2016-12-07 122 views
2

Handshake failure at ClientKeyExchange, using a certificate chain

I am trying to set up a two-way TLS connection to a web service using Java. I have been given a pfx certificate containing the private key and a certificate chain of 3 certificates. Below is the Java code, using the Spring framework:

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender;

// keyStore / trustStore (Spring Resource) and keyStorePassword / trustStorePassword (String)
// are fields of the configuration class; their declarations are not part of the post.
@Bean 
public Client weatherClient(Jaxb2Marshaller marshaller) throws Exception { 
    Client client = new Client(); 
    client.setDefaultUri("....."); 
    client.setMarshaller(marshaller); 
    client.setUnmarshaller(marshaller); 

    // Client key material: the PKCS12 (.pfx) file holding the private key and its certificate chain.
    // Calling getInputStream() a second time just to close it opens a new stream and leaks the
    // first one, so load and close the single stream with try-with-resources instead.
    KeyStore ks = KeyStore.getInstance("PKCS12"); 
    try (InputStream in = keyStore.getInputStream()) { 
        ks.load(in, keyStorePassword.toCharArray()); 
    } 
    LOGGER.info("Loaded keystore: " + keyStore.getURI().toString()); 

    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    keyManagerFactory.init(ks, keyStorePassword.toCharArray()); 

    // Trust material: the CA certificates the server's chain must validate against.
    KeyStore ts = KeyStore.getInstance("PKCS12"); 
    try (InputStream in = trustStore.getInputStream()) { 
        ts.load(in, trustStorePassword.toCharArray()); 
    } 
    LOGGER.info("Loaded trustStore: " + trustStore.getURI().toString()); 

    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 
    trustManagerFactory.init(ts); 

    // Hand both to the Spring WS sender so this client uses them instead of the JVM defaults.
    HttpsUrlConnectionMessageSender messageSender = new HttpsUrlConnectionMessageSender(); 
    messageSender.setKeyManagers(keyManagerFactory.getKeyManagers()); 
    messageSender.setTrustManagers(trustManagerFactory.getTrustManagers()); 
    client.setMessageSender(messageSender); 
    return client; 
} 

So far I get a ClientHello, then a ServerHello with the server's certificate sent, and I also get a "Found trusted certificate". Then there is a CertificateRequest that does not find any certificate:

*** CertificateRequest 
Cert Types: RSA, DSS 
Cert Authorities: 
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US> 
.... 
.... 
*** ServerHelloDone 
Warning: no suitable certificate found - continuing without client authentication 
*** Certificate chain 
<Empty> 
*** 

I have added the certificates individually to lib/security/cacerts. It seems the first certificate exchange happens against the cacerts keystore, because I get the same behaviour if that is the only place the certificates are added. It looks like the request is looking for the certificate chain but cannot find it, even though I have imported the private key and certificate chain as PKCS12 into the KeyStore object. Any help would be appreciated.

UPDATE

I get a handshake failure after the ClientKeyExchange. I think this is due to the warning above, but I may be wrong.

*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
main, WRITE: TLSv1 Handshake, length = 269 
SESSION KEYGEN: 
PreMaster Secret: 
.... 
.... 
0000: B0 E2 38 5E 40 4E 7C C5       ..8^@N.. 
Server write IV: 
0000: 44 40 45 E1 82 45 15 9B       D@E..E.. 
main, WRITE: TLSv1 Change Cipher Spec, length = 1 
*** Finished 
verify_data: { 109, 220, 225, 98, 98, 233, 48, 215, 61, 50, 58, 207 } 
*** 
main, WRITE: TLSv1 Handshake, length = 40 
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1 ALERT: fatal, handshake_failure 
%% Invalidated: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA] 

UPDATE

Mutual authentication works if I add the keystore as the variable -Djavax.net.ssl.keyStore=, but with the keystore set in code I get the following. The keystore and truststore specified in the code are found, and the certificate chain and trust store are shown; then an empty keystore is shown, and the JVM cacerts is used as the trusted certificates in the debug output:

*** 
found key for : devcert 
chain [0] = [ 
[ 
    Version: V3 ...... 

*** 
adding as trusted cert: 
    Subject: 

is shown, followed by:

keyStore is : 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
    Subject: CN=ubuntu 

Then there is a ServerHello (*** ServerHello, TLSv1) for which the certificate is found:

*** 
    Found trusted certificate: 
but the Certificate Request does find a matching certificate as above, unless it is added as a variable 
*** CertificateRequest 
Cert Types: RSA, DSS 
Cert Authorities: 
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US> 
.... 
.... 
*** ServerHelloDone 
Warning: no suitable certificate found - continuing without client authentication 
*** Certificate chain 
<Empty> 
*** 

Behaviour with the keystore added as the variable -Djavax.net.ssl.keyStore=:

*** ServerHelloDone 
matching alias: devcert 
*** Certificate chain 
chain [0] = [ 
[ 
    Version: V3 

I want to use the keystore and truststore from the program code because I would like to be able to change them dynamically later.

+0

Re edit: you will have to look at the server's SSL log to see what is going wrong there. If the client sent a Certificate message, the client certificate has already worked. – EJP

+0

Thanks for letting me know. I don't have access to the server, but I'm guessing some data exchange after the ClientKeyExchange is causing the error. Maybe the wrong data is being passed to the server. –

Answer

1

You should not have been given a private key. That is already a major security breach. The actual problem is that the certificate is not signed by one of the CAs named in the CertificateRequest message, or it is not of one of the types named there.

+0

I was given the private key in a .pfx file on disk. I can connect to the service with the certificate using SoapUI. The type of the certificate is Key algorithm: RSA –

+0

And it is not signed by Thawte. – EJP

+0

Thanks. I obtained the Thawte certificate via my browser and imported it into the cacerts keystore; without it I got a fatal at the ServerHello stage, description = certificate_unknown –
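An added diagnostic (my code, not the poster's or EJP's) that reproduces offline the alias selection the JSSE key manager makes when the CertificateRequest arrives, so the issuer or key-type mismatch described in the answer shows up before any handshake. It assumes the .pfx path and password are passed on the command line, and uses the one CA name visible in the debug output above as the server's issuer list.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {
    // CA names from the CertificateRequest in the debug output; the lines elided there
    // with "...." may list more, and those would have to be added here.
    static final Principal[] REQUESTED_ISSUERS = {
        new X500Principal("CN=Thawte SSL CA, O=\"Thawte, Inc.\", C=US") };
    // "Cert Types: RSA, DSS" from the log; JSSE hands dss_sign to the key manager as "DSA".
    static final String[] REQUESTED_KEY_TYPES = { "RSA", "DSA" };

    public static void main(String[] args) throws Exception {
        String path = args[0];                    // placeholder: path to the .pfx file
        char[] password = args[1].toCharArray();  // placeholder: its password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        // Step 1: what the store really holds. If no chain has an issuer that is in
        // REQUESTED_ISSUERS, that is the cause of "no suitable certificate found".
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) { System.out.println(alias + ": no private key"); continue; }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("key entry '" + alias + "', chain length " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal() + "\n  issuer="
                        + x.getIssuerX500Principal() + "\n  keyAlg=" + x.getPublicKey().getAlgorithm());
            }
        }
        // Step 2: ask the default (SunX509) key manager, exactly as the handshake does.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String chosen = km.chooseClientAlias(REQUESTED_KEY_TYPES, REQUESTED_ISSUERS, null);
        System.out.println(chosen == null
                ? "no suitable certificate: no chain issued by a requested CA, or wrong key type"
                : "key manager would send alias '" + chosen + "'");
    }
}
```

A null result here corresponds exactly to the "no suitable certificate found - continuing without client authentication" line in the debug output, while a non-null alias means the key manager would send the chain and the failure lies elsewhere.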
