我的示例webapp代表其客户端安全地调用webservices,这适用于我的本地环境,现在我想尝试在Heroku上部署它。
我设置了Procfile,如下所示:
web: java $JAVA_OPTS -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=cacerts_custom.jks -Djavax.net.ssl.trustStorePassword=password -jar target/dependency/webapp-runner.jar --port $PORT target/*.war
感谢-Djavax.net.debug=ssl我可以清楚地看到我添加到cacerts文件中的自定义服务器证书正在加载。
app web.1 - - trustStore is: cacerts_custom.jks
app web.1 - - trustStore type is : jks
app web.1 - - trustStore provider is :
app web.1 - - init truststore
app web.1 - - adding as trusted cert:
app web.1 - - Subject: me me me
app web.1 - - Issuer: me me me
但我仍然不断获得这些例外:
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle (ApacheHttpClient4Handler.java:184)
...
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
app web.1 - - INFO: 1 * Client out-bound request
app web.1 - - 1 > GET https://webservice.com:80/gimmestuff
app web.1 - - 1 > Accept-Encoding: application/zip
app web.1 - -
app web.1 - - http-nio-31384-exec-5, setSoTimeout(0) called
app web.1 - - Allow unsafe renegotiation: false
app web.1 - - Allow legacy hello messages: true
app web.1 - - Is initial handshake: true
app web.1 - - Is secure renegotiation: false
app web.1 - - %% No cached client session
app web.1 - - *** ClientHello, TLSv1
app web.1 - - RandomCookie: GMT: 1340484029 bytes = { 185, 85, 19, 4, 68, 226, 214, 134, 35, 143, 91, 59, 106, 156, 34, 20, 77, 75, 64, 92, 131, 186, 239, 23, 168, 188, 37, 157 }
app web.1 - - Session ID: {}
app web.1 - - Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
app web.1 - - Compression Methods: { 0 }
app web.1 - - ***
app web.1 - - http-nio-31384-exec-5, WRITE: TLSv1 Handshake, length = 75
app web.1 - - http-nio-31384-exec-5, WRITE: SSLv2 client hello message, length = 101
app web.1 - - http-nio-31384-exec-5, READ: TLSv1 Alert, length = 2
app web.1 - - http-nio-31384-exec-5, RECV TLSv1 ALERT: fatal, handshake_failure
app web.1 - - http-nio-31384-exec-5, called closeSocket()
app web.1 - - http-nio-31384-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
app web.1 - - http-nio-31384-exec-5, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
app web.1 - - http-nio-31384-exec-5, called close()
app web.1 - - http-nio-31384-exec-5, called closeInternal(true)
app web.1 - - http-nio-31384-exec-5, called close()
app web.1 - - http-nio-31384-exec-5, called closeInternal(true)
所以,在这一点上,我想知道:
webapp-runner.jar以使用cacerts_custom.jks文件吗?我看到Using Apache httpclient for https这里可能存在httpclient的潜在问题,但我发现很难相信它今天仍然存在问题。我会研究并回复,但如果有人知道答案,请告诉我们。
如果我按照以下stackoverflow帖子中的内容进行操作:
Receiving SSLHandshakeException: handshake_failure despite my client ignoring all certs
它暗示以下日志是出现问题的迹象:
app[web.1]: http-nio-45949-exec-4, WRITE: TLSv1 Handshake, length = 75
app[web.1]: http-nio-45949-exec-4, WRITE: SSLv2 client hello message, length = 101
app[web.1]: http-nio-45949-exec-4, READ: TLSv1 Alert, length = 2
app[web.1]: http-nio-45949-exec-4, RECV TLSv1 ALERT: fatal, handshake_failure
那么有什么可归咎于此?提出服务器证书的一方?这不可能是因为我的本地托管的webapp可以在那一方工作......除非我的本地环境中的JDK与Heroku上的那些在SSL握手和/或协议的实现上截然不同的是什么?
答案 0 :(得分:3)
出于许可原因,Heroku使用的OpenJDK构建版本不包括Java Cryptography Extensions(JCE)。某些SSL证书需要处理JCE。
您可以按照本文中的步骤将JCE与您的应用包含在JDK中:https://devcenter.heroku.com/articles/customizing-the-jdk
在此处下载JCE:http://www.oracle.com/technetwork/java/javase/downloads/index.html