I am facing an issue with the SSL handshake: when I host the application on Tomcat the client does not present the client certificate, but the same code works fine in a standalone Java application. I thought it might be an issue with Tomcat not loading the keystore properly, so I followed https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to create a keystore and then added -Djavax.net.ssl.trustStore="C:\Users\xyz.keystore" -Djavax.net.ssl.trustStorePassword="changeit", but that did not resolve the issue. Not sure what I am missing here.
Application code:
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.xml.ws.BindingProvider;

// Load the client keystore and build an SSLContext whose key managers hold the client certificate
char[] passphrase = "abcd".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream("C:/goahead.jks")) {
    ks.load(in, passphrase);
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, passphrase);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), null, null); // default trust managers and SecureRandom
SSLSocketFactory socketFactory = ctx.getSocketFactory();

// Point the generated JAX-WS port at the endpoint and hand it the socket factory
String endpoint = "https://myurl/goahead";
BindingProvider bindingProvider = (BindingProvider) goSOAP; // goSOAP is derived from the WSDL SOAP class
bindingProvider.getRequestContext()
        .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
bindingProvider.getRequestContext()
        .put("com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory", socketFactory);
To compare the two logs I added debug logging for the ssl handshake, and the only difference I see is the following. The Tomcat application shows:
Accept: application/soap+xml, multipart/related
Content-Type: application/soap+xml; charset=utf-8;action="/Address"
User-Agent: JAX-WS RI 2.2.10 svn-revision#919b322c92f13ad085a933e8dd6dd35d4947364b
The standalone application shows:
Accept: [application/soap+xml, multipart/related]
Content-Type: [application/soap+xml; charset=utf-8;action="/Address"]
User-Agent: [JAX-WS RI 2.2.4-b01]
Near the end, the standalone application shows:
*** ServerHelloDone
matching alias: goaheaduat
*** Certificate chain
The Tomcat-based application has no matching alias:
No client certificate has been presented to the server for authentication.
*** My certificate chain
found key for : goaheaduat
chain [0] = [
[
  Version: V3
  Subject: CN=WebKYCTest.servicepartnerconsumer.com, OU=ISS-3PTY, O=JabongS
  Signature Algorithm: SHA256withRSA, OID = 1.3.340.314509.9.0.32
  Key:  Sun RSA public key, 2048 bits
  modulus: 27573819147946213043216108193871654407922029181865423070240388390082203239203276484533998399141937338366712797583606436874669271136184327404678172471800553725661929882862711783147991980007784094228604257987704412377010220942071292525488807622245786848032603065210767423710596079119175986038958679485985173914183400986232704952684194291691771747100348011779606334479154902757588018357364139623723065756491506767148994346890208737770932855458704848837399114296416887151154418561578978073777312232789403716198956145390511813892730740350579365196627658126157277478693917625969224935645208986859585794507961203141704075579
  public exponent: 65537
  Validity: [From: Tue May 03 15:03:50 EDT 2016,
               To: Mon Apr 22 15:33:49 EDT 2019]
  Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  SerialNumber: [    1051555d 65348b53 00000000 50d7ff44]
*** ClientHello, TLSv1
RandomCookie:  GMT: 1451756012 bytes = { 109, 25, 125, 234, 72, 78, 180, 84, 205, 146, 231, 249, 138, 99, 17, 154, 171, 146, 144, 41, 1, 15, 203, 209, 38, 255, 236, 148 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
server_name, server_name: [host_name: it-internalservicepartner.jabong-dns.com]
http-bio-127.0.0.1-80-exec-1, WRITE: TLSv1 Handshake, length = 199
http-bio-127.0.0.1-80-exec-1, READ: TLSv1 Handshake, length = 16384
*** ServerHello, TLSv1
RandomCookie:  GMT: 1451756012 bytes = { 33, 109, 178, 249, 102, 30, 1, 105, 194, 42, 88, 10, 247, 104, 93, 45, 166, 230, 141, 49, 180, 154, 198, 251, 76, 170, 162, 49 }
Session ID:  {87, 136, 10, 236, 32, 220, 206, 169, 30, 219, 131, 106, 24, 37, 117, 192, 116, 56, 195, 254, 29, 197, 185, 155, 141, 192, 95, 152, 23, 143, 14, 114}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:
%% Initialized:  [Session-17, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
*** ECDH ServerKeyExchange
Server key: Sun EC public key, 256 bits
  public x coord: 68950688134319531882901065943858827597037420392341729344093733189994857259424
  public y coord: 103565436179130252254673183632021691038591576368603542556238032190750005197048
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
http-bio-127.0.0.1-80-exec-1, READ: TLSv1 Handshake, length = 1760
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
*** ServerHelloDone
Answer 0: (score: 0)
The server has a truststore, and inside this truststore is the client's public certificate. It will only match the alias when the client's public certificate inside the truststore has no issuer, or when at least one issuer is inside the truststore.
Source code:

if (issuers.length == 0) {
    // no issuer specified, match all
    aliases.add(alias); // <--- this is important
    if (debug != null && Debug.isOn("keymanager")) {
        System.out.println("matching alias: " + alias);
    }
}
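One way to take the client-certificate choice out of the alias-matching logic quoted above, added here as an illustration and not part of the question or the answer: a key manager that pins the alias from the question (goaheaduat in C:/goahead.jks, both the poster's values) and registers the resulting socket factory under both JAX-WS RI property names, because the RI bundled in the JDK reads the com.sun.xml.internal.ws key while a separately bundled jaxws-rt (the 2.2.10 User-Agent in the Tomcat log) reads the com.sun.xml.ws key. FixedAliasKeyManager, clientFactory and attach are names chosen for this example.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;
import javax.xml.ws.BindingProvider;

// Example class (not from the question): delegates to SunX509 but always offers one client alias.
public final class FixedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;
    public FixedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        this.alias = alias;
    }
    // SunX509 would match keyTypes and the CertificateRequest's issuer list here; we skip that match.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        return delegate.getPrivateKey(alias) != null ? alias : null;
    }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return new String[] { alias }; }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Builds a client SSLSocketFactory from the JKS file, pinned to the given alias; fails early if the alias has no key.
    public static SSLSocketFactory clientFactory(String jksPath, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ks.load(in, pass); }
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("no private-key entry for alias " + alias);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pass);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(base, alias) }, null, null);
        return ctx.getSocketFactory();
    }
    // Registers the factory under both property names so either JAX-WS RI picks it up.
    public static void attach(BindingProvider port, SSLSocketFactory factory) {
        port.getRequestContext().put("com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory", factory);
        port.getRequestContext().put("com.sun.xml.ws.transport.https.client.SSLSocketFactory", factory);
    }
}
```

With -Djavax.net.debug=ssl,keymanager enabled, a successful pin shows "found key for : goaheaduat" followed by the client's "*** Certificate chain" after the CertificateRequest, whereas the Tomcat log above ends at ServerHelloDone with no chain.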