Java not presenting a client certificate for mutual SSL?

Time: 2016-06-30 09:46:05

Tags: java spring ssl netscaler

I am trying to make a mutual SSL connection from a Java Spring Boot application to a NetScaler endpoint. I can connect as expected on the command line via OpenSSL with the following command:

openssl s_client -connect xxxx.xxxx.xxxx.xxx:443 -cert cert.cer -key private.key

which gives the following output:

CONNECTED(00000003)
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=XXXX XXXXX XXX/OU=Infrastructure Services/CN=sit1.xxxxxxx.xxxxxxx.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGEDCCBPigAwIBAgIQfcfqyYG0Xonen/ZVJX6uGzANBgkqhkiG9w0BAQsFADB+
...
/mYUOtT8fbbe1v+erDvbwbXikyE=
-----END CERTIFICATE-----
subject=/C=GB/ST=London/L=London/O=XXXX XXXXX XXX/OU=Infrastructure Services/CN=sit1.xxxxxxx.xxxxxxx.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Client Certificate Types: RSA sign, DSA sign
Requested Signature Algorithms: RSA+MD5:RSA+SHA1:RSA+SHA256:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:DSA+SHA1
---
SSL handshake has read 4672 bytes and written 2489 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: BFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0D
    Session-ID-ctx: 
    Master-Key: F7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX65
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467272199
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

To connect from the Java application, I combined the key and certificate from the cert.cer and private.key files into a keystore using the following command:

openssl pkcs12 -export -in cert.cer -inkey private.key -out keystore.p12

I start the Spring application with the following parameters:

-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStore=C:/opt/wtr-certs/keystore.p12
-Djavax.net.ssl.keyStorePassword=XXXXXXXXX

I can clearly see my keystore being loaded when the Java application attempts to connect, but it seems to fail when trying to present the client certificate to the server.

Loading the keystore:

trigger seeding of SecureRandom
done seeding SecureRandom
keyStore is : C:/opt/wtr-certs/keystore.p12
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
***
found key for : xxxx.xxxx.xxx.xxxxxxxx.xxx
chain [0] = [
[
  Version: V3
  Subject: CN=xxxx.xxxx.xxx.xxxxxxxx.xxx, OU=Infrastructure Services, O=XXXX XXXX XXX, L=London, ST=London, C=GB
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 
...

I believe the Java application is not presenting the certificate correctly, as shown in this part of the log:

*** CertificateRequest
Cert Types: RSA, DSS
Supported Signature Algorithms: MD5withRSA, SHA1withRSA, SHA256withRSA, SHA1withDSA
Cert Authorities:
<CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US>
<CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

There seems to be a similar, older question here: Java not sending client certificate, but it has no answers. How can I persuade Java to find and send the correct certificate? I can provide additional logging if required.
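The following diagnostic is an added example, not code from the question or from Spring. It loads the keystore with an explicit PKCS12 type, prints every key entry's chain (subject, issuer, key algorithm), and then asks the SunX509 key manager the same question JSSE asks it when the server's CertificateRequest arrives: given the key types (`RSA, DSS`) and the two CA names from the "Cert Authorities" block of the log above, which alias would be sent? A null result is exactly the condition behind "no suitable certificate found - continuing without client authentication", so the output shows whether the issuer of the stored chain matches one of the advertised CAs. The keystore path is the one from the question; the password is a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Reproduces the client-alias selection JSSE performs when it receives a CertificateRequest. */
public class ClientCertCheck {

    // Issuer names copied from the "Cert Authorities" block of the javax.net.debug log.
    // The SunX509 key manager only offers a key entry whose chain contains a
    // certificate issued by one of these names (or any entry if the list is empty).
    static final List<X500Principal> REQUESTED_CAS = Arrays.asList(
        new X500Principal("CN=VeriSign Class 3 Public Primary Certification Authority - G5, "
            + "OU=\"(c) 2006 VeriSign, Inc. - For authorized use only\", "
            + "OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US"),
        new X500Principal("CN=Symantec Class 3 Secure Server CA - G4, "
            + "OU=Symantec Trust Network, O=Symantec Corporation, C=US"));

    // Key types from the "Cert Types: RSA, DSS" line of the same log.
    static final String[] REQUESTED_KEY_TYPES = {"RSA", "DSA"};

    /** Loads the store with an explicit type instead of relying on the JVM default. */
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the issuer names in a key entry's chain that appear in the server's CA list. */
    static List<X500Principal> matchingIssuers(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) return Collections.emptyList();
        List<X500Principal> hits = new ArrayList<>();
        for (Certificate c : chain) {
            X500Principal issuer = ((X509Certificate) c).getIssuerX500Principal();
            if (REQUESTED_CAS.contains(issuer)) hits.add(issuer);
        }
        return hits;
    }

    /** Asks SunX509 which alias it would send; null means "no suitable certificate found". */
    static String chosenAlias(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        return km.chooseClientAlias(REQUESTED_KEY_TYPES,
            REQUESTED_CAS.toArray(new Principal[0]), null);
    }

    public static void main(String[] args) throws Exception {
        // Path from the question; the password is a placeholder to be supplied on the command line.
        String path = args.length > 0 ? args[0] : "C:/opt/wtr-certs/keystore.p12";
        char[] password = (args.length > 1 ? args[1] : "PLACEHOLDER_PASSWORD").toCharArray();

        KeyStore ks = loadPkcs12(path, password);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias " + alias + ": chain length " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject " + x.getSubjectX500Principal());
                System.out.println("  issuer  " + x.getIssuerX500Principal()
                    + "  key " + x.getPublicKey().getAlgorithm());
            }
            System.out.println("  issuers accepted by server: " + matchingIssuers(ks, alias));
        }
        System.out.println("SunX509 would send: " + chosenAlias(ks, password));
    }
}
```

Run it as `java ClientCertCheck C:/opt/wtr-certs/keystore.p12 <password>`. Two things worth reading off the output: whether the chain has only the leaf certificate or also the intermediate (a chain whose issuers do not include any advertised CA name yields a null alias), and whether the key algorithm is one the server listed. Separately, the log line `keyStore type is : jks` shows the JVM fell back to its default store type for a `.p12` file; the standard `-Djavax.net.ssl.keyStoreType=PKCS12` property makes the type explicit so that the load path seen in the debug output matches the file that was actually created.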

0 answers