我使用Apache HttpClientBuilder连接到在服务器上运行的REST webservice。客户端必须发送证书以进行验证,并在客户端的信任库中添加服务器证书。我使用选项-Djavax.net.ssl.keyStore,-Djavax.net.ssl.trustStore指定。
然而,我得到以下错误,任何线索?我不确定SSL握手是否成功,但日志中似乎ServerHelloDone和Found Certificate。
代码
HttpClient client = HttpClientBuilder.create().build();
HttpGet request = new HttpGet("https://testmachine.com/retrieve/path");
// add request header
request.addHeader(Constants.HTTP_HEADER_ACCEPT, Constants.MEDIA_TYPE_JSON);
// request to SERVER
HttpResponse response = client.execute(request);
日志
[write] MD5 and SHA1 hashes: len = 16
0000: 14 ........g...oJ..v...
Padded plaintext before ENCRYPTION: len = 32
0000: 14.......
0010: 5A.......
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Padded plaintext before ENCRYPTION: len = 18
0000: 02 .....@.y..A.
0010: 31 8F 1.
main, WRITE: TLSv1 Alert, length = 18
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Apr 18, 2016 1:52:17 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://testmachine.com:443: Software caused connection abort: recv failed
Apr 18, 2016 1:52:17 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://testmachine.com:443
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
答案 0 :(得分:0)
看起来似乎没有从日志中读取keystore。我怀疑这是因为我keystore内的证书是“。 p12 ”格式并且有自己的密码。因此,我必须明确加载keystore和truststore并构建SSLContext才能使其正常运行。
需要注意的一件重要事情是privateKeyPassword您必须提供certificate密码(而不是用于保护密钥条目的keystore密码)。
.loadKeyMaterial(keyStore, privateKeyPassword.toCharArray())
以下是解释该问题的部分代码。
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream keyStream = new FileInputStream(keystoreFile);
try {
keyStore.load(keyStream, keystorePassword.toCharArray());
} catch (Exception ex) {
System.err.println("Failed to load keystore: " + ex.toString());
return;
} finally {
try {
keyStream.close();
} catch (Exception ignore) {
}
}
// load keystore and truststore
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(truststoreFile, truststorePassword.toCharArray(),
new TrustSelfSignedStrategy())
.loadKeyMaterial(keyStore, privateKeyPassword.toCharArray())
.build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslcontext,
new String[] { "TLSv1" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();