Java SSL connection reset on Linux, works fine on Windows

Time: 2017-11-06 09:47:24

Tags: java .net ssl apache-camel

We are trying to connect to a .NET-based web service over HTTPS with Apache Camel. The calls work fine under Windows, but for the Linux-based machine the remote web service returns a connection reset during the SSL handshake phase. Calling the URL from cURL or Postman under Linux is no problem, so the issue seems to be related to the JVM.

We have tested this by enabling SSL trace logging, and both machines appear to negotiate exactly the same cipher suite, so we have no idea what is causing the connection reset. We have no access to the logging of the remote web service, so I'm actually not sure how to continue debugging this...

I have truncated the SSL trace logging of both platforms and included it below. Is there anything we are missing there, or how else could we debug this without remote logging?

Linux SSL trace logging:

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1509952410 bytes = ...truncated...
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=...truncated...]
***
http-nio-8080-exec-7, WRITE: TLSv1.2 Handshake, length = 230
http-nio-8080-exec-7, READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 720603056 bytes = ...truncated...
Session ID:  ...truncated...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
http-nio-8080-exec-7, READ: TLSv1.2 Handshake, length = 3959
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: ...truncated...
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
  SerialNumber: [    ...truncated...]

Certificate Extensions: 10
[1]: ObjectId: ...truncated... Criticality=false
Extension unknown: DER encoded OCTET string =
...truncated...


[2]: ObjectId: ...truncated... Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://secure.globalsign.com/cacert/gsextendvalsha2g3r3.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/gsextendvalsha2g3r3
]
]

[3]: ObjectId: ...truncated... Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

[4]: ObjectId: ...truncated... Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: ...truncated... Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.com/gs/gsextendvalsha2g3r3.crl]
]]

[6]: ObjectId: ...truncated... Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [...truncated...]
[PolicyQualifierInfo: [
  qualifierID: ...truncated...
  qualifier: ...truncated...

]]  ]
  [CertificatePolicyId: [...truncated...]
[]  ]
]

[7]: ObjectId: ...truncated... Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: ...truncated... Criticality=false
SubjectAlternativeName [
  DNSName: ...truncated...
  DNSName: ...truncated...
  DNSName: ...truncated...
]

[10]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...

]
chain [1] = [
[
  Version: V3
  Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  SerialNumber: [    ...truncated...]

Certificate Extensions: 7
[1]: ObjectId: ...truncated... Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/rootr3
]
]

[2]: ObjectId: ...truncated... Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

[3]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: ...truncated... Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.com/root-r3.crl]
]]

[5]: ObjectId: ...truncated... Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [...truncated...]
[PolicyQualifierInfo: [
  qualifierID: ...truncated...
  qualifier: ...truncated...

]]  ]
]

[6]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...

]
chain [2] = [
[
  Version: V3
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  SerialNumber: [    ...truncated...]

Certificate Extensions: 3
[1]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
...truncated...
]

[2]: ObjectId: ...truncated... Criticality=true
KeyUsage [
...truncated...
]

[3]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature: ...truncated...

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Signature Algorithm: SHA256withRSA, OID = ...truncated

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: ...truncated...
  SerialNumber: [    ...truncated...]

Certificate Extensions: 3
[1]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
  CA:true
  PathLen:...truncated...
]

[2]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...
]
http-nio-8080-exec-7, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: ...truncated...
  public y coord: ...truncated...
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
http-nio-8080-exec-7, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  ...truncated...
http-nio-8080-exec-7, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
...truncated...
CONNECTION KEYGEN:
Client Nonce:
...truncated...
Server Nonce:
...truncated...
Master Secret:
...truncated...
... no MAC keys used for this cipher
Client write key:
...truncated...
Server write key:
...truncated
Client write IV:
...truncated...
Server write IV:
...truncated....
http-nio-8080-exec-7, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
...truncated...
***
http-nio-8080-exec-7, WRITE: TLSv1.2 Handshake, length = 40
http-nio-8080-exec-7, READ: TLSv1.2 Change Cipher Spec, length = 1
http-nio-8080-exec-7, READ: TLSv1.2 Handshake, length = 40
*** Finished
...truncated...
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-7, WRITE: TLSv1.2 Application Data, length = 2370
http-nio-8080-exec-7, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-7, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
http-nio-8080-exec-7, WRITE: TLSv1.2 Alert, length = 26
http-nio-8080-exec-7, Exception sending alert: java.net.SocketException: Broken pipe (Write failed)
http-nio-8080-exec-7, called closeSocket()
http-nio-8080-exec-7, called close()
http-nio-8080-exec-7, called closeInternal(true)

Windows SSL trace logging:

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1509957147 bytes = ...truncated...
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=...truncated...]
***
http-nio-8080-exec-10, WRITE: TLSv1.2 Handshake, length = 258
http-nio-8080-exec-10, READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2
RandomCookie:  GMT: -607016418 bytes = ...truncated...
Session ID:  ...truncated...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
http-nio-8080-exec-10, READ: TLSv1.2 Handshake, length = 3959
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: ...truncated...
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
  SerialNumber: [    ...truncated...]

Certificate Extensions: 10
[1]: ObjectId: ...truncated... Criticality=false
Extension unknown: DER encoded OCTET string =
...truncated...


[2]: ObjectId: ...truncated... Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://secure.globalsign.com/cacert/gsextendvalsha2g3r3.crt
, 
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/gsextendvalsha2g3r3
]
]

[3]: ObjectId: ...truncated... Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

[4]: ObjectId: ...truncated... Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: ...truncated... Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.com/gs/gsextendvalsha2g3r3.crl]
]]

[6]: ObjectId: ...truncated... Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [...truncated...]
[PolicyQualifierInfo: [
  qualifierID: ...truncated...
  qualifier: ...truncated...

]]  ]
  [CertificatePolicyId: [...truncated...]
[]  ]
]

[7]: ObjectId: ...truncated... Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: ...truncated... Criticality=false
SubjectAlternativeName [
  DNSName: ...truncated...
  DNSName: ...truncated...
  DNSName: ...truncated...
]

[10]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...

]
chain [1] = [
[
  Version: V3
  Subject: CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  SerialNumber: [    ...truncated...]

Certificate Extensions: 7
[1]: ObjectId: ...truncated... Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp2.globalsign.com/rootr3
]
]

[2]: ObjectId: ...truncated... Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

[3]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: ...truncated... Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.globalsign.com/root-r3.crl]
]]

[5]: ObjectId: ...truncated... Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [...truncated...]
[PolicyQualifierInfo: [
  qualifierID: ...truncated...
  qualifier: ...truncated...

]]  ]
]

[6]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...

]
chain [2] = [
[
  Version: V3
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Signature Algorithm: SHA256withRSA, OID = ...truncated...

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  SerialNumber: [    ...truncated...]

Certificate Extensions: 3
[1]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
...truncated...
]

[2]: ObjectId: ...truncated... Criticality=true
KeyUsage [
...truncated...
]

[3]: ObjectId: ...truncated... Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature: ...truncated...

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
  Signature Algorithm: SHA256withRSA, OID = ...truncated

  Key:  Sun RSA public key, 2048 bits
  modulus: ...truncated...
  public exponent: ...truncated...
  Validity: [...truncated...]
  Issuer: ...truncated...
  SerialNumber: [    ...truncated...]

Certificate Extensions: 3
[1]: ObjectId: ...truncated... Criticality=true
BasicConstraints:[
  CA:true
  PathLen:...truncated...
]

[2]: ObjectId: ...truncated... Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...truncated...
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
...truncated...
]
http-nio-8080-exec-10, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: ...truncated...
  public y coord: ...truncated...
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
http-nio-8080-exec-10, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 144, 81, 42, 27, 249, 12, 198, 167, 196, 189, 75, 11, 160, 39, 39, 10, 147, 244, 224, 161, 27, 200, 75, 153, 157, 161, 124, 97, 202, 134, 160, 96, 188, 86, 81, 42, 150, 115, 66, 254, 51, 50, 149, 2, 63, 191, 181, 70, 178, 233, 233, 207, 214, 235, 200, 52, 51, 47, 139, 211, 246, 147, 2, 250 }
http-nio-8080-exec-10, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
...truncated...
CONNECTION KEYGEN:
Client Nonce:
...truncated...
Server Nonce:
...truncated...
Master Secret:
...truncated...
0020: 5B 12 25 BC 53 8B 7C B8   D3 35 60 56 EE D8 8C E4  [.%.S....5`V....
... no MAC keys used for this cipher
Client write key:
...truncated...
Server write key:
...truncated...
Client write IV:
...truncated...
Server write IV:
...truncated...
http-nio-8080-exec-10, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: ...truncated...
***
http-nio-8080-exec-10, WRITE: TLSv1.2 Handshake, length = 40
http-nio-8080-exec-10, READ: TLSv1.2 Change Cipher Spec, length = 1
http-nio-8080-exec-10, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: ...truncated...
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
http-nio-8080-exec-10, WRITE: TLSv1.2 Application Data, length = 2348
http-nio-8080-exec-10, READ: TLSv1.2 Application Data, length = 1123
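Read side by side, the two traces above reach exactly the same point: ServerHello, certificate chain validated against a trusted root, both Change Cipher Spec and Finished messages exchanged, and application data written. Only after that does the Linux side report the reset, so the failure sits after the TLS handshake, in whatever the server does with the request it received. The scanner below makes that distinction mechanical for JDK 8-style javax.net.debug=ssl output (newer JDKs print a different layout). It is an added example, not code from the question or from Apache Camel; the trace fragments inside it are constructed and abridged from the logs above, and the milestone names and verdict strings are chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Client-side milestones in the order a JDK 8-style javax.net.debug=ssl trace prints them.
MILESTONES = (
    ("client_hello", re.compile(r"^\*\*\* ClientHello")),
    ("server_hello", re.compile(r"^\*\*\* ServerHello")),
    ("certificate_chain", re.compile(r"^\*\*\* Certificate chain")),
    ("trusted_certificate", re.compile(r"^Found trusted certificate")),
    ("server_hello_done", re.compile(r"^\*\*\* ServerHelloDone")),
    ("client_change_cipher_spec", re.compile(r"WRITE: TLSv1(?:\.\d)? Change Cipher Spec")),
    ("server_change_cipher_spec", re.compile(r"READ: TLSv1(?:\.\d)? Change Cipher Spec")),
    ("application_data_sent", re.compile(r"WRITE: TLSv1(?:\.\d)? Application Data")),
    ("application_data_received", re.compile(r"READ: TLSv1(?:\.\d)? Application Data")),
)
EXCEPTION_RE = re.compile(r"handling exception: (.+)$")
ALERT_RE = re.compile(r"(SEND|RECV) TLSv1(?:\.\d)? ALERT:\s+(\w+), description = (\w+)")
CIPHER_RE = re.compile(r"^Cipher Suite: (\S+)")  # ServerHello choice, not the ClientHello list
PROTOCOL_RE = re.compile(r"^\*\*\* ServerHello, (TLSv1(?:\.\d)?)")


@dataclass
class TraceSummary:
    protocol: Optional[str] = None
    cipher_suite: Optional[str] = None
    reached: List[str] = field(default_factory=list)  # milestones seen before any exception
    exception: Optional[str] = None
    alerts: List[str] = field(default_factory=list)   # e.g. "SEND fatal unexpected_message"

    @property
    def handshake_completed(self) -> bool:
        # The server's ChangeCipherSpec is read only after the client's Finished was sent
        # and is followed by the server's Finished, so it marks a completed handshake.
        return "server_change_cipher_spec" in self.reached

    @property
    def verdict(self) -> str:
        if self.exception is None and "application_data_received" in self.reached:
            return "ok"
        if self.handshake_completed:
            return "post-handshake failure"  # TLS succeeded; look at the HTTP exchange
        return "handshake failure after " + (self.reached[-1] if self.reached else "start")


def summarize_trace(lines: Iterable[str]) -> TraceSummary:
    """Walk the trace once and record how far the connection got before it failed."""
    summary = TraceSummary()
    for raw in lines:
        line = raw.strip()
        if summary.exception is None:  # nothing after the exception counts as progress
            for name, pattern in MILESTONES:
                if name not in summary.reached and pattern.search(line):
                    summary.reached.append(name)
            if m := CIPHER_RE.match(line):
                summary.cipher_suite = m.group(1)
            if m := PROTOCOL_RE.match(line):
                summary.protocol = m.group(1)
            if m := EXCEPTION_RE.search(line):
                summary.exception = m.group(1).strip()
        if m := ALERT_RE.search(line):
            summary.alerts.append(f"{m.group(1)} {m.group(2)} {m.group(3)}")
    return summary


# Constructed, abridged traces in the shape of the logs in the question above.
HANDSHAKE = """\
*** ClientHello, TLSv1.2
exec-7, WRITE: TLSv1.2 Handshake, length = 230
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
Found trusted certificate:
*** ServerHelloDone
exec-7, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
exec-7, READ: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
exec-7, WRITE: TLSv1.2 Application Data, length = 2370
"""
LINUX_TRACE = HANDSHAKE + """\
exec-7, handling exception: java.net.SocketException: Connection reset
exec-7, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
"""
WINDOWS_TRACE = HANDSHAKE + "exec-7, READ: TLSv1.2 Application Data, length = 1123\n"
# Constructed: what a failure inside the handshake (untrusted server certificate) looks like.
UNTRUSTED_TRACE = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
exec-3, handling exception: javax.net.ssl.SSLHandshakeException: PKIX path building failed
exec-3, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
"""

if __name__ == "__main__":
    for label, trace in (("linux", LINUX_TRACE), ("windows", WINDOWS_TRACE), ("untrusted", UNTRUSTED_TRACE)):
        s = summarize_trace(trace.splitlines())
        print(f"{label}: {s.protocol} {s.cipher_suite} -> {s.verdict}; last={s.reached[-1]}; alerts={s.alerts}")
```

Feed it the full trace of each machine (`summarize_trace(open(path))`) and compare the verdicts: a "post-handshake failure" on one host with "ok" on the other, and identical protocol and cipher suite, rules out TLS negotiation and points at request-level differences such as the URL, headers or client certificate the server expects. The `unexpected_message` alert the client sends after the reset is a consequence of the closed socket, not its cause.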

1 answer:

Answer 0 (score: 0)

We actually found the issue with the help of remote logging: on the Linux machine the requested URL contained the port number (i.e. https://remote:443), while the URL on the Windows machine had no port defined (i.e. https://remote). After removing the port from the Linux configuration everything works fine.

AFAIK the port number should not be part of certificate validation, but the remote web service seems to include it anyway. In any case, our problem is solved.
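The difference the answer found, an explicit `:443` in one configuration and no port in the other, is the kind of drift a configuration lint catches before it reaches production. The check below flags endpoint URLs that spell out their scheme's default port and normalizes them, while leaving non-default ports, IPv6 literals and user info intact. It is an added example, not code from the question, the answer or Apache Camel; `DEFAULT_PORTS`, the function names and the sample URLs are chosen and constructed for this example.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Only schemes relevant to HTTP endpoints; an explicit port equal to one of these is
# redundant and is what differed between the two configurations in the answer.
DEFAULT_PORTS = {"http": 80, "https": 443}


def explicit_default_port(url: str) -> Optional[int]:
    """Return the port if the URL spells out its scheme's default port, else None."""
    parts = urlsplit(url)
    port = parts.port  # None when absent; raises ValueError for a non-numeric port
    if port is not None and port == DEFAULT_PORTS.get(parts.scheme.lower()):
        return port
    return None


def strip_default_port(url: str) -> str:
    """Rewrite the URL without its redundant default port; other URLs are returned unchanged."""
    if explicit_default_port(url) is None:
        return url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, the netloc needs them back
        host = f"[{host}]"
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += f":{parts.password}"
        userinfo += "@"
    return urlunsplit((parts.scheme, userinfo + host, parts.path, parts.query, parts.fragment))


def find_explicit_default_ports(urls: Iterable[str]) -> List[str]:
    """Lint helper: the subset of configured endpoint URLs that carry a redundant port."""
    return [u for u in urls if explicit_default_port(u) is not None]


if __name__ == "__main__":
    # Constructed sample endpoint configuration, one entry per host in the question.
    endpoints = ["https://remote:443/service", "https://remote/service", "https://remote:8443/service"]
    for url in find_explicit_default_ports(endpoints):
        print(f"{url} -> {strip_default_port(url)}")
```

Run the lint over every deployment's endpoint configuration and normalize before comparing environments; when two hosts produce different behaviour against the same service, a diff of their normalized URLs, headers and truststores is the first thing to check, as this case shows.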