java network_error ai_generated true

javax.net.ssl.SSLException:没有合适的协议(协议被禁用或密码套件不合适)

javax.net.ssl.SSLException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

ID: java/ssl-exception-no-appropriate-protocol

其他格式: JSON · Markdown 中文 · English
80%修复率
85%置信度
1证据数
2023-06-15首次发现

版本兼容性

版本状态引入弃用备注
Java 11 active
Java 17 active
Java 21 active
OpenJDK 11.0.20 active
OpenJDK 17.0.8 active

根因分析

当客户端和服务器无法就TLS协议版本达成一致时发生,通常是因为Java 11+默认禁用了TLSv1或TLSv1.1等旧协议(通过jdk.tls.disabledAlgorithms),而服务器只支持这些已弃用的版本。

English

This error occurs when the client and server cannot agree on a TLS protocol version, often because older protocols like TLSv1 or TLSv1.1 have been disabled by default in Java 11+ (jdk.tls.disabledAlgorithms) and the server only supports those deprecated versions.

generic

官方文档

https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-6F2F5B1A-9B9C-4E3E-9A5A-5B5C5D5E5F5A

解决方案

  1. Add the system property -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the JVM startup arguments to explicitly enable the deprecated protocol (e.g., TLSv1.1) that the server supports.
  2. Modify the java.security file (located at $JAVA_HOME/conf/security/java.security) to remove 'TLSv1, TLSv1.1' from the jdk.tls.disabledAlgorithms property, then restart the application.
  3. For Apache HttpClient, set the SSLContext to use a custom SSLParameters that enables TLSv1.1: `SSLContext sslContext = SSLContext.getInstance("TLSv1.1"); sslContext.init(null, trustAllCerts, new SecureRandom());`

无效尝试

常见但无效的做法:

  1. Setting the system property -Dhttps.protocols=TLSv1.2,TLSv1.3 globally 60% 失败

    This only sets the client's preferred protocols but does not override the disabled algorithm list; if the server only offers TLSv1.1, the connection still fails.

  2. Upgrading the server to support TLSv1.2 without client-side changes 70% 失败

    The error is client-side; if the server cannot be upgraded (e.g., legacy mainframe), the client must explicitly enable the deprecated protocol.

  3. Ignoring the error and retrying the connection indefinitely 90% 失败

    The protocol mismatch is a configuration issue; retrying will not resolve the underlying incompatibility.