背景介绍：

工作机器 MacBook Pro (Retina, 15-inch, Mid 2015)
jdk版本
java version "1.8.0_141"
Java(TM) SE Runtime Environment (build 1.8.0_141-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.141-b15, mixed mode)

最近在对接某个金融渠道接口，要求用https确保接口安全传输
流程是先要请求授权接口(https://***.oktapreview.com)，拿到授权token后请求业务接口（https://****.yewu.com）
授权接口请求没有问题，但是业务接口请求时一直报错：

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

解决过程：

报了ssl异常，我感到很奇怪，两个都是https请求，相同的写法，相同的环境，按理说不会出现某一个出问题，要不就是同时出问题，
遇到问题不用慌，先Google一波看看有没有前辈解决过此问题

网上说法
1、有人建议把https换成http就可以。。。
这种做法直接放弃，http请求当然可以成功，但是不能保证传输安全性
2、有说可能是client的SSL协议版本和server端不一致导致的问题，需要使用相同版本
我们可以在jvm启动时加上参数-Djavax.net.debug=all启动网络debug模式
局部日志
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1593161682 bytes = { 151, 175, 201, 95, 23, 183, 229, 206, 157, 48, 75, 117, 3, 71, 122, 216, 203, 184, 58, 95, 208, 62, 104, 85, 187, 86, 151, 185 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
......
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)

由上面日志可以发现发送端和接收端使用的都是TLSv1.2版本，因此不是SSL协议版本不一致问题
从Cipher Suites属性中发现发送端的密码套接字仅支持AES_128，Compression Methods: { 0 } 意思是密码套接字匹配数为0 没有符合的自然就握手失败了

TLS握手过程：

client1：TLS版本号+所支持加密套件列表+希望使用的TLS选项

Server1:选择一个客户端的加密套件+自己的公钥+自己的证书+希望使用的TLS选项+（要求客户端证书）；

Client2:(自己的证书)+使用服务器公钥和协商的加密套件加密一个对称秘钥（自己生成的一个随机值）；

Server2:使用私钥解密出对称秘钥（随机值）后，发送加密的Finish消息，表明完成握手

以上过程任何一步失败都会handshake_failure

Linux环境可以用nmap查看服务端SSL版本
安装nmap命令sudo yum install nmap

nmap --script ssl-enum-ciphers -p 44 <域名>

***.oktapreview.com 扫描结果：

Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-07 13:48 CST
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds

****.yewu.com 扫描结果：

tarting Nmap 6.40 ( http://nmap.org ) at 2021-01-07 13:49 CST
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.1: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 5.87 seconds

从以上两个域名的扫描结果来看
***.oktapreview.com支持TLSv1.2版本的AES128和AES256，****.yewu.com仅支持TLSv1.2版本的AES256，而我们客户端只能支持TLSv1.2的AES128，这也就解释了为什么授权接口可以，而业务接口报错了

现在我们知道了是密码套接字不支持的问题，由网络debug日志可以看到我们使用的jdk8仅能支持TLSv1.2的AES128，所以我们需要对jdk8的security包做拓展来支持TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
解决方法：
jdk7：下载javase-jce7.jar http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
jdk8：下载javase-jce8.jar https://www.oracle.com/java/technologies/javase-jce8-downloads.html
下载解压后将两个jar放在{JAVA_HOME}/jre/lib/security 目录下覆盖替换即可

Linux一键脚本

curl -q -L -C - -b "oraclelicense=accept-securebackup-cookie" -o /tmp/jce_policy-8.zip \
       -O http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
    && unzip -oj -d ${JAVA_HOME}/jre/lib/security /tmp/jce_policy-8.zip \*/\*.jar \
    && rm /tmp/jce_policy-8.zip

总结：

https请求出现Received fatal alert:handshake_failure异常时，有可能是TSL版本不一致问题，还有可能密码套接字不支持，jdk8默认使用TLSv1.2版本，套接字不支持手动添加对应jar包来拓展即可