I am trying to run a test. As soon as I turn on SSL, I get the very common "unable to find valid certification path" error. My certificates are set up as follows: Test Root CA -> Test Sub CA -> Test Server -> Test Client
So both the server and the client certificate are signed by the Sub CA. I tried setting up my client and server keystores:
Client keystore:
Client truststore:
Server keystore:
I tried every variation: importing only the client/server certificate into the keystore, importing the full CA chain... I always get that error. I turned on SSL debugging in Java, but that is still the last error message I can see.
Could you take a look at the log file? Because of space limits I split it into two parts. Log until first error is the first half; it shows the SSL negotiation and the keystore handling, and shows the first time the certificate path is not found. The rest is in Rest of the log.
I believe the SSL handshake and the certificate verification are both fine. When I set the truststore manually like this
URL trustStoreURL = classLoader.getResource("jsse/client-truststore.jks");
System.setProperty("javax.net.ssl.trustStore", trustStoreURL.getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "password");
verification works and SSL is fine. Both truststores are identical anyway. But what happens if it is not set? I think setting this programmatically (see below) should be fine, but somehow I have the feeling that another truststore (cacerts) is being loaded and somehow breaks the verification. I really want to understand what is going on and be able to follow the SSL handshake in the log. But I don't understand why the certificate verification fails. Thanks!
Edit: Java version:
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
The code that configures the SSL context parameters:
// Camel 2.x JSSE utility classes (the snippet did not show its imports)
import org.apache.camel.util.jsse.ClientAuthentication;
import org.apache.camel.util.jsse.KeyManagersParameters;
import org.apache.camel.util.jsse.KeyStoreParameters;
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SSLContextServerParameters;
import org.apache.camel.util.jsse.TrustManagersParameters;

// Assumed: PWD was not shown in the snippet; the truststore password above is "password"
private static final String PWD = "password";

private static SSLContextParameters defineClientSSLContextClientParameters() {
    // Client identity: jsse/client-keystore.jks holds the client key and certificate
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/client-keystore.jks").toString());
    ksp.setPassword(PWD);
    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyPassword(PWD);
    kmp.setKeyStore(ksp);
    // Client trust: jsse/client-truststore.jks decides which server chains are accepted
    KeyStoreParameters tsp = new KeyStoreParameters();
    tsp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/client-truststore.jks").toString());
    tsp.setPassword(PWD);
    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setKeyStore(tsp);
    SSLContextServerParameters scsp = new SSLContextServerParameters();
    //scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
    scsp.setClientAuthentication(ClientAuthentication.NONE.name());
    SSLContextParameters sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(kmp);
    sslContextParameters.setTrustManagers(tmp);
    sslContextParameters.setServerParameters(scsp);
    return sslContextParameters;
}

private static SSLContextParameters defineServerSSLContextParameters() {
    // Server identity: jsse/server-keystore.jks holds the server key and certificate chain
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/server-keystore.jks").toString());
    ksp.setPassword(PWD);
    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyPassword(PWD);
    kmp.setKeyStore(ksp);
    // Server trust: only used if client authentication is switched on below
    KeyStoreParameters tsp = new KeyStoreParameters();
    tsp.setResource(Thread.currentThread().getContextClassLoader().getResource("jsse/server-truststore.jks").toString());
    tsp.setPassword(PWD);
    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setKeyStore(tsp);
    SSLContextServerParameters scsp = new SSLContextServerParameters();
    //scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
    scsp.setClientAuthentication(ClientAuthentication.NONE.name());
    SSLContextParameters sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(kmp);
    sslContextParameters.setTrustManagers(tmp);
    sslContextParameters.setServerParameters(scsp);
    return sslContextParameters;
}
The code that configures my test routes:
// Camel 2.x route and component classes (the snippet did not show its imports)
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.ahc.ws.WsComponent;
import org.apache.camel.component.websocket.WebsocketComponent;

@Override
protected RouteBuilder[] createRouteBuilders() throws Exception {
    RouteBuilder[] rbs = new RouteBuilder[2];
    // A consumer
    rbs[0] = new RouteBuilder() {
        public void configure() {
            // Needed to configure TLS on the client side
            WsComponent wsComponent = (WsComponent) context.getComponent("idsclient");
            wsComponent.setSslContextParameters(defineClientSSLContextClientParameters());
            from("direct:input").routeId("foo")
                .log(">>> Message from direct to WebSocket Client : ${body}")
                .to("idsclient://localhost:9292/echo")
                .log(">>> Message from WebSocket Client to server: ${body}");
        }
    };
    // A provider
    rbs[1] = new RouteBuilder() {
        public void configure() {
            // Needed to configure TLS on the server side
            WebsocketComponent websocketComponent = (WebsocketComponent) context.getComponent("idsserver");
            websocketComponent.setSslContextParameters(defineServerSSLContextParameters());
            // This route is set to use TLS, referring to the parameters set above
            from("idsserver:localhost:9292/echo")
                .log(">>> Message from WebSocket Server to mock: ${body}")
                .to("mock:result");
        }
    };
    return rbs;
}
The test certificate on the server side looks like this (taken from the log file):
found key for : server
chain [0] = [
[
Version: V3
Subject: CN=Test Server, OU=MyDepartment, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19697468346206325338625931027401620685505412743602335229201285324147237256216294710834287613270808792700765169197171367371459991031662084309764776191914171160104989266207613238184784158415975037177065022201531172433794931849866898549526682368884371139417838799836320672154199909478730633522432282118939559532307066108447566990979134741165253612506513491626459651819946324249745973578011579650517987718802720162457248935339641095429277723082345377268006775487733517858798408645354401260091015110745708667097965877142342305591846833532604648462225727819942287641383438004739414038605341137460966856052237012367021734999
public exponent: 65537
Validity: [From: Tue Oct 25 09:37:42 CEST 2016,
To: Thu Oct 25 09:37:42 CEST 2018]
Issuer: CN=Test SubCA 2016, O=Company, C=DE
SerialNumber: [ 01]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 55 EC 7E AC F0 98 95 EA 58 D7 BF 43 92 2C 65 .U.......X..C.,e
0010: AA A0 32 73 ..2s
]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
DNSName: 127.0.0.1
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7F 45 12 3E F5 17 F8 EF FF 2F 08 46 25 4B 21 60 .E.>...../.F%K!`
0010: EB FC 1B 4F ...O
]
]
]
Algorithm: [SHA256withRSA]
Signature:
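As an added diagnostic (not code from the question or from Camel), the standalone Java program below loads a JKS truststore such as the client-truststore.jks above, lists what it actually trusts, and asks a PKIX X509TrustManager to build a path for a server chain read from a PEM file. This is the same check JSSE runs during the handshake, so it reproduces "unable to find valid certification path" outside the Camel routes: if the server keystore only holds the leaf (the log shows a single chain [0] entry) and the truststore only holds the Root CA, the Sub CA appears nowhere and the path cannot be built. File paths and the password are command-line arguments you supply.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {

    // Loads the JKS truststore and asks a PKIX trust manager, the same kind JSSE builds
    // from client-truststore.jks, whether it can build a path for the presented chain.
    // Returns null on success, otherwise the validator's message.
    static String checkChain(String trustStorePath, char[] pwd, X509Certificate[] chain)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, pwd);
        }
        for (String alias : Collections.list(ts.aliases())) {   // what is really trusted
            System.out.println("trusted: " + alias + " -> "
                    + ((X509Certificate) ts.getCertificate(alias)).getSubjectX500Principal());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");   // server cert uses RSA
                return null;
            } catch (CertificateException e) {
                return e.getMessage();   // e.g. "unable to find valid certification path ..."
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Usage: java TrustCheck server-chain.pem client-truststore.jks password
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (FileInputStream in = new FileInputStream(args[0])) {   // PEM, leaf first, then CAs
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        for (int i = 0; i < chain.length; i++) {
            System.out.println("chain[" + i + "] " + chain[i].getSubjectX500Principal()
                    + " issued by " + chain[i].getIssuerX500Principal());
        }
        String err = checkChain(args[1], args[2].toCharArray(), chain);
        System.out.println(err == null ? "path built OK" : "FAILED: " + err);
    }
}
```

If the check fails here, either add the Sub CA certificate to the server keystore entry so the full chain is sent, or import the Sub CA into the client truststore; if it passes here but the handshake still fails, the running test is not using this truststore.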