我遇到SSLHandshake问题。我有一个应用程序,它使用jdk 1.8.0_60部署在Weblogic 12.1.3中。当应用程序调用外部服务时,我收到 javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure 。具有相同身份和信任存储的相同应用程序正在使用jdk 1.6在Weblogic 10.3.5 / 10.3.6上工作。
在similer问题链接SSLHandshake中提到的答案,答案中的第4点适用于客户端证书链在请求中为空的情况。
我只是不知道为什么在Weblogic 12.1.3中请求为空,但在10.3.5 / 10.3.6中它不是空的。
身份证明
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nemid
Creation date: Nov 11, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: XXXXXXX
Issuer: CN=TRUST2408 Systemtest XIX CA, O=TRUST2408, C=DK
Serial number: xxxxxx
Valid from: Tue Nov 11 15:43:57 IST 2014 until: Sat Nov 11 15:42:03 IST 2017
Certificate fingerprints:
MD5: 29:3B:D0:EC:05:86:3F:07:52:CA:24:43:E8:14:B9:AC
SHA1: 41:4F:AD:4E:C1:63:7F:B6:6A:62:40:DC:95:90:09:84:EA:4C:65:AB
SHA256:
2A:C2:30:11:F2:35:8A:11:A8:56:55:
F0:11:A6:41:22:36:00:0F:5D:45:0E:C9:16:8D:11:DA :03:EF:09:AA:BB
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
堆栈跟踪中的证书链
ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without
client authentication
***Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes: len = 269
堆栈跟踪中的错误消息
[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default
(self- tuning)', READ: TLSv1 Alert, length = 2
[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default
(self-tuning)', RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default
(self-tuning)', called closeSocket()
[ACTIVE] ExecuteThread: '15' for queue: 'weblogic.kernel.Default
(self-tuning)',
handling exception:
**javax.net.ssl.SSLHandshakeException:Received**
**fatal alert: handshake_failure**
<Mar 23, 2016 3:32:38 PM IST>
<Warning><org.apache.cxf.phase.PhaseInterceptorChain>
<BEA-000000> <Interceptor for {http://localhost/}
pidwsdoc# {http://localhost/}pid has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
我是否需要为jdk 1.8重新生成密钥库文件? 请让我知道我错过了什么。
更新了堆栈跟踪
Found trusted certificate:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities**:<CN=PKI Light PreProduction CA, O=Nets, C=DK>
<CN=TRUST2408Systemtest XIX CA, O=TRUST2408, C=DK>
<CN=TRUST2408 Systemtest VIII CA, O=TRUST2408, C=DK>
<CN=TRUST2408 Systemtest VII Primary CA, O=TRUST2408, C=DK>**
[read] MD5 and SHA1 hashes: len = 313
0000: 0D 00 01 35 03 01 02 40 01 2F 00 43 30 41 31 0B ...5...@./.C0A1.
0010: 30 09 06 03 55 04 06 13 02 44 4B 31 0D 30 0B 06 0...U....DK1.0..
0020: 03 55 04 0A 13 04 4E 65 74 73 31 23 30 21 06 03 .U....Nets1#0!..
0030: 55 04 03 13 1A 50 4B 49 20 4C 69 67 68 74 20 50 U....PKI Light P
0040: 72 65 50 72 6F 64 75 63 74 69 6F 6E 20 43 41 00 reProduction CA.
0050: 49 30 47 31 0B 30 09 06 03 55 04 06 13 02 44 4B I0G1.0...U....DK
0060: 31 12 30 10 06 03 55 04 0A 0C 09 54 52 55 53 54 1.0...U....TRUST
0070: 32 34 30 38 31 24 30 22 06 03 55 04 03 0C 1B 54 24081$0"..U....T
0080: 52 55 53 54 32 34 30 38 20 53 79 73 74 65 6D 74 RUST2408 Systemt
0090: 65 73 74 20 58 49 58 20 43 41 00 4A 30 48 31 0B est XIX CA.J0H1.
00A0: 30 09 06 03 55 04 06 13 02 44 4B 31 12 30 10 06 0...U....DK1.0..
00B0: 03 55 04 0A 0C 09 54 52 55 53 54 32 34 30 38 31 .U....TRUST24081
00C0: 25 30 23 06 03 55 04 03 0C 1C 54 52 55 53 54 32 %0#..U....TRUST2
00D0: 34 30 38 20 53 79 73 74 65 6D 74 65 73 74 20 56 408 Systemtest V
00E0: 49 49 49 20 43 41 00 51 30 4F 31 0B 30 09 06 03 III CA.Q0O1.0...
00F0: 55 04 06 13 02 44 4B 31 12 30 10 06 03 55 04 0A U....DK1.0...U..
0100: 13 09 54 52 55 53 54 32 34 30 38 31 2C 30 2A 06 ..TRUST24081,0*.
0110: 03 55 04 03 13 23 54 52 55 53 54 32 34 30 38 20 .U...#TRUST2408
0120: 53 79 73 74 65 6D 74 65 73 74 20 56 49 49 20 50 Systemtest VII P
0130: 72 69 6D 61 72 79 20 43 41 rimary CA
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
***
**Certificate chain**
<Empty>
***
密钥库和信任库
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\software\JDK18~1.0_6\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc.,C=US
Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc.,C=US
Algorithm: RSA; Serial number: 0xc3517
Valid from Mon Jun 21 09:30:00 IST 1999 until Mon Jun 22 09:30:00 IST 2020
同样添加了多个证书 在添加最后一个证书之后,我在跟踪线下面
trigger seeding of SecureRandom
done seeding SecureRandom
trustStore is: C:\software\JDK18~1.0_6\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc.,C=US
Issuer: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc.,C=US
Algorithm: RSA; Serial number: 0xc3517
Valid from Mon Jun 21 09:30:00 IST 1999 until Mon Jun 22 09:30:00 IST 2020
并添加了相同的多个证书.. 然后我有下线
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
还有以上更多...... 在上面的行后我有客户问候
ClientHello,TLSv1 RandomCookie:GMT:1442483270字节.... 会话ID:{} 密码套房:[TLS_RSA_WITH_AES_128_CBC_SHA] 压缩方法:{0} 扩展server_name,server_name: [type = host_name(0),value = url appln想要连接] 扩展renegotiation_info,renegotiated_connection: