在我们的QC服务器上,我们完成了以下步骤:
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name some-alias -CAfile ca.crt -caname root
keytool -importkeystore -deststorepass changeit -destkeypass changeit
-destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass
changeit -alias server
(CAfile从未创建,所以尚未使用它。)
这些步骤是基于SO引用完成的:
1 / importing an existing x509 certificate and private key in Java keystore to use in ssl
此外,我使用/测试了来自Altassian(https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.java?version=1&modificationDate=1236556497004&api=v2)的SSLPoke实用程序,并且在同一台服务器上似乎也可以使用以下命令:
java -Djavax.net.ssl.keyStore=server.keystore
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=all SSLPoke
facebook.com 443
问题在于apache + tomcat,当通过java代码建立到https://graph.facebook.com的连接时抛出了所述异常。
如何克服此异常?
以下是server.keystore中的facebook certificat列表:
#keytool -list -v -keystore server.keystore -alias facebook.com
Enter keystore password:
Alias name: facebook.com
Creation date: 17 Jun, 2014
Entry type: trustedCertEntry
Owner: CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=CA, C=US
Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 771430e2db21fb0b295cdb959c98454
Valid from: Sat Mar 01 05:30:00 IST 2014 until: Mon Apr 13 17:30:00 IST 2015
Certificate fingerprints:
MD5: D3:A6:3C:18:15:C6:4B:BB:BE:75:7B:AC:ED:7D:2B:80
SHA1: BD:01:2A:89:B2:CC:9E:49:F8:1F:47:BF:BD:52:DE:48:A0:4E:D3:AB
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A4 5F 2C 39 02 78 AE 38 57 D1 42 5D 3B 43 CE 4F ._,9.x.8W.B];C.O
0010: AF F0 97 72 ...r
]
]
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.digicert.com,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt]
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ca3-g27.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ca3-g27.crl]
]]
#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
]
#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 50 EA 73 89 DB 29 FB 10 8F 9E E5 01 20 D4 DE 79 P.s..)...... ..y
0010: 99 48 83 F7 .H..
]
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.facebook.com
DNSName: facebook.com
DNSName: *.fbsbx.com
DNSName: *.fbcdn.net
DNSName: *.xx.fbcdn.net
DNSName: *.xy.fbcdn.net
]
#
答案 0 :(得分:0)
原来我们遇到了防火墙问题。
我们的QC服务器在facebook下被阻止了IP。 谷歌的SSLPoke没有显示任何错误,而由于从内部防火墙返回ping,因此facebook显示无效证书,因此graph.facebook.com的证书例外,找不到名称。