我需要使用自签名(或未签名)证书作为HTTPS侦听器的证书,以获取其中一个流的入站端点。我已经尝试了几种方法来生成证书,但是当侦听器尝试读取请求时我总是会收到错误:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Google似乎认为bad_certificate消息与信任存储有关。无论有无mule tls-server配置,我都会继续看到相同的错误,该配置应该定义信任存储。
我使用了几种不同的机制来创建证书:
在配置了tls-server和tls-client元素的情况下,我都尝试了这两种元素,所有这些都在mule文档中进行了描述。
我最终试图确定Mule可以接受哪些关键类型,以及问题的根本原因是什么。任何建议表示赞赏。
我的配置和错误日志如下(省略各种样板内容)
骡-config.xml中
<https:connector name="connectorName">
<!-- only one key, alias 'mule' -->
<https:tls-key-store path="/opt/mule/keys/keystore.jks" keyPassword="thePassword" storePassword="thePassword"/>
<!-- I've also tried the following, same error occurs both with or without this parameter -->
<https:tls-server path="/opt/mule/keys/keystore.jks storePassword="thePassword"/>
</https:connector>
<flow name="theFlow">
<https:inbound-endpoint host="0.0.0.0" port="8081" connector-ref="connectorName"/>
<!-- stuff: not important, works with http -->
</flow>
此配置正确加载,但是当我尝试使用与HTTP一起使用的相同方法发布请求时(但使用https://代替)我收到以下错误,并且没有回复(不是500错误,或任何东西,连接刚刚关闭)。此特定运行来自我使用HTTPS传输的mulesoft文档上的说明生成的密钥,但它与我使用任何其他方法获得的错误没有任何不同。
错误列表
[ERROR] org.mule.exception.DefaultSystemExceptionStrategy - Caught exception in Exception Strategy: Received fatal alert: bad_certificate
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1571)
at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:689)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.sendChangeCipherAndFinish(ServerHandshaker.java:1279)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientFinished(ServerHandshaker.java:1239)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:225)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:50)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
最后,感谢您抽出时间阅读这篇文章。
更新
我已经开始获得不同的堆栈跟踪,但是同样的错误。改变?密钥和密钥库现在有不同的密码。
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:820)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:50)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
at org.mule.work.WorkerContext.run(WorkerContext.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
更新2
我将... / jre / lib / security / cacerts文件的密钥添加为可信证书。没有变化。
答案 0 :(得分:1)
创建Mule文档中显示的自签名证书的方法有效:我已多次使用它。我再次尝试了它,它适用于您的配置,但我删除了https:tls-server,这是无用的。
以下是我遵循的步骤:
keytool -genkey -alias mule -keyalg RSA -keystore keystore.jks(我为密钥库和密钥密码使用了“thePassword”)。配置骡子:
<https:connector name="connectorName">
<https:tls-key-store
path="...path.../keystore.jks"
keyPassword="thePassword" storePassword="thePassword" />
</https:connector>
<flow name="theFlow">
<https:inbound-endpoint host="0.0.0.0" port="8081"
connector-ref="connectorName" />
<set-payload value="w00t" />
</flow>
经过测试:
$ curl -vk https://localhost:8081
* About to connect() to localhost port 8081 (#0)
* Trying 127.0.0.1... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=Unknown
* start date: 2013-05-15 18:20:34 GMT
* expire date: 2013-08-13 18:20:34 GMT
* common name: Unknown (does not match 'localhost')
* issuer: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=Unknown
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: localhost:8081
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 15 May 2013 11:24:24 -0700
< Server: Mule Core/3.4.0
< X-MULE_SESSION: rO0ABXNyACNvcmcubXVsZS5zZXNzaW9uLkRlZmF1bHRNdWxlU2Vzc2lvbi7rdtEW7GGKAwAEWgAFdmFsaWRMAA1mbG93Q29uc3RydWN0dAAmTG9yZy9tdWxlL2FwaS9jb25zdHJ1Y3QvRmxvd0NvbnN0cnVjdDtMAAJpZHQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAD3NlY3VyaXR5Q29udGV4dHQAJ0xvcmcvbXVsZS9hcGkvc2VjdXJpdHkvU2VjdXJpdHlDb250ZXh0O3hwAXB0ACRhYjcwZTY0OS1iZDhjLTExZTItOWU5Yy1mZjdmMDIxMmE5MmZwc3IAJWphdmEudXRpbC5Db2xsZWN0aW9ucyRTeW5jaHJvbml6ZWRNYXAbc/kJS0s5ewMAAkwAAW10AA9MamF2YS91dGlsL01hcDtMAAVtdXRleHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwc3IAJG9yZy5tdWxlLnV0aWwuQ2FzZUluc2Vuc2l0aXZlSGFzaE1hcJ3R2e9nRc4AAwAAeHB3DD9AAAAAAAAQAAAAAHhxAH4ACXh4
< X-MULE_ENCODING: UTF-8
< LOCAL_CERTIFICATES: [Ljava.security.cert.X509Certificate;@1c5e22a
< Content-Type: text/plain
< Content-Length: 4
< Connection: close
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
w00t
答案 1 :(得分:0)
希望这有助于其他人。我用jdk1.6.0_45运行Mule EE 3.5.0。上面列出的命令不会生成兼容的密钥库。密钥库在工作室中运行时很好,但不能在独立的ESB上运行。
我查看了mule-security-example3.5.0应用程序上使用的密钥库,发现了差异。我使用KeyStore Explorer创建了具有这些属性的密钥库
尺寸:1024 版本:1 Alg:MD5与RSA
也许在我的Mule EE实例上配置了一些东西;如果有人能指出我正确的方向,我会很感激。使用具有上述属性的密钥将适用于本周从客户门户网站下载的EE 3.5.0。