Jetty“javax.net.ssl.SSLHandshakeException:没有共同的密码套件”

时间:2016-12-23 00:52:33

标签: java ssl https jetty embedded-jetty

我已经查看了类似的问题,但似乎没有任何内容与我正在做的或建议的修复工作相匹配。

我有一个从Java(JDK 1.8.0_101)配置的Jetty 9.4.0服务器,它不接受来自Chrome或我自己的Java客户端的SSL连接。从openssl s_client连接起作用。

Jetty端报告的错误是“javax.net.ssl.SSLHandshakeException:没有共同的密码套件”。 Chrome报告“客户端和服务器不支持常见的SSL协议版本或密码套件。”

我正在使用内部CA来创建证书。 CA证书已作为受信任添加到Chrome。 Jetty服务器端使用包含私钥,服务器证书和CA可信证书的内存中JKS。

Jetty服务器和Chrome / openssl在同一系统上运行(Windows 10)。

当CHROME连接时从JETTY / JAVA DEBUG输出:

Session ID:  {}
Cipher Suites: [Unknown 0xba:0xba, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_56026, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 23130, unknown curve 29, java.security.spec.ECParameterSpec@b25af0c, java.security.spec.ECParameterSpec@4ac6a6d}
Unsupported extension type_64250, data: 00
***
%% Initialized:  [Session-11, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-157, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-11, SSL_NULL_WITH_NULL_NULL]
qtp93314457-157, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp93314457-157, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-157, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-157, called closeOutbound()
qtp93314457-157, closeOutboundInternal()
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, READ: TLSv1 Handshake, length = 206
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -2087203376 Using SSLEngineImpl.
bytes = { 70, 173, 91, 213, 98, 98, 217, 46, 252, 233, 43, 114, 31, 19, 183, 40, 228, 28, 173, 130, 85, 182, 183, 173, 4, 212, 40, 245 }
Session ID:  {}
Cipher Suites: [Unknown 0x8a:0x8a, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_51914, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, java.security.spec.ECParameterSpec@638b01ff, java.security.spec.ECParameterSpec@3dbba4da}
Unsupported extension type_56026, data: 00
***
%% Initialized:  [Session-12, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
matching alias: myPrivateKey for CN=dim.magnicomp.com
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
qtp93314457-151, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
%% Invalidated:  [Session-12, SSL_NULL_WITH_NULL_NULL]
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
qtp93314457-151, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
qtp93314457-151, WRITE: TLSv1.2 Alert, length = 2
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-151, called closeOutbound()
qtp93314457-151, closeOutboundInternal()
qtp93314457-160, READ: TLSv1 Handshake, length = 212
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -316909219 bytes = { 57, 49, 102, 214, 160, 20, 226, 56, 251, 203, 38, 163, 9, 6, 194, 243, 5, 216, 212, 3, 4, 190, 51, 224, 44, 154, 92, 64 }
Session ID:  {}
Cipher Suites: [Unknown 0xea:0xea, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_23130, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 6682, unknown curve 29, java.security.spec.ECParameterSpec@e90285a, java.security.spec.ECParameterSpec@51bbd50e}
Unsupported extension type_19018, data: 00
***
%% Initialized:  [Session-13, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-160, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-13, SSL_NULL_WITH_NULL_NULL]
qtp93314457-160, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
qtp93314457-160, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-160, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-160, called closeOutbound()
qtp93314457-160, closeOutboundInternal()

这是我的码头代码:

private Server createServer() {
    Server server = new Server();
    server.setStopAtShutdown(true);
    if (log.getDebugLevel() >= 1)
        server.setDumpAfterStart(true);
    ServerConnector httpConnector = createHttpConnector(server);
    ServerConnector httpsConnector = createHttpsConnector(server);
    server.addConnector(httpConnector);
    server.addConnector(httpsConnector);

... snip ...
}
private ServerConnector createHttpsConnector(Server server) {
    HttpConfiguration httpConfig = new HttpConfiguration(getBasicHttpConfiguration());
    httpConfig.addCustomizer(new SecureRequestCustomizer());
    SslContextFactory sslContextFactory = createSslContextFactory();
    SslConnectionFactory connectionFactory = new SslConnectionFactory(sslContextFactory, HTTP_VERSION);

    ServerConnector connector = new ServerConnector(server, connectionFactory, new HttpConnectionFactory(httpConfig));
    connector.setPort(getHttpsPort());
    connector.setIdleTimeout(getHttpIdleTimeoutSeconds());

    return connector;
}

private SslContextFactory createSslContextFactory() {
    KeyStore keyStore = createKeyStore();
    KeyStore trustStore = createTrustStore();

    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStore(keyStore);
    sslContextFactory.setTrustStore(trustStore);
    sslContextFactory.setExcludeCipherSuites(excludeCiphers);
    sslContextFactory.setExcludeProtocols(excludeProtocols);

    return sslContextFactory;
}
private HttpConfiguration getBasicHttpConfiguration() {
    if (basicHttpConfig == null) {
        basicHttpConfig = new HttpConfiguration();
        basicHttpConfig.setSecureScheme("https");
        basicHttpConfig.setSecurePort(getHttpsPort());
    }

    return basicHttpConfig;
}

public KeyStore createKeyStore(...) {
        X509Certificate xcert = ...

        List<X509Certificate> chain = new ArrayList<>();
        chain.add(xcert);
        chain.addAll(caCerts);

        PrivateKey privateKey = ... ;

        String keyAlias = "myPrivateKey for " + xcert.getSubjectX500Principal().getName();
        String certAlias = "myCertificate for " + xcert.getSubjectX500Principal().getName();

        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        ks.load(null, null);
        ks.setCertificateEntry(certAlias, xcert);
        ks.setKeyEntry(keyAlias, privateKey, null, xchain.toArray(new X509Certificate [] {}));

        return ks;
}

public KeyStore createTrustStore() {
    KeyStore ks = null;
    try {
        ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
    } catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException e) {
        throw new OperationFailedException(e);
    }

    int count = 0;
    for (CertificateAuthority ca : list) {
        boolean isTrusted = (ca.getTrusted() != null) ? ca.getTrusted() : false;
        if (isTrusted == false)
            continue;

        X509Certificate xcert = CertificateConverter.convertToX509Certificate(ca.getCertificate());
        String alias = xcert.getSubjectDN().getName();
        TrustedCertificateEntry entry = new TrustedCertificateEntry(xcert);

        try {
            ks.setEntry(alias, entry, null);
            ++count;
        } catch (KeyStoreException e) {
            throw new OperationFailedException(e);
        }
    }

    if (count == 0)
        throw new OperationFailedException("No Trusted Certificate Authorities found");

    return ks;
}

当Jetty服务器启动时,它确实显示它包含在密码:

 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=34)
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=48)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_WITH_DES_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
... snip ...

与Jetty的上述Include Ciphers输出以及ClientHello显示的内容(来自Chrome)肯定有多个共同密码。

我可以使用openssl成功连接到Jetty服务器:

openssl s_client -CAfile ca-bundle.crt -connect dim.magnicomp.com:443
CONNECTED(00000003)
depth=2 CN = MagniComp Root CA
verify return:1
depth=1 DC = com, DC = magnicomp, CN = MagniComp Issuing CA3
verify return:1
depth=0 CN = dim.magnicomp.com
verify return:1
---
Certificate chain
 0 s:/CN=dim.magnicomp.com
   i:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
 1 s:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
   i:/CN=MagniComp Root CA
 2 s:/CN=MagniComp Root CA
   i:/CN=MagniComp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHLDCCBRSgAwIBAgITSwAAHrdVt+0m8ilX2QABAAAetzANBgkqhkiG9w0BAQsF
... snip ...
+yePwA+yZbwCJmfm6H/tHw==
-----END CERTIFICATE-----
subject=/CN=dim.magnicomp.com
issuer=/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5896 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 585C70B03124705067B91809B759000159C3537719D2D49CDA95FA34A8A0A838
    Session-ID-ctx:
    Master-Key: 869543E852F7C7FB0C8849CFE673FDB5C89EA7F8BA118215E00781F80390ADD6DA71B747F8DAA8F5E610FE9EF2F0ADFD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1482453168
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

这是我正在使用的服务器证书:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=magnicomp, CN=MagniComp Issuing CA3
        Validity
            Not Before: Dec 22 22:09:32 2016 GMT
            Not After : Dec 22 22:09:32 2017 GMT
        Subject: CN=dim.magnicomp.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a1:95:ef:ff:bf:c8:a2:fb:4e:3a:81:b5:4d:36:
                    03:21:55:3e:fb:35:93:14:b0:4e:93:16:2c:13:fd:
                    dd:7e:b4:4d:5a:32:04:28:9a:51:93:23:01:e4:80:
                    37:e9:4e:9b:9e:ca:ba:8d:96:5e:2b:78:2d:f9:3f:
                    bd:7e:cf:70:32:75:9b:e8:c7:1d:42:d4:ee:8e:2d:
                    e0:b8:2f:93:02:2b:a4:72:ac:99:8c:6d:05:f9:6b:
                    18:88:47:52:06:02:71:a9:9d:fe:87:71:d3:4f:28:
                    84:9b:55:2a:cd:af:37:77:94:a9:cc:6f:26:fe:88:
                    6b:c0:b5:b2:c6:59:c0:94:dd:af:3a:50:d7:7b:da:
                    2f:e4:98:b0:8a:b7:56:a7:ed:13:fd:7f:b3:39:14:
                    76:12:f4:39:0d:b4:ac:31:f3:2b:c6:12:3a:44:ef:
                    5b:b8:0d:03:0d:e4:f4:06:05:38:46:66:a7:07:9b:
                    ec:83:af:bc:48:46:d0:32:e7:96:13:96:6a:c6:d9:
                    49:71:c0:49:3c:04:9b:1e:20:ab:2f:06:af:6f:43:
                    ff:5a:30:55:35:3b:96:6b:51:61:cf:95:5b:58:c3:
                    37:e4:bf:05:09:d0:3b:57:82:86:40:bf:7e:bf:d8:
                    41:be:27:1c:f5:36:a7:b1:63:98:ea:cb:ff:32:99:
                    60:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:dim.magnicomp.com, DNS:dim
            X509v3 Subject Key Identifier:
                8D:8D:4E:99:AB:6A:15:32:B8:EA:C0:61:52:9D:3B:BE:A9:2E:C9:13
            X509v3 Authority Key Identifier:
                keyid:22:D9:24:A4:0C:3C:E9:63:82:D2:22:F6:87:C0:03:A2:2F:97:ED:80

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://CDP.magnicomp.com/PKI/MagniComp%20Issuing%20CA3.crl
                  URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=ca3,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:http://CDP.magnicomp.com/PKI/ca3.magnicomp.com_MagniComp%20Issuing%20CA3(1).crt
                CA Issuers - URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?cACertificate?base?objectClass=certificationAuthority

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....X...........b...d^...q......d...
            1.3.6.1.4.1.311.21.10:
                0.0
..+.......
    Signature Algorithm: sha256WithRSAEncryption
    ... snip ...

2 个答案:

答案 0 :(得分:5)

我终于弄明白了。对于证书和密钥条目,KeyStore别名必须是“jetty”。我使用自定义名称来更轻松地识别密钥库中的条目。

RANT:当它无法在KeyStore中找到证书/密钥时,为什么Jetty或底层Java SSL代码报告“没有共同的密码”?这完全是钝的,几乎没有机会帮助开发人员找出问题所在!

答案 1 :(得分:1)

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html https://www.eclipse.org/jetty/documentation/current/jetty-ssl-distribution.html

除了码头的官方文件外,别无其他。按照上面的说明进行操作后,再在start.ini中添加以下几行,即可使其正常工作。

jetty.sslContext.keyStorePath=etc/keystore jetty.sslContext.trustStorePath=etc/keystore jetty.sslContext.keyStorePassword=password jetty.sslContext.keyManagerPassword=password jetty.sslContext.trustStorePassword=password