无法通过TLS与Vert.x连接到主机

时间:2017-10-02 11:43:31

标签: java ssl vert.x

我正在尝试使用TLS支持连接到特定主机。我有一个有效的私钥 - “my.key”,我的证书 - “my.crt”,还有rootCA证书“root_ca.crt”。我已经知道使用OpenSsl请求的主机。 Vertx可能会使用一些不同的变体来执行此操作:

  • 通过JksOptions()和java密钥库文件“.jks”
  • 通过PfxOptions()和文件“.pfx”(采用PKCS12格式)
  • 通过PemKeyCertOptions()和两个文件(“key.pem”和“cert.pem”)

但是当我这样做时:

NetClient client = vertx.createNetClient(
                (NetClientOptions) new NetClientOptions()
                        .setLogActivity(true)
                        .setSsl(true)
                        .setOpenSslEngineOptions(new OpenSSLEngineOptions())
                        .addEnabledSecureTransportProtocol("TLSv1.2")
                        .setJksOptions(
                                new JksOptions()
                                        .setPath("/path/to/my.jks")
                                        .setPassword("password")
                        )
        );
client.connect(some_port, "some_host", ar -> {
            if (ar.succeeded()) {
                LOG.debug("Connection succeeded!!!!");
            } else {
                LOG.debug("Connection failed!!!! :: {} :: {}", ar.cause(), ar.cause().getMessage());
            }
        });

构建是成功的,但是当我运行此代码时,我有例外:

INFO: Succeeded in deploying verticle
[vert.x-eventloop-thread-0] DEBUG io.netty.handler.ssl.ReferenceCountedOpenSslContext - verification of certificate failed
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:606)
    at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:470)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:927)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1033)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:200)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1117)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1039)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:565)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:479)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 30 more

创建密钥库时可能我做错了什么? 要创建它,我正在使用本教程 - https://support.adeptia.com/hc/en-us/articles/207878953-How-to-create-a-KeyStore-with-certificate-chain

请帮助我了解如何通过TLS获取正确的密钥库以与主机连接?

1 个答案:

答案 0 :(得分:0)

我找到了一种通过此命令以PKCS12格式创建正确的Java密钥库的方法:

openssl pkcs12 -inkey my.key -in my.crt -export -out domain.pfx

然后将生成的“domain.pfx”文件放在PfxOptions中,将“root_ca.crt”文件放入PemTrustOptions中,如下所示:

return new NetClientOptions()
            .setSsl(true)
            .addEnabledSecureTransportProtocol("TLSv1.2")
            .setPfxKeyCertOptions(
                    new PfxOptions()
                            .setPath(pathToKeystoreFile)
                            .setPassword(keystorePassword)
            )
            .setPemTrustOptions(
                    new PemTrustOptions()
                            .addCertPath(rootCACertificate)
            );

P.S。您在创建证书时输入的keystorePassword。

相关问题
最新问题