Unable to verify client certificate with Akka HTTP server (Play Framework)

Time: 2019-04-03 12:04:44

Tags: authentication https playframework certificate akka

I am trying to set up an HTTPS server with client certificate authentication using Play Framework (2.7). However, client authentication always fails with unable to find valid certification path to requested target.

The client certificates are signed by a custom certificate authority that uses a self-signed certificate. In my setup, this custom CA is the only CA the server should trust.

In application.conf I added the following configuration to set up the HTTPS server and replace the default trust store with the custom CA certificate.

play {
  server {
    https {
      keyStore {
        path = "/path/to/store",
        password = "password",
        type = "PKCS12"
      }
      needClientAuth = true
    }
  }
}

ssl-config {
  trustManager = {
    stores = [
      { type = "PEM", path = "path/to/ca/certificate" }
    ]
  }
}

With debugging enabled, I can see the custom CA certificate being loaded at application initialisation:

adding as trusted cert:
  Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
  Issuer:  EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
  Valid from Wed Jul 06 15:38:40 CEST 2005 until Tue Jul 01 15:38:40 CEST 2025

However, I also see the following lines in the log:

trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore

I did not expect, and do not want, the server to use the default JRE trust store. How can I disable it completely?

In any case, this should not prevent the server from authenticating the client correctly, unless the trust store is completely overridden (which I hope is not the case, but I have not proven it so far).

When a client connects, I see in the log that its certificate is read correctly:

chain [0] = [
Subject: EMAILADDRESS=devnull@mydomain.com, CN=My User, OU="User#41183", O=MyOrg, C=FR
Validity: [From: Thu Jan 11 10:17:12 CET 2018, To: Tue Jan 10 10:17:12 CET 2023]
Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
]
chain [1] = [
Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
Validity: [From: Wed Jul 06 15:38:40 CEST 2005, To: Tue Jul 01 15:38:40 CEST 2025]
Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
]

The client's issuer matches the custom CA certificate loaded earlier. However, the following error is thrown:

application-akka.actor.default-dispatcher-2, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What am I missing or doing wrong?

EDIT: I noticed that authentication works if I import the custom CA certificate into the default trust store.

EDIT 2: It seems to be linked to the default implementation of the SSL engine provider:

2019-04-08 13:21:46 +0200 [DEBUG] from play.core.server.ssl.DefaultSSLEngineProvider in application-akka.actor.default-dispatcher-3 - Using default trust store for client side CA verification

1 answer:

Answer 0 (score: 0)

You have to set a custom SSL engine provider, see the docs, because it only supports DefaultSSLEngineProvider and falls back to the default JVM trust store.

Don't be confused by some of the log messages, and debug the application more carefully. Your CA is loaded, but into a different SSL context than the one you need.

I ran into a slightly different problem and ended up overriding the JVM cacerts, because the Play configuration did not provide what I needed.
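The custom engine provider the answer refers to, written out as an added example (not the poster's code and not Play's own implementation): it assumes Play 2.7's `play.server.api.SSLEngineProvider` trait, a class taking an `ApplicationProvider` constructor argument and enabled with `play.server.https.engineProvider = "CustomSSLEngineProvider"` (class in the default package, illustrative), and reuses the placeholder paths and password from the question. The point is that the SSLContext is built from a trust store that contains only the custom CA, so client chains are never validated against the JRE cacerts.

```scala
import java.io.FileInputStream
import java.security.KeyStore
import java.security.cert.{CertificateFactory, X509Certificate}
import javax.net.ssl._
import play.core.ApplicationProvider
import play.server.api.SSLEngineProvider

class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {
  private val keyStorePath     = "/path/to/store"          // server identity (PKCS12), placeholder
  private val keyStorePassword = "password".toCharArray    // placeholder
  private val clientCaPem      = "/path/to/ca/certificate" // the only CA trusted for clients

  private def keyManagers(): Array[KeyManager] = {
    val ks = KeyStore.getInstance("PKCS12")
    val in = new FileInputStream(keyStorePath)
    try ks.load(in, keyStorePassword) finally in.close()
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(ks, keyStorePassword)
    kmf.getKeyManagers
  }

  // In-memory trust store holding only the custom CA. Passing null trust
  // managers to SSLContext.init would silently fall back to the JRE cacerts,
  // which is exactly the "unable to find valid certification path" failure.
  private def trustManagers(): Array[TrustManager] = {
    val in = new FileInputStream(clientCaPem)
    val cf = CertificateFactory.getInstance("X.509")
    val ca = try cf.generateCertificate(in).asInstanceOf[X509Certificate] finally in.close()
    val ts = KeyStore.getInstance(KeyStore.getDefaultType)
    ts.load(null, null)                   // start empty: no JRE defaults
    ts.setCertificateEntry("client-ca", ca)
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(ts)
    tmf.getTrustManagers
  }

  private lazy val context: SSLContext = {
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(keyManagers(), trustManagers(), null)
    ctx
  }

  def sslContext(): SSLContext = context  // also satisfies newer Play versions that require it

  override def createSSLEngine(): SSLEngine = {
    val engine = context.createSSLEngine()
    engine.setUseClientMode(false)
    engine.setNeedClientAuth(true)        // mutual TLS: no client cert, no connection
    engine
  }
}
```

With this provider in place the `ssl-config.trustManager` block from the question is no longer consulted; the CA list lives entirely in `trustManagers()`, so a rejected client can be diagnosed from that one place.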