I am running into a client authentication problem with JBoss 5.1 GA. What I am trying to do is client authentication with a self-generated, self-signed certificate. So I have a keystore my.keystore and a truststore my.truststore. I use the Java keytool. To generate the certificate I use the command:
keytool -genkey -alias test -keyalg RSA -validity 365 -keystore /mirrored/certs/my.keystore
To export this certificate I use the following command:
keytool -export -alias test -keystore /mirrored/certs/my.keystore -rfc -file /mirrored/certs/test.cert
After exporting the certificate to a file, I import it into the truststore with the following command:
keytool -import -alias test -file /mirrored/certs/test.cert -storetype JKS -keystore /mirrored/certs/my.truststore
As the owner of the certificate I use localhost.
JBoss 5.1 GA is configured in server.xml as follows:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8765" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"
keystoreFile="/mirrored/certs/my.keystore"
keystorePass="mypasswd" sslProtocol="TLS"
truststoreFile="/mirrored/certs/my.truststore"
truststorePass="mypasswd"/>
To test this configuration and the certificates I use openssl. First I verified the certificate above; the verification came out fine. Then I called my application server via openssl s_client, which I do with the following command:
openssl s_client -showcerts -CAfile test.cert -connect localhost:8765
After running it I get the following output:
openssl s_client -showcerts -CAfile test.cert -connect 10.180.10.74:8765
CONNECTED(00000003)
depth=0 C = DE, ST = Bremen, L = Bremen, O = Signalis, OU = localhost, CN = localhost
verify return:1
140477019141960:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL alert number 42
140477019141960:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
0 s:/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
i:/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgIEVCE7CTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJE
RTEPMA0GA1UECBMGQnJlbWVuMQ8wDQYDVQQHEwZCcmVtZW4xETAPBgNVBAoTCFNp
Z25hbGlzMRowGAYDVQQLExF1Z2QtYnJicmVmLXNlcnYtNzEaMBgGA1UEAxMRdWdk
LWJyYnJlZi1zZXJ2LTcwHhcNMTQwOTIzMDkxOTA1WhcNMTUwOTIzMDkxOTA1WjB6
MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQnJlbWVuMQ8wDQYDVQQHEwZCcmVtZW4x
ETAPBgNVBAoTCFNpZ25hbGlzMRowGAYDVQQLExF1Z2QtYnJicmVmLXNlcnYtNzEa
MBgGA1UEAxMRdWdkLWJyYnJlZi1zZXJ2LTcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAIxLY7onLN91UPIUesdwQxvbSSqFPnYXz5HnSaZx3dkqje+g6qOupqU7
4NP4dFgLbxMx6eqKkGAVVXQ7QEn/Ekp1w6Xncts2LM9FyFHUikBDZewwyvRGbIak
WW3vexpS8FMwmESPnJ+Bk1tHd2YJ0POWGt4FQfZ1u5FR4BQk72CJAgMBAAEwDQYJ
KoZIhvcNAQEFBQADgYEABk5Je4aoPuv1J06Vget40vHqs+rahSpoto39Flbp2JYz
y1UQPnp6o6alLtiOQcFI0iea0zXm8LMybkZTnvP7jj2//49KOmI0+RJx6cWj+cXi
qWJbK+C+8GcU+jJYwOwJrQgEl0Lr21ExebO5Is8kqQVdSiroT5KQsdPCCjKPqYc=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
issuer=/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
---
Acceptable client certificate CA names
/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=ugd-brbref-serv-7/CN=ugd-brbref-serv-7
---
SSL handshake has read 1420 bytes and written 170 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 542421BD481B93286D41F5BCB96272B668500E2D35C74862189BFEAF1FC4EE4C
Session-ID-ctx:
Master-Key:
ED17146FE586DE1A7F9E7272E1771293E964F242BF2187DF5329FFF0E3090C9B14B298CAFD13558A8F763444E6A53B5A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1411654077
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
So the error message in openssl is
SSL alert number 42
The error message in the JBoss log is:
2014-09-25 11:38:34,366 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] (http-0.0.0.0-8765-1) Handshake failed
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1369)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:160)
at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:633)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:662)
So the error message in JBoss is
null cert chain
I don't know what I am doing wrong. Am I doing it right in principle? First generate the certificate in the keystore, then export it and import it into the truststore. Does anyone have experience with client authentication in JBoss 5.1 GA? Or maybe I am using openssl the wrong way to test client authentication?
Answer 0 (score: 0)
The problem is in the openssl command: you need to export the private key and then run the command like this:
openssl s_client -connect localhost:8765 -CAfile test.cert -cert test.cert -key MYKEY.key
For details see the documentation for s_client(1) and s_server(1).
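The answer's command needs a PEM private key (MYKEY.key), but keytool never prints private keys, so the missing step is getting the key out of the JKS keystore built in the question. The script below is an added example, not code from the question or the answer: it converts the JKS entry to PKCS#12, splits it into PEM key and certificate with openssl, and then runs s_client once without and once with the client identity, classifying each handshake from the s_client output. It assumes the keystore path, alias and password from the question, a server on localhost:8765, and that keytool and openssl are on PATH; the file names client.p12, client.key and client.crt and the function names are this example's own choices. Because the question uses one self-signed certificate for both the server and the client, the exported certificate also serves as the -CAfile.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed inputs: the JKS
# keystore, alias and password from the question, and a JBoss connector
# listening on localhost:8765 with clientAuth="true".
KEYSTORE=${KEYSTORE:-/mirrored/certs/my.keystore}
ALIAS=${ALIAS:-test}
STOREPASS=${STOREPASS:-mypasswd}
HOST=${HOST:-localhost}
PORT=${PORT:-8765}

# keytool cannot export a private key directly, so copy the entry into a
# PKCS#12 bundle and let openssl split it into PEM key and certificate.
export_client_identity() {
    keytool -importkeystore \
        -srckeystore "$KEYSTORE" -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
        -destkeystore client.p12 -deststoretype PKCS12 \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" || return 1
    openssl pkcs12 -in client.p12 -passin "pass:$STOREPASS" \
        -nocerts -nodes -out client.key || return 1
    openssl pkcs12 -in client.p12 -passin "pass:$STOREPASS" \
        -nokeys -clcerts -out client.crt || return 1
    # The unencrypted key must not be world-readable.
    chmod 600 client.key client.p12
}

# Classify captured "openssl s_client" output. Prints one of:
#   no-client-cert   server answered with alert 42 ("bad certificate"):
#                    it required a client certificate and got none it trusts
#   ok               handshake completed and the server chain verified
#   untrusted-server handshake completed but the server chain did not verify
#   unknown          anything else (connection refused, truncated output, ...)
# The alert check comes first because, as in the question's output, s_client
# still prints "Verify return code: 0 (ok)" after the server aborted.
classify_handshake() {
    out=$1
    case $out in
        *"alert bad certificate"*|*"SSL alert number 42"*) echo no-client-cert ;;
        *"Verify return code: 0 (ok)"*) echo ok ;;
        *"Verify return code:"*) echo untrusted-server ;;
        *) echo unknown ;;
    esac
}

# Connect once without and once with the client identity so the two
# outcomes can be compared side by side. Empty stdin makes s_client exit
# as soon as the handshake (or its failure) is done.
probe() {
    printf 'without client cert: '
    classify_handshake "$(printf '' | openssl s_client -connect "$HOST:$PORT" \
        -CAfile client.crt 2>&1)"
    printf 'with client cert:    '
    classify_handshake "$(printf '' | openssl s_client -connect "$HOST:$PORT" \
        -CAfile client.crt -cert client.crt -key client.key 2>&1)"
}

# Usage: sh mtls_probe.sh run
# (the explicit argument keeps sourcing the file free of side effects)
if [ "${1:-}" = run ]; then
    export_client_identity && probe
fi
```

Expected readings against the question's setup: the first probe reports no-client-cert (the same alert 42 the question shows, matching JBoss's "null cert chain"), the second reports ok once the exported key and certificate are presented. If the second probe also reports no-client-cert, the certificate being presented is not the one in my.truststore, which is what the "Acceptable client certificate CA names" list in the s_client output lets you check.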