The project is deployed on Alibaba Cloud. When the hosts go out to the Internet directly, HTTPS access to api.weixin.qq.com and api.mch.weixin.qq.com both work.
But when the traffic goes through our egress NGINX doing layer-4 forwarding, HTTPS access to api.mch.weixin.qq.com works, while access to api.weixin.qq.com fails with a handshake error.
The log is attached. Removing the SSLv3 entry from jdk.tls.disabledAlgorithms in the JDK's java.security made no difference.
The log follows; for brevity the binary content has been removed.
Handshake error when connecting to api.weixin.qq.com:
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=api.weixin.qq.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes: len = 228
pool-6-thread-8, WRITE: TLSv1.2 Handshake, length = 228
[write] MD5 and SHA1 hashes: len = 179
pool-6-thread-8, WRITE: SSLv2 client hello message, length = 179
[Raw write]: length = 181
pool-6-thread-8, received EOFException: error
pool-6-thread-8, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-6-thread-8, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Connecting to api.mch.weixin.qq.com works; the log was captured only up to a little past server_hello[2]:
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=api.mch.weixin.qq.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes: len = 232
pool-6-thread-3, WRITE: TLSv1.2 Handshake, length = 232
[Raw write]: length = 237
[Raw read]: length = 5
[Raw read]: length = 93
pool-6-thread-3, READ: TLSv1.2 Handshake, length = 93
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1648444189 bytes = { 232, 221, 60, 60, 69, 105, 67, 25, 127, 166, 248, 7, 163, 0, 161, 15, 95, 50, 239, 244, 164, 2, 148, 39, 160, 100, 107, 213 }
Session ID: {149, 115, 170, 109, 46, 167, 220, 223, 249, 252, 230, 2, 122, 202, 23, 133, 233, 184, 9, 178, 206, 153, 41, 158, 253, 36, 220, 84, 29, 57, 82, 159}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension server_name, server_name:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized: [Session-18, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
[read] MD5 and SHA1 hashes: len = 93
[Raw read]: length = 5
[Raw read]: length = 4455
pool-6-thread-3, READ: TLSv1.2 Handshake, length = 4455
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=payapp.weixin.qq.com, O=Shenzhen Tencent Computer Systems Company Limited, L=Shenzhen, ST=Guangdong Province, C=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 16649982029016282961479286768115742811847492435017295634389041289962042289399303849377125921789869284452016801518213794490645956198281416909749021127914645074807906308211243146855860176334131738623490506505183746832566627335699759299043668215563836604578830180597046276349689398152327659294769653857894446521442613537476876293121381457114577957484625710969983831522393729298176612947875606820370360637896968183435663791974879715522667085433555700971120498581058434701019023769350390115948165543682721571956209578434811978440016294561556929797436273640160750546489951752791473640583428814211171085554943350688922895551
public exponent: 65537
Validity: [From: Tue Jan 05 08:00:00 CST 2021,
To: Sat Feb 05 07:59:59 CST 2022]
Issuer: CN=DigiCert Secure Site CN CA G3, O=DigiCert Inc, C=US
SerialNumber: [ 0b9941dd 7c2406e9 b098d88c 550cf8e8]
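One detail worth pulling out of the two logs: in the failing thread (pool-6-thread-8) JSSE wrote the hello first as a "TLSv1.2 Handshake, length = 228" and then actually put on the wire an "SSLv2 client hello message" (181 raw bytes), after which the peer simply closed the connection; in the working thread (pool-6-thread-3) the hello went out as a plain TLSv1.2 record (232 + 5 header bytes) and a ServerHello came back. The example below is added here and is not code from the original post; it builds both framings and dissects them so the difference is visible: the SSLv2-compatible format (RFC 5246, appendix E.2) has no extension block and therefore carries no server_name, while the TLS record does. The cipher suite values and hostnames are assumptions chosen for illustration, not taken from the poster's configuration.

```python
# Added example (not from the original post): build the two ClientHello framings
# that appear in the JSSE debug log above and dissect them. Cipher suite values
# and the hostnames used are assumptions chosen for illustration.
import os
import struct

TLS12 = 0x0303
# 0xC030 = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (negotiated in the working log),
# 0x009C = TLS_RSA_WITH_AES_128_GCM_SHA256 (assumed second offer).
DEFAULT_SUITES = (0xC030, 0x009C)


def build_tls_client_hello(sni, suites=DEFAULT_SUITES, random_bytes=None):
    """TLSv1.2 ClientHello inside a TLS record; SNI travels as extension type 0."""
    random_bytes = random_bytes or os.urandom(32)
    host = sni.encode("ascii")
    entry = struct.pack("!BH", 0, len(host)) + host            # name_type host_name(0)
    ext_data = struct.pack("!H", len(entry)) + entry            # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", TLS12) + random_bytes
            + b"\x00"                                           # session_id length 0
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return struct.pack("!BHH", 0x16, TLS12, len(handshake)) + handshake


def build_sslv2_client_hello(suites=DEFAULT_SUITES, random_bytes=None):
    """Same hello in SSLv2-compatible framing (RFC 5246 appendix E.2).

    There is no record layer and no extension block, so this format cannot
    carry server_name; a peer that selects by SNI sees no hostname at all.
    """
    random_bytes = random_bytes or os.urandom(32)
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)  # 3-byte V2CipherSpec
    body = (b"\x01" + struct.pack("!H", TLS12)
            + struct.pack("!HHH", len(specs), 0, len(random_bytes))  # spec/sid/challenge lengths
            + specs + random_bytes)
    return struct.pack("!H", 0x8000 | len(body)) + body  # high bit set: 2-byte length header


def classify_client_hello(data):
    """Report framing, offered suites and SNI (if any) of a captured first client flight."""
    if data[0] == 0x16:                                          # TLS record, ContentType handshake
        record_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + record_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # client_version + random
        pos += 1 + body[pos]                                     # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                     # compression_methods
        sni = None
        if pos < len(body):                                      # extensions are optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos < end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if etype == 0x0000:                              # server_name: list_len(2) type(1) len(2) name
                    name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
                pos += elen
        return {"format": "tls_record", "suites": suites, "sni": sni}
    if data[0] & 0x80:                                           # SSLv2 2-byte header
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if body[0] != 0x01:
            raise ValueError("not a V2 ClientHello")
        cs_len = struct.unpack("!H", body[3:5])[0]
        specs = body[9:9 + cs_len]
        suites = [struct.unpack("!H", specs[i + 1:i + 3])[0] for i in range(0, cs_len, 3)]
        return {"format": "sslv2_compat", "suites": suites, "sni": None}
    raise ValueError("unrecognised ClientHello framing")


if __name__ == "__main__":
    for hello in (build_tls_client_hello("api.weixin.qq.com"), build_sslv2_client_hello()):
        print(len(hello), classify_client_hello(hello))
```

JSSE only emits the SSLv2-compatible framing when the pseudo-protocol "SSLv2Hello" is among the enabled client protocols, so one check that costs nothing is to print `SSLSocket.getEnabledProtocols()` on the affected client and, if "SSLv2Hello" is present, restrict the client to "TLSv1.2" (for example via the jdk.tls.client.protocols system property on JDK 8) and retry through the NGINX forwarder; capturing the first client flight on the NGINX side and feeding it to classify_client_hello shows which framing the upstream actually received.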