我已经通过使用ApacheCXF(v3.0.4)实现了JAX-WS客户端,并且一切正常,但是当我想在Java 8(jdk1.8.0_25)中使用安全连接(SSL / TLS)时出现了问题。
我在日志(-Djavax.net.debug = all)中看到以下异常:
main, handling exception: java.net.SocketException: Connection reset main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message main, WRITE: TLSv1.2 Alert, length = 2 main, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error
经过depeer分析后,我发现问题是由于Java 8不会发送server_name(SNI),而Java 7却发送了server_name,并且Web服务调用成功进行了。
Java 8日志(-Djavax.net.debug = all):缺少“扩展名server_name”
[...] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA *** [...]
Java 7日志(-Djavax.net.debug = all)(有效):设置了“扩展server_name”
[...] Compression Methods: { 0 } Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} Extension ec_point_formats, formats: [uncompressed] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA Extension server_name, server_name: [host_name: testeo.hostname.es] *** [...]
可以看出,在Java 7中,已设置扩展server_name,server_name:[host_name:testeo.hostname.es],然后Web服务调用成功进行。
Java 8为什么不像Java 7那样设置server_name?这是Java配置问题吗?
如前所述,原因与JDK错误有关,在JDK错误中,使用setHostnameVerifier()会破坏SNI(扩展名server_name)。 https://bugs.openjdk.java.net/browse/JDK-8144566
解决方法:经过测试,我们发现将连接的SSLSocketFactory设置为默认值几乎可以解决所有问题。
这不起作用: HttpsURLConnection.setSSLSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
HttpsURLConnection.setSSLSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
这确实有效: HttpsURLConnection.setSSLSocketFactory(new SSLSocketFactoryFacade());
HttpsURLConnection.setSSLSocketFactory(new SSLSocketFactoryFacade());
因此,要为JAX-WS客户端修复它,可以执行以下操作:
bindingProvider.getRequestContext().put("com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory", new SSLSocketFactoryFacade());
我们的SSLSocketFactory外观:(请注意,它实际上什么都不做)
public class SSLSocketFactoryFacade extends SSLSocketFactory { SSLSocketFactory sslsf; public SSLSocketFactoryFacade() { sslsf = (SSLSocketFactory) SSLSocketFactory.getDefault();; } @Override public String[] getDefaultCipherSuites() { return sslsf.getDefaultCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return sslsf.getSupportedCipherSuites(); } @Override public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException { return sslsf.createSocket(socket, s, i, b); } @Override public Socket createSocket(String s, int i) throws IOException, UnknownHostException { return sslsf.createSocket(s, i); } @Override public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException { return sslsf.createSocket(s, i, inetAddress, i1); } @Override public Socket createSocket(InetAddress inetAddress, int i) throws IOException { return createSocket(inetAddress, i); } @Override public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException { return createSocket(inetAddress, i, inetAddress1, i1); } }
