
}
@Override
public void putValue(String arg0, Object arg1) {
throw new UnsupportedOperationException();
}
@Override
public void removeValue(String arg0) {
throw new UnsupportedOperationException();
}
};
}
@Override
public String[] getSupportedProtocols() {
return null;
}
@Override
public boolean getUseClientMode() {
return false;
}
@Override
public boolean getWantClientAuth() {
return false;
}
@Override
public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public void setEnableSessionCreation(boolean arg0) {
}
@Override
public void setEnabledCipherSuites(String[] arg0) {
}
@Override
public void setEnabledProtocols(String[] arg0) {
}
@Override
public void setNeedClientAuth(boolean arg0) {
}
@Override
public void setUseClientMode(boolean arg0) {
}
@Override
public void setWantClientAuth(boolean arg0) {
}
@Override
public String[] getSupportedCipherSuites() {
return null;
}
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
// Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3); // entry size
dos.writeByte(0); // name type = hostname
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
for (org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
certs.add(cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())));
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (CertificateException e) {
System.out.println("Failed to cache server certs" + e);
throw new IOException(e);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest arg0) throws IOException {
return null;
}
};
}
});
}
};// Socket
}
}
并创建新的 http 客户端,如下所示
SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(new TLSSocketConnectionFactory(), new String[] { "TLSv1.2" }, null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
// Create clients
HttpClient httpClient = HttpClientBuilder.create().setSSLSocketFactory(sf).build();
// Set UnirestClient
Unirest.setHttpClient(httpClient);
现在效果很好:)
推荐阅读
- scala - Spark:获得最大连续减少值
- vue.js - 分页组件中的错误惯性链接
- ajax - 同一网络中其他PC上的Laravel Ajax路由不起作用返回404
- python - 覆盖列表中的元素
- javascript - 有没有办法允许左侧(或负 x 轴)溢出 html 元素?
- regex - 匹配所有字符,直到集合中的任何字符
- azure - 如何将 Business Central 部署中包含的 TestToolKit 部署到 Azure?
- keycloak - 在keycloak中注销时如何配置“client_id”
- c - 从 C 中的函数原型返回多个值。结果是多个产品
- inno-setup - SQLEXPR 安装程序返回码 -2068578304 是什么意思?