SSL client certificate authentication with Apache HttpClient

Time: 2014-05-26 15:24:14

Tags: java ssl https ssl-certificate

Setup: I have generated self-signed certificates for the server and the client.

Added the root certificate to the truststore cacert.jks. Added the server certificate to the keystore keystore.jks. Added the Tomcat configuration correctly (the browser works fine).

Provided a separate keystore client.jks for a sample GET request, based on: http://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java

Problem: If I point the browser at localhost:8443, I get the error ssl_error_bad_cert_alert. After adding the .p12 certificate to Firefox / Chrome, I am able to load the default page, and it lets me choose interactively which certificate to send.

However, the Java client call fails with:

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

I am not sure whether a certificate is being sent at all:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<EMAILADDRESS=ca@xxx.in, CN=CA Admin, OU=CA, O=local in da house, L=Bangalore, ST=Karnataka, C=IN>
*** ServerHelloDone
*** Certificate chain
***
*** ECDHClientKeyExchange
ECDH Public value:  { ...}
main, WRITE: TLSv1 Handshake, length = 77

and it eventually fails:

main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 231, 55, 193, 12, 126, 106, 78, 235, 72, 209, 1, 113 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, waiting for close_notify or alert: state 1
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Am I sending the correct certificate (client.jks has only one), or am I sending anything at all? Is there a way to override which client certificate is sent, or to send all certificates?

Edit: adding the server debug log:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN>
*** ServerHelloDone
http-bio-8443-exec-1, WRITE: TLSv1 Handshake, length = 1476
http-bio-8443-exec-1, READ: TLSv1 Handshake, length = 77
*** Certificate chain
***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
http-bio-8443-exec-1, SEND TLSv1 ALERT:  fatal, description = bad_certificate
http-bio-8443-exec-1, WRITE: TLSv1 Alert, length = 2
http-bio-8443-exec-1, called closeSocket()
http-bio-8443-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
http-bio-8443-exec-1, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
http-bio-8443-exec-1, called close()
http-bio-8443-exec-1, called closeInternal(true)

After "*** Certificate chain" there are no entries such as "chain [n] = ...". Does this mean that no certificate was sent from the client?

Edit: adding the server log for Google Chrome. As I said before, cert auth works fine when connecting from Firefox / Chrome.

When there is no client certificate in the browser store:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN>
*** ServerHelloDone
http-bio-8443-exec-10, WRITE: TLSv1.2 Handshake, length = 1504
http-bio-8443-exec-10, READ: TLSv1.2 Handshake, length = 77
*** Certificate chain
***
%% Invalidated:  [Session-8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
http-bio-8443-exec-10, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-bio-8443-exec-10, WRITE: TLSv1.2 Alert, length = 2
http-bio-8443-exec-10, called closeSocket()
http-bio-8443-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
http-bio-8443-exec-10, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
http-bio-8443-exec-10, called close()
http-bio-8443-exec-10, called closeInternal(true)

When the certificate is present in the browser store:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN>
*** ServerHelloDone
http-bio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 1504
http-bio-8443-exec-3, READ: TLSv1.2 Handshake, length = 1247
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=client@clientboss.org, CN=client, OU=clientboss, O=client boss, L=bng, ST=ka, C=in
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 28632453992003431308915057706872593510827517481645176167926299596175388758364475388282973862780043525858628044314596282467149011086426793445608130577955324107891088141707834114383829274495458679055679534162696112905173150434463742848918480552822337987796140398151985164856125750513570841056135410235400373584276647404249334190718247108789459533624236506201184258830704869791048114520941758364485115072957575259760369673257402633308683304933495211104494746578922374021151983094620317725008850265643603908594096873957992013696420211357274147343040148174076085536080587875591891218216008897086438638059125110840536055577
  public exponent: 65537
  Validity: [From: Tue May 27 15:58:23 IST 2014,
               To: Wed May 27 15:58:23 IST 2015]
  Issuer: EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN
  SerialNumber: [    04]

Edit: got it working. Finally got it to work: on the client side I had not registered a keystore that holds the client's self-signed certificate.

    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLContexts;
    import org.apache.http.conn.ssl.TrustSelfSignedStrategy;

    // Trust own CA and all self-signed certs
    SSLContext sslcontext = SSLContexts.custom()
            .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
            .loadKeyMaterial(trustStore, "changeit".toCharArray()) // this is needed: without key material no client certificate is sent
            .build();

Client debug log after the change:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN>
[read] MD5 and SHA1 hashes:  len = 145
0000: 0D 00 00 8D 03 01 02 40   00 87 00 85 30 81 82 31  .......@....0..1
0010: 0B 30 09 06 03 55 04 06   13 02 49 4E 31 0B 30 09  .0...U....IN1.0.
0020: 06 03 55 04 08 0C 02 4B   41 31 12 30 10 06 03 55  ..U....KA1.0...U
0030: 04 07 0C 09 62 61 6E 67   61 6C 6F 72 65 31 10 30  ....bangalore1.0
0040: 0E 06 03 55 04 0A 0C 07   43 41 20 42 6F 73 73 31  ...U....CA Boss1
0050: 0B 30 09 06 03 55 04 0B   0C 02 63 61 31 10 30 0E  .0...U....ca1.0.
0060: 06 03 55 04 03 0C 07 63   61 61 64 6D 69 6E 31 21  ..U....caadmin1!
0070: 30 1F 06 09 2A 86 48 86   F7 0D 01 09 01 16 12 63  0...*.H........c
0080: 61 61 64 6D 69 6E 40 63   61 62 6F 73 73 2E 6F 72  aadmin@caboss.or
0090: 67                                                 g
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
matching alias: client
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=client@clientboss.org, CN=client, OU=clientboss, O=client boss, L=bng, ST=ka, C=in
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 28632453992003431308915057706872593510827517481645176167926299596175388758364475388282973862780043525858628044314596282467149011086426793445608130577955324107891088141707834114383829274495458679055679534162696112905173150434463742848918480552822337987796140398151985164856125750513570841056135410235400373584276647404249334190718247108789459533624236506201184258830704869791048114520941758364485115072957575259760369673257402633308683304933495211104494746578922374021151983094620317725008850265643603908594096873957992013696420211357274147343040148174076085536080587875591891218216008897086438638059125110840536055577
  public exponent: 65537
  Validity: [From: Tue May 27 15:58:23 IST 2014,
               To: Wed May 27 15:58:23 IST 2015]
  Issuer: EMAILADDRESS=caadmin@caboss.org, CN=caadmin, OU=ca, O=CA Boss, L=bangalore, ST=KA, C=IN
  SerialNumber: [    04]
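The following is an added example, not code from the question or from HttpClient's own ClientCustomSSL sample. It targets HttpClient 4.3 (the version the linked example is written against; in 4.4+ `SSLContexts` and `TrustStrategy` moved to `org.apache.http.ssl`) and assumes the file names cacert.jks / client.jks and the password changeit from the question. It does two things the question's log makes worth doing: before opening the connection it runs the same alias selection that JSSE performs on `CertificateRequest` (the "matching alias: client" line), so a keystore without a private-key entry issued by the requested CA fails with a readable message instead of an empty "*** Certificate chain" and a `bad_certificate` alert; and it loads the trust material with plain PKIX validation against the CA rather than `TrustSelfSignedStrategy`, which accepts any self-signed server certificate and is not needed when the server certificate is issued by the CA in cacert.jks.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class MutualTlsClient {

    // Assumed to match the question's setup (hypothetical paths, adapt as needed).
    private static final String TRUST_STORE_PATH = "cacert.jks";  // CA certificate only
    private static final String CLIENT_STORE_PATH = "client.jks"; // client private key + certificate
    private static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // The issuers a server whose truststore is this CA lists under "Cert Authorities".
    static Principal[] acceptedIssuers(KeyStore trustStore) throws Exception {
        List<Principal> issuers = new ArrayList<>();
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            X509Certificate ca = (X509Certificate) trustStore.getCertificate(e.nextElement());
            if (ca != null) issuers.add(ca.getSubjectX500Principal());
        }
        return issuers.toArray(new Principal[0]);
    }

    // Same selection JSSE performs on CertificateRequest. A null result is what
    // later shows up as an empty Certificate chain and "null cert chain" on the server.
    static String chooseClientAlias(KeyStore clientStore, char[] keyPassword,
                                    Principal[] issuers) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseClientAlias(
                        new String[] {"RSA", "DSA", "EC"}, issuers, null);
            }
        }
        return null;
    }

    // Trust only the CA in cacert.jks (standard PKIX validation, no self-signed
    // shortcut) and present the private-key entry from client.jks.
    static SSLContext buildContext(KeyStore trustStore, KeyStore clientStore, char[] keyPassword)
            throws Exception {
        return SSLContexts.custom()
                .loadTrustMaterial(trustStore, (TrustStrategy) null)
                .loadKeyMaterial(clientStore, keyPassword)
                .build();
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadStore(TRUST_STORE_PATH, PASSWORD);
        KeyStore clientStore = loadStore(CLIENT_STORE_PATH, PASSWORD);

        // Pre-flight check: fail with a readable message instead of a bad_certificate alert.
        String alias = chooseClientAlias(clientStore, PASSWORD, acceptedIssuers(trustStore));
        if (alias == null) {
            throw new IllegalStateException(CLIENT_STORE_PATH
                    + " has no private-key entry issued by a CA in " + TRUST_STORE_PATH);
        }
        System.out.println("client certificate alias that will be presented: " + alias);

        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                buildContext(trustStore, clientStore, PASSWORD));
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build()) {
            HttpGet get = new HttpGet("https://localhost:8443/");
            try (CloseableHttpResponse response = client.execute(get)) {
                System.out.println(response.getStatusLine());
                EntityUtils.consume(response.getEntity());
            }
        }
    }
}
```

The pre-flight check is the code-level equivalent of the question's own diagnosis: `loadKeyMaterial` only sends a certificate when the keystore it is given contains a PrivateKeyEntry whose issuer is one of the CAs in the server's `CertificateRequest`. A truststore that holds only trustedCertEntry entries, or a client certificate signed by a different CA than the one Tomcat trusts, yields no alias, an empty chain on the wire, and the `bad_certificate` / `null cert chain` pair seen in the logs. Keeping the client key in client.jks and the CA in cacert.jks, as the example does, also keeps the private key out of the store that is handed to `loadTrustMaterial`.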

0 answers:

No answers