我们有第三方应用程序,它使用Jetty 6.1构建soap适配器。应用程序通过SOAP从.Net应用程序通过SSL获取入站请求。
最近,SSL证书已过期,安全团队已向信任库添加了新证书。
问题是Jetty获取了所有证书的列表,但只使用了第一个(过期)并且握手失败。
以下是一些日志片段。很少行被标记为xxxxxxxxx以隐藏文本。
这显示3个别名,第一个在2017年10月8日到期。
JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
matching alias: 44240-xxxx-xxxxx-xxxxxx-org
matching alias: 111824-xxxx-xxxxx-xxxxxx-org
matching alias: 109491-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias 44240-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
**%% Negotiating: [Session-1, SSL_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1491745993 bytes = { 73, 37, 191, 131, 31, 235, 131, 242, 96, 119, 124, 73, 57, 221, 38, 112, 19, 216, 144, 221, 184, 25, 181, 210, 229, 39, 62, 50 }
Session ID: {89, 234, 61, 201, 31, 215, 166, 2, 132, 100, 188, 234, 63, 57, 167, 114, 199, 190, 119, 228, 154, 176, 153, 236, 115, 222, 35, 98, 53, 182, 88, 140}
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
Cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=xxxx-xxxxx-xxxxxx.org, OU=TreSOAP Server Test-PROD Primary, O=XXXX-XXXXX - internal dmz, L=Saint Louis, ST=Missouri, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMPKCS11Impl RSA Public Key:
Token: false
Private: false
Label: IBMPKCS1162112826090763885165327
Modifiable: true
KeyType: 0
ID:
Start Date: Wed Dec 31 17:59:59 CST 1969
End Date: Wed Dec 31 17:59:59 CST 1969
Derive: false
Local: false
Subject:
Encrypt: true
Verify: true
VerifyRecover: true
Wrap: true
modulus: 26606850225087850589932908027067524318268268224826270839465320725092268136382373728617246685378243753417909514269416692823470338958771068354701078301334195882971493513282715502700026787422539437203244486983379743077668035555448903482759728453372918271687510462097996374206565621965829077017536736170426765991639165149047482746818974654077122772442139310513169191565788646178636478714837968871155118100289147723685748486274263964655017819372517057114974155848311538134591086912352063631149931407513232621741060410510212626457131410022996185588768438731050436344397255226489472133617477053078911021189068729861786067773
modulus bits: 2048
public exponent: 65537
Validity: [From: Wed Oct 09 12:59:36 CDT 2013,
To: Sun Oct 08 12:49:19 CDT 2017]
Issuer: CN=MC Internal Zone Applications sub CA, OU=Global Information Security, O=XXXX, DC=xxxx, DC=com
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: cf 53 c3 63 61 83 f7 cd 4c 99 6a af 72 16 63 ee .S.ca...L.j.r.c.
0010: 63 48 23 2c cH..
]
[CN=Internal Zone Applications root CA, OU=Global Information Security, O=XXXX XXXX, DC=xxxx, DC=com]
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxx]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1 1.3.6.1.5.5.7.3.2]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8b 74 8c b4 9e 21 d6 dd 86 f0 51 5f 77 c0 21 52 .t........Q.w..R
0010: 78 ab a8 2a x...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
]
***
*** ServerHelloDone
301601274@qtp-1542806517-9, WRITE: TLSv1 Handshake, length = 1443
301601274@qtp-1542806517-9, READ: TLSv1 Alert, length = 2
301601274@qtp-1542806517-9, RECV TLSv1 ALERT: fatal, handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure**
需要专家的帮助才能找出问题所在。
答案 0 :(得分:0)
问题结果是SslSelectChannelConnector在应用程序中被覆盖以支持HSM,但是jetty版本已更新,支持新版本jetty的更改未包含在Overridden类中。