SSLHandshakeException 使用 t3s weblogic

Question

我已经完成了 t3s 的设置和配置。现在，当我尝试拨打电话时遇到异常。请大家帮忙。

试过steps Enterprise Software Development with Java: WebLogic Server SSL (https/t3s) and Java Web Start提到的url

以及根据Configuring Transport-Level Security 包含以下代码

System.setProperty("weblogic.security.SSL.ignoreHostnameVerification","true");  
System.setProperty("java.protocol.handler.pkgs", "weblogic.net");  
System.setProperty("weblogic.security.TrustKeyStore","CustomTrust");  
System.setProperty("weblogic.security.CustomTrustKeyStoreFileName","TRUST_STORE_LOCATION");
System.setProperty("weblogic.security.CustomTrustKeyStorePassPhrase","TRUST_STORE_PASSWORD");
System.setProperty("weblogic.security.CustomTrustKeyStoreType","JKS");

例外：

[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>   
[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>   
[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090908> <Using the default WebLogic SSL Hostname Verifier implementation.>   
[java]   
[java] TYPE_PARAM = ERROR  
[java] CODE_PARAM = null  
[java] MESSAGE_PARAM = null  
[java]   
[java]  
[java] at junit.extensions.jfunc.SALQATestCase.runBare(SALQATestCase.java:111)  
[java] at junit.extensions.jfunc.SALQATestCase$1.protect(SALQATestCase.java:96)  
[java] at junit.framework.TestResult.runProtected(TestResult.java:124)  
[java] at junit.extensions.jfunc.SALQATestCase.run(SALQATestCase.java:99)  
[java] at junit.framework.TestSuite.runTest(TestSuite.java:208)  
[java] at junit.framework.TestSuite.run(TestSuite.java:203)  
[java] at junit.extensions.jfunc.textui.SALQARunner.doRun(SALQARunner.java:69)  
[java] at junit.extensions.jfunc.textui.SALQARunner.run(SALQARunner.java:314)  
[java]  Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination]  
[java] at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:808)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:363)  
[java] at weblogic.jndi.Environment.getContext(Environment.java:319)  
[java] at weblogic.jndi.Environment.getContext(Environment.java:288)  
[java] at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)  
[java] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)  
[java] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)  
[java] at javax.naming.InitialContext.init(InitialContext.java:223)  
[java] at javax.naming.InitialContext.<init>(InitialContext.java:197)  
[java]  
[java] Caused by: java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:216)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:169)  
[java] at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:165)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:342)  
[java] at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)  
[java] at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:337)  
[java] ... 21 more  
[java] Caused by: java.rmi.ConnectException: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination  
[java] at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:490)  
[java] at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:328)  
[java] at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:267)  
[java] at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:204)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)

---

在 netstat 得到以下列表。我在监听模式下看到 7002。对不对？

$ netstat -tulpn | grep :7002
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp        0      0 xxxxxxxxxxxxxxxxxxxxxx:7002 :::*                        LISTEN      25657/java
tcp        0      0 ::xxxx:127.0.0.1:7002       :::*                        LISTEN      25657/java
tcp        0      0 xxxx::xxxxxxxxxxxxxxxx:7002 :::*                        LISTEN      25657/java
tcp        0      0 ::xxxx:xx.xxx.xx.xx:7002  :::*                        LISTEN      25657/java

Answer 1

你得到的错误不是 SSLHandshake 错误，它说

" java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable"

1) 检查您提供的网址。

2) 在DNS 端口上进行远程登录

3) 确保没有防火墙阻止请求。

4) 如果您的管理服务器的端口为 7002（我假设您在域中只有 1 台服务器），则尝试访问 https://DNS:7002/console 并首先查看是否加载正常。

Answer 2

SSL 错误通常具有误导性。 SSLHandshakeException 通常是证书问题（无法验证 SSL 连接是否受信任）。

您的服务器可能使用 自签名证书 进行签名，通常需要将其添加到您的 cacerts 密钥库中以允许 SSL 信任它。即，您需要将 SSL 证书从 Weblogic 服务器添加到您的 JDK/JRE 密钥库。请参阅此问题的答案：

How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default

如果您在 UNIX 上，上面链接中的命令按原样工作。如果您在 Windows 上，您需要的所有 UNIX 实用程序（openssl、sed）都秘密包含在 GIT 安装中，或者您可以使用 cygwin。我所要做的就是使用 openssl 获取证书，然后使用 keytool（JDK 的一部分）将其添加到我的 JDK 的 cacerts 文件中。 (%JAVA_HOME%\jre\lib\security\cacerts)

注意：如果您将证书导入您的 ~/.keystore，（在 Windows 上：%userprofile%.keystore），文件仍然会失败，但您可能会遇到不同的异常：

javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination

连接成功后，如下所示：

Connecting to t3s://*********:7001 with userid ********...
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090908> <Using the default WebLogic SSL Hostname Verifier implementation.>
Successfully connected to Admin Server "AdminServer" that belongs to domain "******".

另一个有关检索和添加 SSL 密钥（通过 java）的相关帖子：Java keytool easy way to add server cert from url/port