Certificate downloaded from cloudexpress:11443 is invalid

问题描述：

CertificateManagement : Server is not trusted.Received fatal alert: handshake_failure. Now installing certificates
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

当升级BMC CLM至4.6后，调用部分webservice会出现这个问题，该问题的主要原因是：Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication，Java 6 uses an SSLv2Hello pseudo message to encapsulate the Client Hello message. By default,
Java 7 rejects handshake requests that use the SSLv2Hello pseudo message. This is what is causing the SSL/TLS handshake to fail.

所以解决办法有两种：1修改tomcat7配置文件，允许SSLv2Hello，2修改tomcat6配置文件，禁用SSLv2Hello

解决方案1

1 修改tomcat7配置文件server.xml，修改为如下内容

<!-- 修改前 -->
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

<!--修改后 -->
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />

如果这些配置都在catalina.properties文件配置的话，那就需要改这个文件，不用改上面的了。

下面只是修改完成后的示例

# Connector HTTPS (SSL) enabled protocols
# Default=TLSv1,TLSv1.,TLSv1.
#
bna.connector.sslEnabledProtocols=TLSv1,TLSv1.,TLSv1.,SSLv2Hello

解决方案2

1 禁用SSLv2Hello握手协议

修改java启动选项参数。打开tomcat，在java tab页下最后一行添加如下参数：

java -Dhttps.protocols="SSLv2Hello"

如果还是不行，建议升级到同一版本吧

注意：修改前请停掉tomcat服务，修改完再启动

参考

Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication