I am currently working on a web service client that will connect to a third-party web service over SSL.
The web service client is developed using Spring and Apache CXF.
I currently have no access to the third-party web service, so I am using SoapUI to provide a mock service.
When I don't try to implement any security, the client happily sends requests to the mock service.
My problem is when I try to use SSL to secure the connection between the client and the server (the server being the mock service).
This is the first time I have tried to implement any kind of secure connection, so apologies if I am missing something basic, but I have spent several hours searching on this subject to no avail.
To try to secure the connection, I used the Java keytool utility to create private keys, self-signed certificates and truststores for both the client and the server:
keytool -genkey -alias clientKey -keyalg RSA -keypass changeit -storepass changeit -keystore clientKeyStore.jks
keytool -export -alias clientKey -storepass changeit -file client.cer -keystore clientKeyStore.jks
keytool -genkey -alias serverKey -keyalg RSA -keypass changeit -storepass changeit -keystore serverKeyStore.jks
keytool -export -alias serverKey -storepass changeit -file server.cer -keystore serverKeyStore.jks
I have added the certificates of both keys to both truststores:
keytool -import -v -trustcacerts -alias clientKey -file client.cer -keystore serverCaCerts.jks -keypass changeit
keytool -import -v -trustcacerts -alias clientKey -file client.cer -keystore clientCaCerts.jks -keypass changeit
keytool -import -v -trustcacerts -alias serverKey -file server.cer -keystore serverCaCerts.jks -keypass changeit
keytool -import -v -trustcacerts -alias serverKey -file server.cer -keystore clientCaCerts.jks -keypass changeit
I then configured the mock service in SoapUI to use SSL security:
KeyStore: C:\javaSecurity\serverKeyStore.jks
KeyStore Password: changeit
Enable Mock SSL: True (enable SSL for Mock Services)
Mock Port: 8443
Mock KeyStore: C:\javaSecurity\serverKeyStore.jks
Mock Password: changeit
Mock Key Password: changeit
Mock TrustStore: C:\javaSecurity\serverCaCerts.jks
Mock TrustStore Password: changeit
Client Authentication: false (does not require client authentication)
I then set up the following configuration in the client's applicationContext.xml:
<http:conduit name="*.http-conduit">
    <http:tlsClientParameters secureSocketProtocol="SSL" disableCNCheck="true">
        <sec:keyManagers keyPassword="changeit">
            <sec:keyStore type="JKS" password="changeit"
                          file="C:\\javaSecurity\\clientKeyStore.jks"/>
        </sec:keyManagers>
        <sec:trustManagers>
            <sec:keyStore type="JKS" password="changeit"
                          file="C:\\javaSecurity\\clientCaCerts.jks"/>
        </sec:trustManagers>
    </http:tlsClientParameters>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
</http:conduit>
When I try to send a message from the client, I get the following error on the client side:
2014-01-28 14:17:36,094 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,098 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,099 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,099 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite is included by the filter.
2014-01-28 14:17:36,099 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_RSA_WITH_NULL_MD5 cipher suite is excluded by the filter.
2014-01-28 14:17:36,099 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_RSA_WITH_NULL_SHA cipher suite is excluded by the filter.
2014-01-28 14:17:36,099 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DH_anon_WITH_RC4_128_MD5 cipher suite is excluded by the filter.
2014-01-28 14:17:36,100 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_DH_anon_WITH_AES_128_CBC_SHA cipher suite is excluded by the filter.
2014-01-28 14:17:36,100 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suite is excluded by the filter.
2014-01-28 14:17:36,100 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DH_anon_WITH_DES_CBC_SHA cipher suite is excluded by the filter.
2014-01-28 14:17:36,100 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 cipher suite is excluded by the filter.
2014-01-28 14:17:36,101 DEBUG [ServiceThread] (LogUtils.java:443) - The SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA cipher suite is excluded by the filter.
2014-01-28 14:17:36,101 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_RC4_128_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,101 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_RC4_128_MD5 cipher suite is included by the filter.
2014-01-28 14:17:36,101 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_3DES_EDE_CBC_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,102 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_3DES_EDE_CBC_MD5 cipher suite is included by the filter.
2014-01-28 14:17:36,102 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_DES_CBC_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,102 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_WITH_DES_CBC_MD5 cipher suite is included by the filter.
2014-01-28 14:17:36,103 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_EXPORT_WITH_RC4_40_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,104 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_EXPORT_WITH_RC4_40_MD5 cipher suite is included by the filter.
2014-01-28 14:17:36,104 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA cipher suite is included by the filter.
2014-01-28 14:17:36,104 DEBUG [ServiceThread] (LogUtils.java:443) - The TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 cipher suite is included by the filter.
2014-01-28 14:17:36,104 DEBUG [ServiceThread] (LogUtils.java:443) - The enabled cipher suites have been filtered down to [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5].
2014-01-28 14:17:36,105 DEBUG [ServiceThread] (LogUtils.java:443) - The excluded cipher suites have been filtered down to [SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA].
2014-01-28 14:17:36,107 DEBUG [ServiceThread] (LogUtils.java:443) - The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
2014-01-28 14:17:36,107 DEBUG [ServiceThread] (Headers.java:257) - Accept: */*
2014-01-28 14:17:36,107 DEBUG [ServiceThread] (HTTPConduit.java:1707) - No Trust Decider for Conduit '{http://cxf.apache.org}TransportURIResolver.http-conduit'. An afirmative Trust Decision is assumed.
2014-01-28 14:17:36,247 DEBUG [ServiceThread] (DefaultResourceManager.java:103) - resolving resource <https://pc-1049:8443/mockServiceSOAPBinding?WSDL> as stream
2014-01-28 14:17:36,248 DEBUG [ServiceThread] (DefaultResourceManager.java:103) - resolving resource <https://pc-1049:8443/mockServiceSOAPBinding?WSDL> type <class java.net.URL>
2014-01-28 14:17:36,248 DEBUG [ServiceThread] (HTTPConduit.java:895) - Conduit '{http://cxf.apache.org}TransportURIResolver.http-conduit' has been (re)configured for plain http.
2014-01-28 14:17:36,249 DEBUG [ServiceThread] (HTTPConduit.java:361) - No Trust Decider configured for Conduit '{http://cxf.apache.org}TransportURIResolver.http-conduit'
2014-01-28 14:17:36,249 DEBUG [ServiceThread] (HTTPConduit.java:374) - No Auth Supplier configured for Conduit '{http://cxf.apache.org}TransportURIResolver.http-conduit'
2014-01-28 14:17:36,249 DEBUG [ServiceThread] (HTTPConduit.java:393) - Conduit '{http://cxf.apache.org}TransportURIResolver.http-conduit' has been configured for plain http.
2014-01-28 14:17:36,249 DEBUG [ServiceThread] (AbstractObservable.java:46) - registering incoming observer: org.apache.cxf.transport.TransportURIResolver$1@76e1db
In the SoapUI log, I get the following error message:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
Can anyone help me and point out what I might be missing?
As I mentioned earlier, I don't have much experience in this area, so please don't assume something is too basic to mention - if I haven't mentioned it, there is a good chance I have missed it!
Thanks in advance to anyone who replies.
Answer 0 (score: 2)
The cause of this problem turned out to be where I had defined my http:conduit settings.
The http-conduit definition I had included in my applicationContext.xml actually needs to be defined in a separate cxf.xml file on the classpath.
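As an added example (not code from the original post and not CXF project code), here is what a complete cxf.xml on the classpath root could look like for this setup, with the hardening a reviewer would ask for. Paths, passwords and the host name pc-1049 are taken from the question; the TLSv1.2 protocol name, the cipher-suite filter and the decision to keep the CN check enabled are my choices, and they assume a JDK that supports TLSv1.2 and a server certificate whose CN matches the host name the client connects to (e.g. regenerated with keytool -genkey -dname "CN=pc-1049" ...).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- cxf.xml: added example, not from the original post. Place it on the classpath
     root (e.g. src/main/resources/cxf.xml); CXF's SpringBusFactory loads it when
     the bus is created, or point at it with the cxf.config.file system property. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- "*.http-conduit" matches every conduit, including the
       {http://cxf.apache.org}TransportURIResolver.http-conduit that CXF uses to
       fetch the WSDL over https (visible in the question's debug log). A narrower
       name such as {service-namespace}PortName.http-conduit would not cover it. -->
  <http:conduit name="*.http-conduit">

    <!-- Protocol name is an assumption (needs Java 7+). "SSL", as in the question,
         asks the JDK for its generic SSL/TLS context and leaves SSLv3 negotiable.
         disableCNCheck="false" keeps host name verification on, so a certificate
         for another host (or an attacker's self-signed one) is rejected. -->
    <http:tlsClientParameters secureSocketProtocol="TLSv1.2" disableCNCheck="false">

      <!-- Only needed when the server requests a client certificate. The SoapUI
           mock in the question has "Client Authentication: false", so this block
           can be omitted for that mock and added back for the real service. -->
      <sec:keyManagers keyPassword="changeit">
        <sec:keyStore type="JKS" password="changeit"
                      file="C:\\javaSecurity\\clientKeyStore.jks"/>
      </sec:keyManagers>

      <!-- The truststore must contain server.cer (the mock's self-signed cert).
           A certificate_unknown alert from the client means this trust manager
           was not applied or the store does not hold the presented certificate. -->
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="changeit"
                      file="C:\\javaSecurity\\clientCaCerts.jks"/>
      </sec:trustManagers>

      <!-- Drop the export, DES, RC4, MD5 and anonymous suites that the question's
           log shows as enabled; keep only AES suites. A suite is enabled when it
           matches an include and no exclude. -->
      <sec:cipherSuitesFilter>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_NULL_.*</sec:exclude>
        <sec:exclude>.*_anon_.*</sec:exclude>
        <sec:exclude>.*_EXPORT_.*</sec:exclude>
        <sec:exclude>.*_DES_.*</sec:exclude>
        <sec:exclude>.*_RC4_.*</sec:exclude>
        <sec:exclude>.*_MD5</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>

    <http:client AutoRedirect="true" Connection="Keep-Alive"/>
  </http:conduit>
</beans>
```

Two checks worth running before blaming the configuration: confirm the truststore really holds the server certificate with keytool -list -v -keystore clientCaCerts.jks -storepass changeit, and confirm the conduit was picked up by looking in the CXF debug log for "The cipher suites have been set to ..." immediately before the https request rather than the "has been (re)configured for plain http" line the question shows.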