我已经被困了几天了,我已经检查了几个答案(this,this,this,this,{{ 3}},this,this,this),但我无法解决我的问题。我是SSL新手,我的组织中似乎没有其他任何人这样做过。
背景
我们目前在零售商店有一组终端通过SSL连接到服务器。连接包括客户端身份验证。我的组织充当CA并发布了cacert.crt证书,并用它来签署服务器的证书和所有客户终端的一个证书。终端当前可以正常使用服务器,但是我无法从支持环境的人那里获得有关当前连接或配置的详细信息......似乎系统是多年前从供应商的组合中购买的,并且知识已经丢失。我目前正在尝试开发一个可以在现有终端之外与服务器通信的独立客户端。
问题
我开发了一个非常简单的Java SSL客户端,以便更好地理解SSL配置,并了解在连接时需要引用证书和密钥的位置和方式。不幸的是,我无法成功连接到服务器,我不确定有什么问题或者还有什么要检查。
我已经能够生成SSL连接的调试日志(附在下面)。我也能够通过运行openssl的s_client函数生成一个日志,但我不熟悉这个工具,所以我不确定它告诉我的是什么。我附上了所有代码和日志,我希望你能为我提供一些有关问题的见解。
由于我是SSL的新手,我不确定我是否提供了所有相关信息。如果您需要任何进一步的信息,请与我们联系。
简单Java客户端
public class Client {
private static String serverIP = "{snip: server IP}";
private static int serverPort = {snip: port number};
public static void main(String[] arstring) {
try {
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(Client.serverIP, Client.serverPort);
InputStream inputstream = System.in;
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
OutputStream outputstream = sslsocket.getOutputStream();
OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream);
BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter);
String string = null;
while ((string = bufferedreader.readLine()) != null) {
bufferedwriter.write(string + '\n');
bufferedwriter.flush();
}
} catch (Exception exception) {
exception.printStackTrace();
}
}
}
SSL调试日志
java -Djavax.net.ssl.trustStore=ca_only.jks -Djavax.net.ssl.keyStore=keystore.jks -Djavax.net.debug=ssl,handshake -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password Client
keyStore is : keystore.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : 1
chain [0] = [
[
Version: V3
Subject: CN=Server, O=Organization, ST=ON, C=CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: {snipped due to post length}
public exponent: 65537
Validity: [From: Wed Jul 04 11:17:50 CDT 2012,
To: Mon Jul 04 11:17:50 CDT 2022]
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
SerialNumber: [ b7ccceda 64ef4eb7]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 43 EF 2E E1 B8 E6 01 C4 65 E1 E3 38 CE DA 86 C7 C.......e..8....
0010: BE 93 65 BA ..e.
]
]
]
Algorithm: [SHA1withRSA]
Signature:
{snipped due to post length}
]
***
trustStore is: ca_only.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=DEV2008, O=Organization, ST=ON, C=CA
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
Algorithm: RSA; Serial number: 0xb7ccceda64ef4eb3
Valid from Wed Sep 10 10:10:25 CDT 2008 until Sun Sep 10 10:10:25 CDT 2028
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
testText
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1388847103 bytes = { 81, 210, 193, 47, 1, 40, 31, 209, 31, 74, 153, 216, 224, 141, 29, 4, 49, 162, 216, 34, 206, 202, 42, 228, 204, 73, 106, 208 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect5
71r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 149
main, READ: SSLv3 Handshake, length = 74
*** ServerHello, SSLv3
RandomCookie: GMT: 1385163043 bytes = { 125, 48, 211, 49, 203, 23, 208, 161, 188, 43, 152, 33, 160, 32, 20, 163, 66, 19, 136, 90, 152, 42, 154, 53, 208, 175, 39, 177 }
Session ID: {162, 201, 116, 199, 55, 245, 172, 195, 38, 102, 80, 124, 35, 60, 29, 218, 112, 86, 108, 44, 8, 212, 102, 73, 102, 68, 212, 246, 165, 233, 2, 31}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
main, READ: SSLv3 Handshake, length = 1980
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Server, O=Organization, ST=ON, C=CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: {snipped due to post length}
public exponent: 65537
Validity: [From: Wed Jul 04 11:15:51 CDT 2012,
To: Mon Jul 04 11:15:51 CDT 2022]
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
SerialNumber: [ b7ccceda 64ef4eb6]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 01 98 19 F0 74 48 DB CF 55 D0 1B 9B A3 C8 04 61 ....tH..U......a
0010: 50 03 F9 F6 P...
]
]
]
Algorithm: [SHA1withRSA]
Signature: {snipped due to post length}
]
chain [1] = [
[
Version: V3
Subject: CN=DEV2008, O=Organization, ST=ON, C=CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: {snipped due to post length}
public exponent: 65537
Validity: [From: Wed Sep 10 10:10:25 CDT 2008,
To: Sun Sep 10 10:10:25 CDT 2028]
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
SerialNumber: [ b7ccceda 64ef4eb3]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
[CN=DEV2008, O=Organization, ST=ON, C=CA]
SerialNumber: [ b7ccceda 64ef4eb3]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
]
]
Algorithm: [SHA1withRSA]
Signature: {snipped due to post length}
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=DEV2008, O=Organization, ST=ON, C=CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: {snipped due to post length}
public exponent: 65537
Validity: [From: Wed Sep 10 10:10:25 CDT 2008,
To: Sun Sep 10 10:10:25 CDT 2028]
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
SerialNumber: [ b7ccceda 64ef4eb3]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
[CN=DEV2008, O=Organization, ST=ON, C=CA]
SerialNumber: [ b7ccceda 64ef4eb3]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
]
]
Algorithm: [SHA1withRSA]
Signature: {snipped due to post length}
]
main, READ: SSLv3 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: 1
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Server, O=Organization, ST=ON, C=CA
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: {snipped due to post length}
public exponent: 65537
Validity: [From: Wed Jul 04 11:17:50 CDT 2012,
To: Mon Jul 04 11:17:50 CDT 2022]
Issuer: CN=DEV2008, O=Organization, ST=ON, C=CA
SerialNumber: [ b7ccceda 64ef4eb7]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 92 53 99 09 EB 73 6D 6D 45 8E 84 35 C5 11 77 ..S...smmE..5..w
0010: 7A 41 C9 10 zA..
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 43 EF 2E E1 B8 E6 01 C4 65 E1 E3 38 CE DA 86 C7 C.......e..8....
0010: BE 93 65 BA ..e.
]
]
]
Algorithm: [SHA1withRSA]
Signature:
{snipped due to post length}
]
***
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
main, WRITE: SSLv3 Handshake, length = 1221
SESSION KEYGEN:
{snipped because I'm not sure if this is sensitive or not}
*** CertificateVerify
main, WRITE: SSLv3 Handshake, length = 262
main, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 159, 145, 181, 103, 3, 219, 244, 50, 1, 137, 254, 25, 166, 118, 40, 186, 196, 23, 254, 184, 250, 137, 29, 171, 163, 153, 126, 193, 226, 134, 145, 9, 137, 16, 90, 178 }
***
main, WRITE: SSLv3 Handshake, length = 64
main, READ: SSLv3 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at sun.nio.cs.StreamEncoder.writeBytes(Unknown Source)
at sun.nio.cs.StreamEncoder.implFlushBuffer(Unknown Source)
at sun.nio.cs.StreamEncoder.implFlush(Unknown Source)
at sun.nio.cs.StreamEncoder.flush(Unknown Source)
at java.io.OutputStreamWriter.flush(Unknown Source)
at java.io.BufferedWriter.flush(Unknown Source)
at Client.main(Client.java:33)
OpenSSL s_client状态日志 正如我上面提到的,我不确定这个工具告诉我什么,或者我是否正确运行它。
openssl.exe s_client -connect {serverIP}:{serverPort} -cert client.cer -key client.key -cipher AES128-SHA -state
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for client.key:
Loading 'screen' into random state - done
CONNECTED(000000E0)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CA, ST = ON, O = Organization, CN = DEV2008
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CA/ST=ON/O=Organization/CN=Server
i:/C=CA/ST=ON/O=Organization/CN=DEV2008
1 s:/C=CA/ST=ON/O=Organization/CN=DEV2008
i:/C=CA/ST=ON/O=Organization/CN=DEV2008
---
Server certificate
-----BEGIN CERTIFICATE-----
{snipped due to post length}
-----END CERTIFICATE-----
subject=/C=CA/ST=ON/O=Organization/CN=Server
issuer=/C=CA/ST=ON/O=Organization/CN=DEV2008
---
No client certificate CA names sent
---
SSL handshake has read 2157 bytes and written 1672 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES128-SHA
Session-ID: E6EB30E4E24114A59436063BE2A732B3CBF6F47A57AA34CFBFB584FC1517F5D9
Session-ID-ctx:
Master-Key: 86307078588C268CDCFCD6B9ABBD55DC8C0A61E900384D3FF99091E030EF9C831B61A880D33313D0DCC7C6688507790A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1405627491
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0
SSL3 alert write:warning:close notify
我注意到在SSL调试日志的CertificateRequest部分中,证书颁发机构列表是“”。我在一个问题中读到这是服务器的配置问题,但情况并非如此,因为当前终端没有问题。我还在另一个问题中读到,这取决于实施,可能是允许的。我不确定哪个是真的,但我确定终端当前能够连接到服务器,而我的测试客户端无法连接。
你知道我做错了什么,当我尝试连接时,我得到握手和失败吗?
感谢您提供的任何帮助。
答案 0 :(得分:2)
我注意到很多&#34;忽略不支持的xxxx协议&#34;在你的调试中。如果你添加;
socket.setEnabledProtocols(new String[]{"SSLv3", "TLSv1"});
到您的代码,这应解决握手问题。