apache httpclient:收到致命警报:bad_certificate

时间:2018-06-03 16:42:25

标签: java ssl apache-httpclient-4.x

我正在使用自签名证书来兑现客户端身份验证。我将服务器配置为仅在客户端包含client-keystore的情况下接受连接。

这在soapUI工具中运行良好。但是当我尝试在我的代码中实现它时,它会抛出SSL错误,我很确定我在微观层面上缺少某些东西。我在SSL方面没有可见性。任何建议或帮助都会对我有所帮助。

服务器代码 https://github.com/next-time-space/cdn-service/blob/master/src/main/java/com/nexttimespace/cdnservice/config/ApplicationConfig.java#L31

代码

package com;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.junit.Test;

import javax.net.ssl.SSLContext;

import java.io.File;
import java.io.InputStream;
import java.security.KeyStore;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;

public class MyClientCertTest {



    private static final String KEYSTOREPATH = "/home/pasu/client-truststore.jks"; // or .p12
    private static final String KEYSTOREPASS = "secret";
    private static final String KEYPASS = "secret";

    KeyStore readStore() throws Exception {
        try (InputStream keyStoreStream = this.getClass().getResourceAsStream(KEYSTOREPATH)) {
            KeyStore keyStore = KeyStore.getInstance("JKS"); // or "PKCS12"
            keyStore.load(keyStoreStream, KEYSTOREPASS.toCharArray());
            return keyStore;
        }
    }


    public static void performClientRequest() throws Exception {
        try {
            org.apache.http.ssl.SSLContextBuilder builder = SSLContexts.custom();
                    //.loadKeyMaterial(readStore(), KEYPASS.toCharArray());
            //builder.loadTrustMaterial(null, (chain, authType) -> true);  
            builder.loadTrustMaterial(new File(KEYSTOREPATH), KEYPASS.toCharArray(), (chain, authType) -> true);
            SSLConnectionSocketFactory sslsf = new 
                      SSLConnectionSocketFactory(builder.build(), NoopHostnameVerifier.INSTANCE);
        /*SSLContext sslContext = SSLContexts.custom()
                .loadKeyMaterial(readStore(), KEYPASS.toCharArray()) // use null as second param if you don't have a separate key password
                .build();*/
        HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
        HttpResponse response = httpClient.execute(new HttpPost("https://localhost:8443/publish/"));
        assertEquals(200, response.getStatusLine().getStatusCode());
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());

        }catch(Exception e) {
            e.printStackTrace();
        }
    }
}

调试信息

adding as trusted cert:
  Subject: CN=localhost, OU=CDN, O=Next Time Space, L=City, ST=State, C=US
  Issuer:  CN=localhost, OU=CDN, O=Next Time Space, L=City, ST=State, C=US
  Algorithm: RSA; Serial number: 0x75894fb9
  Valid from Sun Jun 03 11:28:56 CDT 2018 until Sat Sep 01 11:28:56 CDT 2018

trigger seeding of SecureRandom
done seeding SecureRandom
11:36:22.751 [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
11:36:22.769 [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
11:36:22.771 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://localhost:8443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
11:36:22.792 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://localhost:8443][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
11:36:22.795 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://localhost:8443
11:36:22.799 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to localhost/127.0.0.1:8443
11:36:22.799 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Connecting socket to localhost/127.0.0.1:8443 with timeout 0
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
11:36:22.809 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
11:36:22.810 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
11:36:22.810 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1528043782 bytes = { 201, 221, 154, 64, 251, 188, 49, 50, 94, 97, 41, 74, 249, 82, 89, 82, 50, 116, 46, 63, 242, 158, 25, 242, 242, 177, 89, 204 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
main, WRITE: TLSv1.2 Handshake, length = 199
main, READ: TLSv1.2 Handshake, length = 1457
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1528043782 bytes = { 196, 222, 102, 241, 34, 60, 160, 243, 116, 141, 248, 68, 63, 140, 71, 214, 44, 156, 221, 65, 67, 71, 138, 20, 240, 201, 34, 149 }
Session ID:  {91, 20, 25, 6, 92, 29, 169, 21, 77, 40, 228, 110, 233, 126, 5, 68, 89, 242, 126, 213, 77, 101, 168, 186, 160, 225, 110, 173, 32, 2, 226, 173}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension extended_master_secret
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=CDN, O=Next Time Space, L=City, ST=State, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 21513698687508137025388999196541356972168504639653257899234638752220491580139697754094304568882600883116653898030703708695833968858890448445436773602063033284273917688038102700991283326099758819860496288358869995277118073235237048549587466739317653202050181344394882884336005397146275517500795611045892424102179980995969134451276706102140851542391737547232907463433299560966349514520878916627333020770036230530069102815476472579728727786025974673661017008360429513221482333183823490693798489858292685116318692675450549418075469698477207814374342639227293241391745069434436316625798338678315618848088755703162901980597
  public exponent: 65537
  Validity: [From: Sun Jun 03 11:28:56 CDT 2018,
               To: Sat Sep 01 11:28:56 CDT 2018]
  Issuer: CN=localhost, OU=CDN, O=Next Time Space, L=City, ST=State, C=US
  SerialNumber: [    75894fb9]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BC D4 AB 47 04 B9 B1 8C   9A CD 9C 6B 93 66 42 39  ...G.......k.fB9
0010: 01 2E C7 55                                        ...U
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 2E 10 0C 90 EF ED 61 32   3D CA 5C A2 D4 C1 2E E6  ......a2=.\.....
0010: 2D 36 D8 8B 28 AB C6 22   0F F1 28 D7 CD 1A B6 A6  -6..(.."..(.....
0020: 4C 6A FA A1 2A 32 6F 61   DB 60 DE 71 CB 4C 6F BD  Lj..*2oa.`.q.Lo.
0030: 2F B9 B1 1A 11 8F 45 E0   D6 D3 97 2B 80 16 B2 AE  /.....E....+....
0040: 3C 3E 51 4D 9E F3 A4 5C   4E 5E B7 72 1F 1A 38 24  <>QM...\N^.r..8$
0050: 5D C6 93 59 A3 92 5B 9F   99 30 B8 98 A3 43 A2 B8  ]..Y..[..0...C..
0060: 1F 6E F8 72 FD A3 2D DB   DD 03 C3 E7 F5 4D 0F D7  .n.r..-......M..
0070: A5 A6 14 7B B2 F8 5A BA   5D B2 0E FA 3F 8F 99 1E  ......Z.]...?...
0080: ED D6 28 1C 57 79 B1 20   92 18 36 6D DC D1 5D 1A  ..(.Wy. ..6m..].
0090: EC C0 7F A4 B0 2D 71 1A   21 C6 D2 6A 53 85 42 12  .....-q.!..jS.B.
00A0: 90 FD E9 84 8A 65 F3 9D   3B 7D AB D8 78 16 F6 1E  .....e..;...x...
00B0: 14 BB DB 73 86 B7 AD 90   06 E3 28 68 9F 0E 0C 4E  ...s......(h...N
00C0: 53 80 7D 33 50 86 47 E8   09 54 D5 4E 98 9C 65 B2  S..3P.G..T.N..e.
00D0: 8A F0 F2 02 2D F2 F8 30   D3 83 1B 2C 79 77 5A E5  ....-..0...,ywZ.
00E0: 1C F4 1D 1A 09 89 CD 0E   1B DE DA 03 E6 84 7E 23  ...............#
00F0: 15 F6 98 63 E3 E4 4C B9   88 10 8D A7 A6 25 21 E1  ...c..L......%!.

]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 70172521039422248909320195719533803837374541434423491941153258668318553652765
  public y coord: 113130271971725885827866310055272414913641185740108701041895983651138628140605
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=local, OU=CDN, O=Next Time Space, L=City, ST=State, C=US>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 222, 204, 248, 55, 53, 216, 226, 189, 242, 50, 7, 23, 62, 68, 167, 44, 92, 95, 163, 11, 57, 53, 226, 4, 10, 212, 157, 57, 6, 96, 127, 254, 220, 31, 81, 230, 66, 48, 12, 66, 243, 163, 83, 207, 82, 137, 28, 63, 145, 172, 144, 31, 225, 48, 65, 176, 187, 57, 139, 139, 46, 68, 169, 119 }
main, WRITE: TLSv1.2 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
0000: 34 BE AC 97 14 32 4F 04   6C A8 21 A6 24 F0 6F 43  4....2O.l.!.$.oC
0010: D5 FB 4B AF DD 85 95 44   42 79 24 B1 40 D2 65 89  ..K....DBy$.@.e.
CONNECTION KEYGEN:
Client Nonce:
0000: 5B 14 19 06 C9 DD 9A 40   FB BC 31 32 5E 61 29 4A  [......@..12^a)J
0010: F9 52 59 52 32 74 2E 3F   F2 9E 19 F2 F2 B1 59 CC  .RYR2t.?......Y.
Server Nonce:
0000: 5B 14 19 06 C4 DE 66 F1   22 3C A0 F3 74 8D F8 44  [.....f."<..t..D
0010: 3F 8C 47 D6 2C 9C DD 41   43 47 8A 14 F0 C9 22 95  ?.G.,..ACG....".
Master Secret:
0000: 17 A5 34 3F 3D 6A B0 43   FD D7 0A C1 BF 10 EE 14  ..4?=j.C........
0010: 34 04 3F 53 8A 44 25 43   4D 2A 98 1C 40 EA 5C A9  4.?S.D%CM*..@.\.
0020: 87 7B C4 82 86 25 7E D5   34 BF 74 39 FD 41 11 02  .....%..4.t9.A..
Client MAC write Secret:
0000: 4B 13 3B 1B B0 2B 8C 6E   66 31 AC 4A 01 72 D9 59  K.;..+.nf1.J.r.Y
0010: EF 38 D7 B9 E7 1C DB 84   C2 C4 A0 1B B3 F4 F8 F3  .8..............
0020: 6A CF 37 2A 15 B9 A7 3E   50 FB 72 EC 2F CA FA BD  j.7*...>P.r./...
Server MAC write Secret:
0000: 79 BB 95 F5 0C 23 A6 91   A7 54 FC AC 64 EA 41 41  y....#...T..d.AA
0010: 79 3B 22 E8 09 A1 59 5C   0A 5D 20 5D 21 EC 54 B4  y;"...Y\.] ]!.T.
0020: 16 98 DF 16 DE 06 20 FC   D4 57 FE E3 F7 E7 40 75  ...... ..W....@u
Client write key:
0000: CF EA 2E 13 1F 0C F1 18   51 0D 7D F2 1B BA 3F 59  ........Q.....?Y
0010: AD 54 78 24 98 74 20 2E   1B 9B 26 0F A6 53 DC FC  .Tx$.t ...&..S..
Server write key:
0000: F3 52 86 B8 86 A3 0D ED   F5 25 F1 FD AF 62 91 80  .R.......%...b..
0010: 44 E3 09 99 36 4C 39 D2   EF 93 00 2D B8 51 4B A3  D...6L9....-.QK.
... no IV derived for this protocol
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 193, 22, 27, 106, 183, 71, 24, 242, 153, 181, 33, 133 }
***
main, WRITE: TLSv1.2 Handshake, length = 96
main, waiting for close_notify or alert: state 1
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, bad_certificate
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
11:36:22.921 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
11:36:22.921 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
11:36:22.921 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://localhost:8443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)

1 个答案:

答案 0 :(得分:1)

2天后,这么多咖啡因找到了解决方案。我需要加载keymetrial和信任metrial,我需要加载keymetrial与别名。这是工作解决方案

package com.nexttimespace.analligence.eukarya.rille;

import static org.junit.Assert.assertEquals;
import java.io.File;
import java.net.Socket;
import java.net.URI;
import java.util.Map;

import javax.net.ssl.SSLContext;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;
import org.junit.Test;

public class MyClientCertTest {



    private static final String KEYSTOREPATH = "/home/pasu/ntscerts/client-keystore.jks"; // or .p12
    private static final String KEYSTOREPASS = "secret";
    private static final String KEYPASS = "secret";


    @Test
    public void performClientRequest() throws Exception {
        try {
        SSLContext sslContext = SSLContexts.custom()
        .loadKeyMaterial(new URI("file:" + KEYSTOREPATH).toURL(), KEYPASS.toCharArray(), KEYPASS.toCharArray(), new PrivateKeyStrategy() {
            @Override
            public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                return "client";
            }
        })
        .loadTrustMaterial(new File(KEYSTOREPATH), KEYPASS.toCharArray(), (chain, authType) -> true)
        .build();

        SSLConnectionSocketFactory sslsf = new 
              SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
        HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
        HttpResponse response = httpClient.execute(new HttpPost("https://localhost:8443/publish/cdn1"));
        assertEquals(200, response.getStatusLine().getStatusCode());
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getAllHeaders());
        EntityUtils.consume(entity);
        }catch(Exception e) {
            e.printStackTrace();
        }
    }
}