最近项目遇到 jdk1.6使用https请求服务器,服务器明确做了协议要求,只支持tls1.2及以上协议。目前报错是Remote host closed connection during handshake , 通过查阅资料说jdk1.6版本只支持tls1.0 , ssl 3.0 协议,如果用jdk1.6请求tls1.2协议接口,需要引入第三方库,网上有很多关于调用第三方包重写协议工厂资料代码,但是会主动的抛出一个异常UnsupportedOperationException,主动抛出这些异常导致看不到真实的异常,需要替换主动异常为return null或return 0;
接下来就会看到真实异常了,我这里报的异常是:java.io.IOException: HTTPS hostname wrong: should be ,在提交请求时解决这个问题
引入依赖(jar包下载地址
https://mvnrepository.com/
)
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.54</version>
</dependency>
创建协议工厂
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
import java.io.*;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import java.util.LinkedList;
import java.util.List;
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
return _createSSLSocket(host, tlsClientProtocol);
@Override public String[] getDefaultCipherSuites() { return null; }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress host, int port) throws IOException { return null; }
@Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return null; }
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); }
@Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); }
@Override public synchronized void close() throws IOException { tlsClientProtocol.close(); }
@Override public void addHandshakeCompletedListener( HandshakeCompletedListener arg0) { }
@Override public boolean getEnableSessionCreation() { return false; }
@Override public String[] getEnabledCipherSuites() { return null; }
@Override public String[] getEnabledProtocols() { return null; }
@Override public boolean getNeedClientAuth() { return false; }
@Override
public SSLSession getSession() {
return new SSLSession() {
/*原本这些方法都是直接throw UnsupportedOperationException 导致看不到真实异常*/
@Override
public int getApplicationBufferSize() {
return 0;
@Override public String getCipherSuite() { return null; }
@Override public long getCreationTime() { return 0; }
@Override public byte[] getId() { return null; }
@Override public long getLastAccessedTime() { return 0; }
@Override public java.security.cert.Certificate[] getLocalCertificates() { return null; }
@Override public Principal getLocalPrincipal() { return null; }
@Override public int getPacketBufferSize() { return 0; }
@Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; }
@Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; }
@Override public String getPeerHost() { return null; }
@Override public int getPeerPort() { return 0; }
@Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; }
@Override public String getProtocol() { return null; }
@Override public SSLSessionContext getSessionContext() { return null; }
@Override public Object getValue(String arg0) { return null; }
@Override public String[] getValueNames() { return null; }
@Override public void invalidate() { return; }
@Override public boolean isValid() { return true; }
@Override public void putValue(String arg0, Object arg1) { return; }
@Override
public void removeValue(String arg0) {
return;
@Override public String[] getSupportedProtocols() { return null; }
@Override public boolean getUseClientMode() { return false; }
@Override public boolean getWantClientAuth() { return false; }
@Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public void setEnableSessionCreation(boolean arg0) { }
@Override public void setEnabledCipherSuites(String[] arg0) { }
@Override public void setEnabledProtocols(String[] arg0) { }
@Override public void setNeedClientAuth(boolean arg0) { }
@Override public void setUseClientMode(boolean arg0) { }
@Override public void setWantClientAuth(boolean arg0) { }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@SuppressWarnings("unchecked")
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3);
dos.writeByte(0);
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
KeyStore ks = _loadKeyStore();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
boolean trustedCertificate = false;
for ( org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded()));
certs.add(cert);
String alias = ks.getCertificateAlias(cert);
if(alias != null) {
if (cert instanceof java.security.cert.X509Certificate) {
try {
( (java.security.cert.X509Certificate) cert).checkValidity();
trustedCertificate = true;
} catch(CertificateExpiredException cee) {
// Accept all the certs!
} else {
// Accept all the certs!
if (!trustedCertificate) {
// Accept all the certs!
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (Exception ex) {
ex.printStackTrace();
throw new IOException(ex);
@Override
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
private KeyStore _loadKeyStore() throws Exception {
FileInputStream trustStoreFis = null;
try {
KeyStore localKeyStore = null;
String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType")!=null?System.getProperty("javax.net.ssl.trustStoreType"):KeyStore.getDefaultType();
String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider")!=null?System.getProperty("javax.net.ssl.trustStoreProvider"):"";
if (trustStoreType.length() != 0) {
if (trustStoreProvider.length() == 0) {
localKeyStore = KeyStore.getInstance(trustStoreType);
} else {
localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
char[] keyStorePass = null;
String str5 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):"";
if (str5.length() != 0) {
keyStorePass = str5.toCharArray();
localKeyStore.load(trustStoreFis, keyStorePass);
if (keyStorePass != null) {
for (int i = 0; i < keyStorePass.length; i++) {
keyStorePass[i] = 0;
return localKeyStore;
} finally {
if (trustStoreFis != null) {
trustStoreFis.close();
} // startHandshake
public String Send(String signData,String signURL,int[] errm) {
StringBuffer sb = new StringBuffer();
URL myurl = null;
try {
myurl = new URL(signURL);
} catch (MalformedURLException e1) {
System.out.println("myurl error:"+e1);
HttpsURLConnection con = null;
try {
con = (HttpsURLConnection) myurl.openConnection();
con.setSSLSocketFactory(new TLSSocketConnectionFactory());
/*用于解决host name wrong问题,重写主机验证方法,如果请求正常可以去掉*/
con.setHostnameVerifier(new HostnameVerifier(){
@Override
public boolean verify(String hostname, SSLSession session) {
// TODO Auto-generated method stub
return true;
System.setProperty("sun.net.client.defaultConnectTimeout","300000");
System.setProperty("sun.net.client.defaultReadTimeout", "300000");
con.setRequestMethod("POST");
con.setDoOutput(true);
con.setDoInput(true);
con.setUseCaches(false);
con.setInstanceFollowRedirects(true);
con.setRequestProperty("Content-type", "text/xml;charset=utf-8");
con.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)");
System.out.println("start connect");
con.connect();
System.out.println("end connect");
} catch (IOException e1) {
System.err.println("HttpsURLConnection error:"+e1);
OutputStream out = null;
//OutputStreamWriter os = null;
try {
out = con.getOutputStream();
//os = new OutputStreamWriter(out);
out.write(signData.getBytes("utf-8"));
out.flush();
out.close();
//os.write(signData);
//os.flush();
} catch (IOException e1) {
System.out.println("IOException:"+e1);
}catch(Exception ex){
System.out.println("HTTPS Exception:"+ex);
System.out.println(ex.getStackTrace());
//接收响应
try {
System.out.println("responsecode="+con.getResponseCode());
BufferedReader reader = new BufferedReader(new InputStreamReader(con.getInputStream(), "utf-8"));
sb.append("");
String s = reader.readLine();
while(s!=null){
sb.append(s);
s=reader.readLine();
reader.close();
con.disconnect();
} catch (IOException ioex) {
System.err.println("https write file error:"+ioex);
return sb.toString();
最近项目遇到 jdk1.6使用https请求服务器,服务器明确做了协议要求,只支持tls1.2及以上协议。目前的报错是Remote host closed connection during handshake , 通过查阅资料说jdk1.6版本只支持tls1.0 , ssl 3.0 协议,如果用jdk1.6请求tls1.2协议的接口,需要引入第三方库,网上有很多关于调用第三方包重...
应用从DMZ迁移到内网后,就不能连接外网了,必须通过代理服务器才能调用第三方接口。使用Nginx作为代理服务器,HTTP的接口代理没有问题,HTPPS的接口代理Java后台总是报错,主要是因为项目使用的JDK1.6,不支持TLS1.2导致握手失败。通过BouncyCastle的第三方jar包可以解决这个问题。也可以使用Nginx的第三方模块ngx_http_proxy_module,配置Nginx作为HTTPS代理服务器解决,不过代码需要修改地方较多。
解压压缩包后文件说明:
\doc\conf\nginx.conf:Nginx的转发配置;
\doc\conf\haproxy.cfg:Haproxy的转发配置;
\doc\conf\proxy\nginx.conf:Nginx作为代理的配置;
\doc\gcc:安装Nginx的各个依赖包;
\doc\proxy:Nginx的一些源码包,Haproxy源码包,安装步骤可参考readme.txt文件。
Java6 真的不支持TLS1.2 吗?
有个老程序,用的是jdk6u20, 期间windows和SQL Server不断的升级.
Java 6 连SQL SSL 出错,但Java6不能升级,太多代码复杂的业务,第三方的组件。踏破铁鞋断定是TLS1.2的问题 .
https://www.oracle.com/technetwork/java/javase/overview-156328.html
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.*;
import java.security.cert.*;
imp...
在获取连接时会被远程主机断开连接。
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:980) ~[na:1.8.0_45]
package nc.impl.pub.filesystem;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.net.ssl.*;
import javax...
java程序使用https方式调用nessus接口时,使用jdk1.7返回如下内容:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
使用jdk1.8返回正常
{"token":"f360654233f65d964ed220914ec10916fe206a3d1b1c1b...
本地jdk环境为1.7,访问HTTPS正常,部署到生产环境报Connect Rest错误,多方检查原来正式环境为jdk6,去访问别人的https时报错,下面是通过百度整理的解决方案;
首先要自己重写SSLSocketFactory这个类,
下面是自己重写的这个
package com.mln.frame;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOut
jdk1.7默认是TSLv1, 可以支持TSLv1.1,TSLv1.2,
jdk1.8默认是TSLv1.2
假如服务器端设置是TSLv1.2,而客服端是TSLv1, 访问就会出现Remote host closed connection during handshake的错误.
**解决办法:**强制通过TLSv1.2或TLSv1通信,前提服务端也采用相应协议。
SSLContext ctx = SSLContext.getI..
