java
protocol_error
ai_generated
partial
javax.net.ssl.SSLException:没有可用的算法
javax.net.ssl.SSLException: No available algorithms
ID: java/ssl-exception-no-algorithms
82%修复率
80%置信度
1证据数
2024-09-01首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Java 8 | active | — | — | — |
| Java 11 | active | — | — | — |
| Java 17 | active | — | — | — |
| Java 21 | active | — | — | — |
根因分析
SSL/TLS 握手失败,因为客户端和服务器没有共享任何共同的密码套件或协议版本,通常是由于安全策略限制或配置过时。
English
The SSL/TLS handshake fails because the client and server do not share any common cipher suites or protocol versions, often due to restrictive security policies or outdated configurations.
官方文档
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html解决方案
-
Enable specific cipher suites on the client: `System.setProperty("https.cipherSuites", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");` or use a custom SSLContext with `SSLContext.getInstance("TLSv1.2")`. -
Update the server to support modern cipher suites (e.g., TLS 1.2 or 1.3 with AES-GCM). On the JVM side, remove the `jdk.tls.disabledAlgorithms` restriction in `java.security` if appropriate.
-
Use a more permissive SSLContext: `SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[]{new X509TrustManager() { public void checkClientTrusted(X509Certificate[] c, String a) {} public void checkServerTrusted(X509Certificate[] c, String a) {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}, null);` (for testing only).
无效尝试
常见但无效的做法:
-
90% 失败
This completely disables certificate validation, creating a severe security vulnerability, and may not resolve algorithm mismatch.
-
70% 失败
Newer Java versions may remove weak cipher suites, so the mismatch persists if the server only offers deprecated algorithms.
-
60% 失败
If the server does not support TLSv1.2, the handshake still fails with a different error.