javax.net.ssl.SSLHandshakeException:收到致命警报:unknown_ca

时间:2015-03-10 07:52:28

标签: java ssl keystore self-signed truststore

我必须通过SSL双重身份验证连接到服务器。我已将自己的私钥加证书添加到 keystore.jks ,并将服务器的自签名证书添加到 truststore.jks ,这两个文件都复制到/ usr /分享/ tomcat7。我的代码使用的套接字工厂由以下提供商提供:

@Singleton
public static class SecureSSLSocketFactoryProvider implements Provider<SSLSocketFactory> {
    private SSLSocketFactory sslSocketFactory;

    public SecureSSLSocketFactoryProvider() throws RuntimeException {
        try {
            final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            final InputStream trustStoreFile = new FileInputStream("/usr/share/tomcat7/truststore.jks");
            trustStore.load(trustStoreFile, "changeit".toCharArray());
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            final InputStream keyStoreFile = new FileInputStream("/usr/share/tomcat7/keystore.jks");
            keyStore.load(keyStoreFile, "changeit".toCharArray());
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, "changeit".toCharArray());

            final SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

            this.sslSocketFactory = sslContext.getSocketFactory();

        } catch (final KeyStoreException e) {
            Log.error("Key store exception: {}", e.getMessage(), e);
        } catch (final CertificateException e) {
            Log.error("Certificate exception: {}", e.getMessage(), e);
        } catch (final UnrecoverableKeyException e) {
            Log.error("Unrecoverable key exception: {}", e.getMessage(), e);
        } catch (final NoSuchAlgorithmException e) {
            Log.error("No such algorithm exception: {}", e.getMessage(), e);
        } catch (final KeyManagementException e) {
            Log.error("Key management exception: {}", e.getMessage(), e);
        } catch (final IOException e) {
            Log.error("IO exception: {}", e.getMessage(), e);
        }
    }

    @Override
    public SSLSocketFactory get() {
        return sslSocketFactory;
    }
}

当我尝试连接到服务器上的端点时,我得到以下异常:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_45]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[na:1.7.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.7.0_45]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.7.0_45]

知道我错过了什么吗?

1 个答案:

答案 0 :(得分:12)

如果从服务器收到警报unknown_ca,则服务器不喜欢您作为客户端证书发送的证书,因为它不是由受信任的CA签署的。客户端证书的服务器。