java https 报错,Java 服务请求 https 接口报错 connection reset 问题

问题现象：

和客户对接时，客户请求我们的 https 接口报错 java.net.SocketException：Connection reset。

原因分析：

根据客户提供的服务异常信息，可以大略猜到是 SSL 的问题。

我们这边的 Nginx SSL 配置为 ：

ssl_protocols TLSv1.1 TLSv1.2;

或者使用命令 nmap --script ssl-enum-ciphers -p 443 foobar.com 查看：

# nmap --script ssl-enum-ciphers -p 443 foobar.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-06 14:12 CST

Nmap scan report for foobar.com (120.77.XXX.XXX)

Host is up (0.00025s latency).

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| TLSv1.1:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

从客户那边了解到他们服务的 JDK 版本为 1.7 版本。

经过网上搜索发现 JDK 7 默认支持的 TLS 版本为 TLSv1 。

https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https

我们的 Nginx 没有启用 TLSv1 ，所以使用 JDK 7 的 Java 服务在请求我们的 https 接口时，在 TLS 握手阶段，就被 Nginx 断开连接了。

解决办法

1、修改 Nginx 配置添加 TLSv1 版本的支持。

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

使用 nmap --script ssl-enum-ciphers -p 443 foobar.com 验证结果，可以查看支持了 TLSv1.0 。

# nmap --script ssl-enum-ciphers -p 443 foobar.com

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-06 11:34 CST

Nmap scan report for foobar.com (120.77.XXX.XXX)

Host is up (0.0032s latency).

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| SSLv3: No supported ciphers found

| TLSv1.0:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.1:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

2、Java 服务启动时加上 JVM 参数：

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

参考：