Question

团队尝试使用HTTPS完成相互握手时遇到以下问题

main, READ: TLSv1.2 Handshake, length = 30
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA
Cert Authorities:
<Empty>
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

我的JAVA课程是以下

public class ClientCustomSSL {

    @SuppressWarnings("deprecation")
    public final static void main(String[] args) throws Exception {
        // Trust own CA and all self-signed certs
        final String CLIENT_KEYSTORE = "yourkeystore.jks";
        final String CLIENT_TRUSTSTORE = "catruststore.jks";
        final char[] KEYPASS_AND_STOREPASS_VALUE = "Hello1".toCharArray();


        System.setProperty("https.protocols", "TLSv1");

        //SSLContext sslcontext = SSLContexts.custom().loadKeyMaterial(keystore, keyPassword)(YK,"Hello1".toCharArray(),"Hello1".toCharArray()).loadTrustMaterial(CA, "Hello1".toCharArray(), (TrustStrategy) new TrustSelfSignedStrategy()).build();

        KeyStore clientTrustStore = getStore(CLIENT_TRUSTSTORE, KEYPASS_AND_STOREPASS_VALUE);
        KeyStore clientKeyStore = getStore(CLIENT_KEYSTORE, KEYPASS_AND_STOREPASS_VALUE);  


        SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(clientKeyStore, "Hello1".toCharArray()).loadTrustMaterial(clientTrustStore,(TrustStrategy) new TrustSelfSignedStrategy()).build();
       CloseableHttpClient httpclient = HttpClients.custom().setSSLContext(sslContext).build();

        System.out.println("SSLCONETXT   **** " + sslContext.getProvider());
        try {

            HttpGet httpget = new HttpGet("https://myserver:10220");

            CloseableHttpResponse response = httpclient.execute(httpget);

            try {
                System.out.println("Inside TRY blcok"); 
                HttpEntity entity = response.getEntity();
                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                EntityUtils.consume(entity);

            } catch (Exception e) {
                e.getMessage();
                e.printStackTrace();
            }
            finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }


    public static KeyStore getStore(final String storeFileName, final char[] password) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException 
    {
        final String JAVA_KEYSTORE = "jks";
        final KeyStore store = KeyStore.getInstance(JAVA_KEYSTORE);
        URL url = ClientCustomSSL.class.getClassLoader().getResource(storeFileName);
        String workingDir = System.getProperty("user.dir");
        System.out.println("Current working directory : " + workingDir);

        System.out.println("Value of URL *** " + url);
        InputStream inputStream = url.openStream();
        try {
            store.load(inputStream, password);
} finally {
    inputStream.close();
}

return store;
}

}

我正在准备一个jar文件并在UNIX框中测试它

使用以下命令 java -Djavax.net.debug = ssl -cp snSSLclientTrustWithStoreCCC.jar cassandra.cass.ClientCustomSSL

我跟着帖子了 why doesn't java send the client certificate during SSL handshake? 并完成了布鲁诺提到的所有步骤。

我不确定我在这里缺少什么。任何帮助将不胜感激

Answer 1

客户端无法在其密钥库中找到由CertificateRequest消息中提到的任何签名者直接或间接签名的证书。
原因是服务器没有在该消息中指定任何可信签名者。
这反过来意味着服务器的信任库是空的。

Answer 2

这实际上是TLS 1.0规范与TLS 1.1 / 1.2不同的领域。

特别是，以下内容已添加到Section 7.4.4 (Certificate Request) in TLS 1.1：

如果certificate_authorities列表为空，则客户端可以发送除非有，否则任何相应ClientCertificateType的证书是一些相反的外部安排。

所以空的证书颁发机构只是意味着客户可以自由地向服务器发送任何证书，服务器的内部规则可能接受也可能不接受。

Answer 3

我有类似的问题

ServerHelloDone
警告：未找到合适的证书-未经客户端身份验证即可继续

证书链

对我来说，问题是我没有正确创建密钥库：

keytool -importcert -keystore keystore.jks -alias client-cert -file client-cert.pem  -storepass password

帮助我的是：

openssl pkcs12 -export -chain -in client-cert.pem  -inkey client-key.pem  -out keystore.p12 -name client-cert -CAfile ca-cert.pem
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -alias client-cert

我在这里找到了这个解决方案： https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore

Answer 4

在我的情况下，问题出在我在装入密钥存储区时以null作为密码来传递：

KeyStore keyStore = KeyStore.getInstance("PKCS12")
InputStream inputStream = new FileInputStream('/path/to/mykeystore.p12')

try {
    keyStore.load(inputStream, null); // <-- PROBLEM HERE!
}
finally {
    inputStream.close();
}

这不会产生任何错误消息，但它默默地未能加载客户端密钥和证书。

解决方案是输入密码：

keyStore.load(inputStream as InputStream, 'mypassword'.toCharArray());

警告：找不到合适的证书 - 继续没有客户端身份验证

4 个答案: