使用soap适配器进行SSL握手失败

时间:2017-10-25 04:06:31

标签: java ssl soap jetty

我们有第三方应用程序,它使用Jetty 6.1构建soap适配器。应用程序通过SOAP从.Net应用程序通过SSL获取入站请求。

最近,SSL证书已过期,安全团队已向信任库添加了新证书。

问题是Jetty获取了所有证书的列表,但只使用了第一个(过期)并且握手失败。

以下是一些日志片段。很少行被标记为xxxxxxxxx以隐藏文本。

这显示3个别名,第一个在2017年10月8日到期。

JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
matching alias: 44240-xxxx-xxxxx-xxxxxx-org
matching alias: 111824-xxxx-xxxxx-xxxxxx-org
matching alias: 109491-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias 44240-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true

**%% Negotiating:  [Session-1, SSL_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1491745993 bytes = { 73, 37, 191, 131, 31, 235, 131, 242, 96, 119, 124, 73, 57, 221, 38, 112, 19, 216, 144, 221, 184, 25, 181, 210, 229, 39, 62, 50 }
Session ID:  {89, 234, 61, 201, 31, 215, 166, 2, 132, 100, 188, 234, 63, 57, 167, 114, 199, 190, 119, 228, 154, 176, 153, 236, 115, 222, 35, 98, 53, 182, 88, 140}
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
Cipher suite:  SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxx-xxxxx-xxxxxx.org, OU=TreSOAP Server Test-PROD Primary, O=XXXX-XXXXX - internal dmz, L=Saint Louis, ST=Missouri, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  IBMPKCS11Impl RSA Public Key: 
 Token: false
 Private: false
 Label: IBMPKCS1162112826090763885165327
 Modifiable: true
 KeyType: 0
 ID: 
 Start Date: Wed Dec 31 17:59:59 CST 1969
 End Date: Wed Dec 31 17:59:59 CST 1969
 Derive: false
 Local: false
 Subject: 
 Encrypt: true
 Verify: true
 VerifyRecover: true
 Wrap: true
 modulus: 26606850225087850589932908027067524318268268224826270839465320725092268136382373728617246685378243753417909514269416692823470338958771068354701078301334195882971493513282715502700026787422539437203244486983379743077668035555448903482759728453372918271687510462097996374206565621965829077017536736170426765991639165149047482746818974654077122772442139310513169191565788646178636478714837968871155118100289147723685748486274263964655017819372517057114974155848311538134591086912352063631149931407513232621741060410510212626457131410022996185588768438731050436344397255226489472133617477053078911021189068729861786067773
 modulus bits: 2048
 public exponent: 65537
  Validity: [From: Wed Oct 09 12:59:36 CDT 2013,
               To: Sun Oct 08 12:49:19 CDT 2017]
  Issuer: CN=MC Internal Zone Applications sub CA, OU=Global Information Security, O=XXXX, DC=xxxx, DC=com
  SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: cf 53 c3 63 61 83 f7 cd  4c 99 6a af 72 16 63 ee  .S.ca...L.j.r.c.
0010: 63 48 23 2c                                        cH..
]

[CN=Internal Zone Applications root CA, OU=Global Information Security, O=XXXX XXXX, DC=xxxx, DC=com]
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxx]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
    1.3.6.1.5.5.7.3.1   1.3.6.1.5.5.7.3.2]

[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8b 74 8c b4 9e 21 d6 dd  86 f0 51 5f 77 c0 21 52  .t........Q.w..R
0010: 78 ab a8 2a                                        x...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

]
***
*** ServerHelloDone
301601274@qtp-1542806517-9, WRITE: TLSv1 Handshake, length = 1443
301601274@qtp-1542806517-9, READ: TLSv1 Alert, length = 2
301601274@qtp-1542806517-9, RECV TLSv1 ALERT:  fatal, handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure**

需要专家的帮助才能找出问题所在。

1 个答案:

答案 0 :(得分:0)

问题结果是SslSelectChannelConnector在应用程序中被覆盖以支持HSM,但是jetty版本已更新,支持新版本jetty的更改未包含在Overridden类中。