Jetty发送的SSL证书与密钥库中配置的不同

时间:2015-08-30 06:49:50

标签: ssl https jetty keystore jetty-9

Jetty 9.3.1.v20150714配置了包含3个证书的密钥库:服务器证书,CA证书和GeoTrust根证书。

使用keytool -list -keystore jetty/etc/keystore -storetype pkcs12显示它具有这些证书 - 

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 4 entries

jetty, Aug 29, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A3:...:10
root, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
ca, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24
server, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 20:...:E3

当服务器加载时,日志显示它加载证书 - 

2015-08-30 05:32:47 main ServerConnector [INFO] Started ServerConnector@34849eef{HTTP/1.1,[http/1.1, h2c, h2c-17, h2c-16, h2c-15, h2c-14]}{0.0.0.0:8080}
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=jetty cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=root cn=GeoTrust Global CA in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate SAN alias=server cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [INFO] x509={example.com=server} wild={} alias=null for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] managers=[sun.security.ssl.SunX509KeyManagerImpl@36c54a56] for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)

但是当尝试使用HTTPS连接服务器时,由于错误(自签名)证书而失败。

使用openssl s_client -connect example.com:443返回检查返回的证书 - 

CONNECTED(00000003)
depth=0 C = ..., CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ..., CN = example.com
verify return:1
---
Certificate chain
 0 s:/C=.../CN=example.com
   i:/C=.../CN=example.com
---

这仅显示1个自签名证书,而不是密钥库中的证书。尝试向服务器发送HTTPS命令时,它会显示在日志中 - 

2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Customize 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Enable SNI matching 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matches=type=host_name (0), value=example.com for org.eclipse.jetty.util.ssl.SslContextFactory$AliasSNIMatcher@22497dda
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matched example.com->server
2015-08-30 06:06:52 qtp1579572132-16 HttpParser [WARN] parse exception: java.lang.IllegalStateException: too much data seeking EOF in CLOSE for HttpChannelOverHttp@37b97125{r=1,c=false,a=IDLE,uri=-}

我确保通过关闭它来连接到正确的服务器,然后得到CONNECTION REFUSED,还尝试删除密钥库文件并且服务器无法加载,这意味着它使用了正确的文件。

这个自签名的1长证书链来自哪里?服务器是否可以定义两个密钥库?

更新

使用openssl s_client和所有3个证书正确显示了使用其他(工作)密钥库替换密钥库。

这意味着问题出在原始密钥库中,如上图所示它有3个公共证书,但openssl只输出1个自签名证书。

以下是用于生成密钥库的命令 - 

keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -alias jetty
keytool -certreq -alias jetty -keystore keystore.p12 -storetype pkcs12 -file jetty.csr -keyalg RSA

# send CSR file to a CA for signing. got back 3 CRT files.

keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt 
keytool -import -alias ca -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias server -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt

1 个答案:

答案 0 :(得分:1)

Keystore构建错误。

添加到密钥库的最后一个条目具有别名server,而不是 jetty ,这是私钥的别名。执行此操作无法识别对私钥的证书回复。

要解决此问题,我已从密钥库中删除了所有证书,并添加了正确的别名。

keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt 
keytool -import -alias inter -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias jetty -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt

在最后一个命令之后,keytool将以Certificate reply was installed in keystore响应,表示它识别出服务器证书响应。

我不确定它是否有影响,但我没有调用CA的中间证书ca,而是在工作密钥库中将其称为inter,我不是&# 39;不要认为这是必要的,但如果确实如此,那就值得一提。

相关问题
最新问题