javax.net.ssl.SSLHandshakeException：收到致命警报：handshake_failure与安全的Rest webservice

Question

我正在尝试使用java中的安全rest api，拥有客户端提供的abc.crt，aaa.pem和xyz.key证书。

将aaa.pem导入jdk默认信任库'cacerts'，并使用abc.crt和xyz.key创建了keystore.jks，并且代码如下所示：

System.setProperty("javax.net.ssl.keyStore", "JAVA_HOME/jre/lib/security/keystore.jks");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
            System.setProperty("javax.net.ssl.trustStore", "JAVA_HOME/jre/lib/security/cacerts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");

但要低于例外：

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

要从浏览器解析此下载的证书并导入，但这次最终会在下面

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
        at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1769)

什么不对，请指正。 SSL调试：

<CN=xxxx, O=xxxxx, C=xx>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
main, WRITE: TLSv1.2 Handshake, length = 269
SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 61 6B A3 89 9B A5   35 44 DF 9A 19 4D C1 F3  ..ak....5D...M..
0010: 4D 7B 56 15 92 C7 7A BB   E3 D3 70 48 D7 BB 5F FF  M.V...z...pH.._.
0020: 8D 4A 83 F3 D3 46 F7 9C   82 35 C9 99 EC E7 42 66  .J...F...5....Bf
CONNECTION KEYGEN:
Client Nonce:
0000: 5A 02 99 9D C4 BC 72 E1   34 A8 46 18 7E 93 DA E7  Z.....r.4.F.....
0010: 67 E5 5A 2B 07 21 1C A0   CC 6F 5D 7E 47 75 89 7A  g.Z+.!...o].Gu.z
Server Nonce:
0000: 1C B1 ED 05 9C 11 5C 5F   BE 0C 28 67 0A B1 D0 04  ......\_..(g....
0010: 56 42 11 86 52 4A 95 8D   F9 69 3C 2A 9A 2F 69 02  VB..RJ...i<*./i.
Master Secret:
0000: FD 12 39 65 72 0C 0B 59   F3 60 BD 7F DE 5D 8C EC  ..9er..Y.`...]..
0010: D1 DE 3E 37 DA E3 35 B5   B6 1C E4 57 D7 18 5E 35  ..>7..5....W..^5
0020: F8 E0 24 2F 2C DB 68 89   99 25 8F D0 97 17 B8 70  ..$/,.h..%.....p
... no MAC keys used for this cipher
Client write key:
0000: 77 4E C7 9D F1 A1 34 2D   89 AC FD 3B 6B EB 72 51  wN....4-...;k.rQ
Server write key:
0000: C0 02 D9 65 D9 EC 8C 8E   4F 5C B3 8A E7 21 C8 32  ...e....O\...!.2
Client write IV:
0000: 7C E6 07 AB                                        ....
Server write IV:
0000: C6 8C 5E EE                                        ..^.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 177, 250, 131, 167, 57, 62, 209, 48, 184, 202, 65, 25 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, waiting for close_notify or alert: state 1
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Cipher忽略了：

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

更新 与python脚本一样的事情：

def somefunction(data, headers):
  response = requests.post("https://xxxxxx.xxxx.xxxxxx", data=data, headers=headers, verify='/path/to/root/ca/aaa.pem', cert=('/path/to/crt/abc.crt','/path/to/key/xyz.key'), stream=True)
  headres = {'Authorization': 'Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Content-Type': 'application/xml'}
  data = '<xyz>something</xyz>'