java https 请求 javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

最近联调https接口时，请求https 一直报handshake_failure 握手失败。在网上百度了几天，验证了很多方法，一直没有解决我的问题。

我把我的解决方法，分析一下，供大家参考

http-nio-8084-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

HTTPS 专用检测工具网站

https://myssl.com/

HTTPS 安全评估、ATS 检测、证书链补全工具、HTTP/2 支持检测

解决方法1：设置https.protocols

System.setProperty("https.protocols", "TLSv1.2,TLSv1.1,SSLv3");

设置输出网络日志

System.setProperty("javax.net.debug", "all");

然后看到下面的输出：

0000: 16 03 03 00 89 01 00 00 85 03 03 5F 6A C2 08 7C ..........._j...
0010: A9 2A 33 9A C9 B7 D2 11 CA A4 49 2F CD CB 74 14 .*3.......I/..t.
0020: 09 BB 6F 4B 0C 7A 81 82 62 D1 7A 00 00 26 00 3D ..oK.z..b.z..&.=
0030: 00 6B 00 6A 00 35 00 39 00 38 00 3C 00 67 00 40 .k.j.5.9.8.<.g.@
0040: 00 2F 00 33 00 32 00 9D 00 9F 00 A3 00 9C 00 9E ./.3.2..........
0050: 00 A2 00 FF 01 00 00 36 00 0D 00 1C 00 1A 06 03 .......6........
0060: 06 01 05 03 05 01 04 03 04 01 04 02 03 03 03 01 ................
0070: 03 02 02 03 02 01 02 02 00 00 00 12 00 10 00 00 ................
0080: 0D 61 70 69 2E 39 39 35 31 32 30 2E 63 6E .api.995120.cn

0000: 15 03 03 00 02 .....

0000: 02 28 .(
http-nio-8084-exec-1, READ: TLSv1.2 Alert, length = 2
http-nio-8084-exec-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
http-nio-8084-exec-1, called closeSocket()
http-nio-8084-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1950)
at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1945)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1944)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1514)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
at com.hipee.web.hour24ecg.controller.TestController.saveBinary(TestController.java:39)
at com.hipee.web.hour24ecg.controller.TestController.versionInfo(TestController.java:25)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

解决方法2：替换JCE包
因为我的服务器是jdk8版本,下载后解压，可以看到local_policy.jar和US_export_policy.jar以及readme.txt，
替换${java_home}/jre/lib/security/ 下面的local_policy.jar和US_export_policy.jar即可
JDK7: https://www.jianshu.com/go-wild?ac=2&url=https%3A%2F%2Fwww.oracle.com%2Ftechnetwork%2Fjava%2Fjavase%2Fdownloads%2Fjce-7-download-432124.html
JDK8: https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
但我的jdk版本格式如上

[developer@143-196 security]$ pwd

/usr/java/jdk1.8.0_231/jre/lib/security
[developer@143-196 security]$ ll
total 160
-rw-r--r-- 1 10 143 4054 Oct 5 2019 blacklist
-rw-r--r-- 1 10 143 1273 Oct 5 2019 blacklisted.certs
-rw-r--r-- 1 10 143 100515 Oct 5 2019 cacerts
-rw-r--r-- 1 10 143 2466 Oct 5 2019 java.policy
-rw-r--r-- 1 10 143 44261 Oct 5 2019 java.security
-rw-r--r-- 1 10 143 98 Oct 5 2019 javaws.policy
drwxr-xr-x 4 10 143 38 Oct 5 2019 policy
-rw-r--r-- 1 10 143 0 Oct 5 2019 trusted.libraries
[developer@143-196 security]$ tree policy/
policy/
├── limited
│   ├── local_policy.jar
│   └── US_export_policy.jar
└── unlimited

├── local_policy.jar
└── US_export_policy.jar

因为从Java 1.8.0_151版本开始，java公司为JVM启用无限制强度管辖策略，则不能使用AES-256。把java.security文件的第826行的注释去掉即可

crypto.policy=unlimited

重新启动项目，还是失败
linux服务器错误日志：

keyStore is :

keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-8084-exec-1, setSoTimeout(0) called
http-nio-8084-exec-1, the previous server name in SNI (type=host_name (0), value=api.995120.cn) was replaced with (type=host_name (0), value=api.995120.cn)
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session

win本地环境正常日志

Allow unsafe renegotiation: true

Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
qtp1971495275-19, setSoTimeout(0) called
qtp1971495275-19, the previous server name in SNI (type=host_name (0), value=api.995120.cn) was replaced with (type=host_name (0), value=api.995120.cn)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1

发现确实*SHA384

解决方法3：BouncyCastle配置
BouncyCastle是一款开源的密码包，其中包含了大量的密码算法，使用BouncyCastle的目的就是为了扩充算法支持
(1) 将bcprov-jdk15on-162.jar文件导入相关工程
(2) 在需要使用加密的代码中导入以下两个类

import java.security.Security;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

(3) 在初始化密钥工厂、密钥生成器等引擎前调用如下代码：
加入BouncyCastleProvider的支持

Security.add.addProvider(new BouncyCastleProviderrr());

或者使用以下方式

MessageDigest md = MessageDigest.getInstant("MD4","BC");

//每个提供者都有简称，Bouncy Castle提供者的简称为BC

    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.66</version>
    </dependency>
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-ext-jdk15on</artifactId>
        <version>1.66</version>
    </dependency>

最终解决