
Fixing HttpClient failures when accessing HTTPS sites (peer not authenticated)

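2016-04-07 00:00 453 views
Summary: This problem bothered me for several days and I finally solved it today; it had nothing to do with the code. I still don't really understand the underlying principle, though. If any expert understands it, please explain.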

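Recently a crawler that fetches order data ran into a problem; the error reported was peer not authenticated.

Searching on Baidu turned up all kinds of solutions, but most of them followed one idea: ignore certificate verification. But my code already performed the steps to ignore certificates.

So why did this error still appear? I could not figure it out.

I then tried importing a local certificate, as well as various versions of the certificate-ignoring code. All of them failed.

One thing caught my attention: the crawler ran fine in my Linux Mint environment but not on Windows 7. It might be an environment problem. Linux had OpenJDK 7 installed, Windows 7 had JDK 7 1.7.0_79, and the server had JDK 1.7.0_55.

Could it really be a JDK problem?

I then turned on debug mode in the code: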

System.setProperty("javax.net.debug", "ssl");


Debug output when running on Linux:

true
adding as trusted cert:
Subject: (certificate content omitted)

trigger seeding of SecureRandom
done seeding SecureRandom
executing requestGET     HTTP/1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client sess


Debug output on Windows 7:

true
adding as trusted cert:
(certificate content omitted)

trigger seeding of SecureRandom
done seeding SecureRandom
executing requestGET    HTTP/1.1
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
……

main, WRITE: TLSv1 Handshake, length = 181
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


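The comparison is clear: more cipher suites are ignored on Windows 7, and that is probably the problem.

I saw a question on Stack Overflow which roughly said that because the client's encryption is too weak, the server considers it insecure and the handshake fails.

This is the error: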

RECV TLSv1 ALERT: fatal, handshake_failure


That made the target clear. I then found this post, which describes exactly the same problem as mine.

http://www.e2college.com/blogs/java_security/ssl_handshake_failure_due_to_unsupported_cipher_su.html

SSL Handshake failure due to unsupported cipher suite
In my program which tried to open HTTPS connection to a remote server I got the following handshake error:
2014-09-19 11:33:55,649 [JBOSS-F] INFO [stdout] http--0.0.0.0-8081-2, RECV TLSv1 ALERT: fatal, handshake_failure
A further dump of the log showed that it is because the 256 bit ciphers are not supported:
2014-09-19 11:33:55,549 [JBOSS-F] INFO [stdout] Opening connection to 172.17.3.45:443...
2014-09-19 11:33:55,550 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,550 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
2014-09-19 11:33:55,550 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,550 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,551 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
2014-09-19 11:33:55,551 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2014-09-19 11:33:55,551 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
2014-09-19 11:33:55,551 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
2014-09-19 11:33:55,551 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,552 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
2014-09-19 11:33:55,552 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
2014-09-19 11:33:55,552 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,552 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
2014-09-19 11:33:55,553 [JBOSS-F] INFO [stdout] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
The problem is that to run encryption stronger than 128-bit, you will need to download and install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Java SE http://www.oracle.com/technetwork/java/javase/downloads/index.html. For JDK7, it is named UnlimitedJCEPolicyJDK7.zip. To install, you will need to unzip this file, and put the 2 files inside: local_policy.jar and US_export_policy.jar, into your <JVM home>/lib/security.
Then restart the java program, and the handshake failure problem is resolved.


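The solution there says it very clearly. You need

UnlimitedJCEPolicyJDK7.zip

Just download it from

http://www.oracle.com/technetwork/java/javase/downloads/index.html

I downloaded the JDK 7 one; it contains two jars.

They go in your

<JVM home>/lib/security

(this folder seems to be under jre).

After replacing them, I re-ran the crawler and the error no longer appeared. It successfully fetched the order numbers.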

I came in this morning and solved a problem that I had spent all of last night on without success. I'm speechless...
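
To confirm whether a given JVM is running with the restricted policy, before and after installing the files, the following check can be run with the same java binary as the crawler. It is an added example, not code from the original post or from the quoted article; the class name JcePolicyCheck is hypothetical. It reports the maximum AES key length the policy allows, the AES-256 suites the default SSLContext will offer, and the directory the two policy jars belong in.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name); written in Java 7 syntax to match the post.
public class JcePolicyCheck {

    // Maximum AES key length, in bits, permitted by the installed jurisdiction policy.
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // AES-256 cipher suites that a default client socket on this JVM would offer.
    static List<String> enabledAes256Suites() throws Exception {
        String[] enabled = SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites();
        List<String> result = new ArrayList<String>();
        for (String suite : enabled) {
            if (suite.contains("AES_256")) {
                result.add(suite);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // java.home is the runtime actually in use; for a JDK install it is the jre directory.
        File securityDir = new File(System.getProperty("java.home"), "lib/security");
        System.out.println("java.version       : " + System.getProperty("java.version"));
        System.out.println("policy jar folder  : " + securityDir.getAbsolutePath());

        int bits = maxAesKeyBits();
        List<String> aes256 = enabledAes256Suites();
        System.out.println("max AES key length : " + bits);
        System.out.println("AES_256 suites enabled by default: " + aes256.size());
        for (String suite : aes256) {
            System.out.println("  " + suite);
        }

        if (bits < 256) {
            // Matches the symptom in the post: no AES-256 suite in the ClientHello,
            // so a server that accepts only those answers with handshake_failure.
            System.out.println("Restricted policy active: AES-256 suites cannot be negotiated.");
        }
    }
}
```

With the restricted policy files the reported maximum is 128; with the unlimited files it is Integer.MAX_VALUE (2147483647). On JDK 8u161 and later, and on JDK 9 and later, the unlimited policy is the default, so no separate download is needed there.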