My end goal is to set up a RESTful service that requires two-way (mutual) authentication between client and server. To start, I thought I would set up one-way authentication to get the first half working, and then move on to two-way.
So I created a RESTful service that simply returns the word "Test" and exposed it. I generated a server public/private key pair, self-signed it (using Java keytool -genkeypair ....) and configured my RESTful service to use it. The service runs on MuleESB.
Now, before adding the new certificate to my client truststore, I thought I would test the service to check that I get a certificate error. Oddly, through a browser and through Postman I get the correct error: the browser complains that the certificate it received is not trusted (because I have not added the root CA to the truststore). However, when I test the service with SOAPUI, it works without complaining about anything. Can anyone help me explain why this is? I need SOAPUI to work, because when I move on to two-way authentication I want to be able to specify which certificate to use, which neither Postman nor browser testing offers.
When I run SOAPUI with SSL debugging on, I can see that it correctly receives my certificate. But why does it allow the connection to proceed?
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Thread-19, setSoTimeout(60000) called
11:09:31,437 DEBUG [HttpClientSupport$SoapUIHttpClient] Attempt 1 to execute request
11:09:31,437 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] Sending request: POST /tls_demo HTTP/1.1
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1430129115 bytes = { 169, 90, 188, 193, 157, 139, 108, 202, 210, 247, 133, 120, 10, 158, 27, 16, 64, 185, 132, 252, 160, 132, 134, 143, 10
7, 43 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, T
A_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SS
_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_
SA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409
9r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
Thread-19, WRITE: TLSv1 Handshake, length = 149
Thread-19, READ: TLSv1 Handshake, length = 1263
*** ServerHello, TLSv1
RandomCookie: GMT: 1430129115 bytes = { 53, 109, 252, 185, 170, 82, 228, 217, 216, 171, 31, 216, 97, 146, 131, 246, 22, 186, 112, 91, 84, 70, 120, 245, 133,
171 }
Session ID: {85, 62, 10, 219, 107, 202, 236, 196, 63, 241, 150, 1, 106, 39, 117, 228, 115, 228, 46, 184, 113, 246, 47, 221, 167, 189, 241, 113, 84, 206, 208,
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=localhost, O=XXX, L=London, ST=London, C=UK
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: ...
public exponent: 65537
Validity: [From: Sun Apr 26 13:34:47 BST 2015,
To: Sat Jul 25 13:34:47 BST 2015]
Issuer: CN=localhost, O=XXX, L=London, ST=London, C=UK
SerialNumber: [ 455a97e9]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
... n..^
]
]
]
Algorithm: [SHA256withRSA]
Signature:
...
]
***
*** ECDH ServerKeyExchange
Server key: Sun EC public key, 256 bits
public x coord: 68526603352329217636640245091574224497038239255373755817696844356233255971246
public y coord: 21112579998360783627101805895048744731921568253573017990269969136714373392408
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 89, 134, 56, 131, 220, 223, 187, 120, 151, 87, 126, 47, 86, 127, 171, 82, 53, 120, 167, 24, 61, 34, 71, 184, 249, 52, 80, 138, 14, 80
163, 158, 153, 90, 73, 82, 162, 196, 57, 200, 82, 29, 86, 66, 212, 100, 247, 225, 206, 59, 214, 212, 254, 184, 70, 251, 29, 169, 148, 209, 235, 153 }
Thread-19, WRITE: TLSv1 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 37 99 38 FE 85 E7 7B 4B 22 7B 84 4A 09 9E 56 4B 7.8....K"..J..VK
0010: 0F 30 30 BE A8 68 E6 83 E2 4A 26 86 14 1A 20 C6 .00..h...J&... .
CONNECTION KEYGEN:
Client Nonce:
0000: 55 3E 0A DB A9 5A BC C1 9D 8B 6C CA D2 F7 85 78 U>...Z....l....x
0010: 0A 9E 1B 10 40 B9 84 FC A0 84 86 8F 69 ED D9 2B ....@.......i..+
Server Nonce:
0000: 55 3E 0A DB 35 6D FC B9 AA 52 E4 D9 D8 AB 1F D8 U>..5m...R......
0010: 61 92 83 F6 16 BA 70 5B 54 46 78 F5 85 90 FE AB a.....p[TFx.....
Master Secret:
0000: E2 A8 93 EC 8F 94 D7 E4 D3 1E 5D C4 67 CB 04 D8 ..........].g...
0010: A3 DB 9A AA 62 AD A5 E9 82 69 A9 53 73 E9 A3 EA ....b....i.Ss...
0020: 19 70 2A CC B4 D9 73 A1 45 5D 0E 71 88 F2 87 39 .p*...s.E].q...9
Client MAC write Secret:
0000: 7E 59 8D 23 82 EA 68 09 D6 EB 61 A6 FA 09 83 CA .Y.#..h...a.....
0010: 82 55 A1 55 .U.U
Server MAC write Secret:
0000: 5E B6 5A AB 76 E7 ED 58 C3 F4 54 31 22 C4 17 25 ^.Z.v..X..T1"..%
0010: 7B FB 13 93 ....
Client write key:
0000: 3B A8 B0 59 BE 06 91 A0 49 E8 92 E9 0F 65 97 0D ;..Y....I....e..
Server write key:
0000: 4A 72 09 C2 44 86 3F A4 23 E3 97 44 93 87 6B D2 Jr..D.?.#..D..k.
Client write IV:
0000: 8F 97 2C D0 F2 40 A8 73 73 58 F1 2C A1 0C 9B 4A ..,..@.ssX.,...J
Server write IV:
0000: BC 6D DF 9D 3B 4D 36 60 9C 1F 42 E9 92 E1 DC E8 .m..;M6`..B.....
Thread-19, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 79, 84, 80, 98, 226, 179, 250, 217, 159, 48, 116, 201 }
***
Thread-19, WRITE: TLSv1 Handshake, length = 48
Thread-19, READ: TLSv1 Change Cipher Spec, length = 1
Thread-19, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 251, 97, 234, 50, 100, 163, 171, 163, 81, 10, 21, 147 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
Thread-19, WRITE: TLSv1 Application Data, length = 224
Thread-19, READ: TLSv1 Application Data, length = 896
11:09:31,701 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] Receiving response: HTTP/1.1 200 OK
Thread-19, READ: TLSv1 Application Data, length = 32
Thread-19, READ: TLSv1 Application Data, length = 32
Thread-19, called close()
Thread-19, called closeInternal(true)
Thread-19, SEND TLSv1 ALERT: warning, description = close_notify
Thread-19, WRITE: TLSv1 Alert, length = 32
Thread-19, called closeSocket(selfInitiated)
11:09:31,714 DEBUG [SoapUIMultiThreadedHttpConnectionManager$SoapUIDefaultClientConnection] Connection shut down
Thread-19, called close()
Thread-19, called closeInternal(true)
11:09:31,866 INFO [AbstractHttpRequestDesktopPanel] Got response for [https://localhost:8081.Tls_demo:Request 1] in 709ms (6 bytes)
Finalizer, called close()
Finalizer, called closeInternal(true)
Hoping someone can help.
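The behaviour the question is comparing (a client that trusts any server certificate versus one that validates it against a truststore) can be reproduced end to end in Go. This is an added example, not code from the question, SOAPUI or MuleESB; it generates a throwaway self-signed certificate in memory as a stand-in for the keytool one, serves HTTPS with it, and connects with three client policies: verification disabled, the platform trust store, and a trust store that contains only that certificate.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned is a constructed in-memory stand-in for the keytool -genkeypair certificate in the question.
func selfSigned() (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}} // httptest listens on 127.0.0.1
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Probe serves HTTPS behind that certificate and connects with three client policies: verification off
// (trusts anything), the platform trust store (what the browser used), and a store holding only this cert.
func Probe() (skipOK, defaultOK, unknownCA, pinnedOK bool) {
	cert, leaf := selfSigned()
	srv := httptest.NewUnstartedServer(http.NewServeMux()) // any handler will do; only the handshake matters
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	get := func(cfg *tls.Config) error { // one GET under the given client TLS policy
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	skipOK = get(&tls.Config{InsecureSkipVerify: true}) == nil
	err := get(&tls.Config{})
	// unknownCA distinguishes the expected "unknown authority" rejection from any other failure.
	defaultOK, unknownCA = err == nil, errors.As(err, new(x509.UnknownAuthorityError))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	pinnedOK = get(&tls.Config{RootCAs: pool}) == nil
	return
}
```

A client that succeeds in the first mode but not the second is accepting the certificate without validating it, which is the symptom the question describes; the third mode is what adding the certificate to the client truststore achieves.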
Answer 0 (score: 0)
I have run the same test and I can see that it does not care about the server certificate, even when I check "Client Authentication" in the SSL configuration.