2-way SSL Java client failure, client certificate not provided

Time: 2020-08-19 12:05:46

Tags: java spring-boot ssl handshake

I am building a Spring Boot application that makes 2-way SSL calls to a provider. I created a jks keystore in which I placed my key, and a truststore with the server certificate.

I use restTemplate to make the call, and at runtime I pass the store details with -Djavax.net.ssl.trustStore=path_to_truststore -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.keyStorePassword=password

I had to add the apache httpclient dependency to the pom to avoid a java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode.

When the app actually makes the https call to the provider, it gets a 401 Unauthorized response. The SSL log shows

javax.net.ssl|INFO|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.822 EDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.827 EDT|PreSharedKeyExtension.java:606|No session to resume.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.831 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "5A 4B E8 7D 18 CC DA 1F F5 29 E7 1C 4D AF 91 80 AE 6A 86 26 BF 94 E4 48 F9 C0 AF 1A 7C AC 8C 44",
  "session id"          : "61 D7 74 F4 4D 79 4F 8F 27 EA CA B9 79 C2 9C B6 01 00 B6 28 EB C3 62 4F 69 25 E6 D9 E9 50 1B E6",
  "cipher suites"       : "[...]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=...
    },
    ...
  ]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.875 EDT|ServerHello.java:866|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "06 9F 42 F7 B2 36 3F 06 11 38 CE 42 14 8D B7 35 48 2C 5D 81 94 50 23 C6 14 45 63 E7 5E C9 FC 5C",
  "session id"          : "61 D7 74 F4 4D 79 4F 8F 27 EA CA B9 79 C2 9C B6 01 00 B6 28 EB C3 62 4F 69 25 E6 D9 E9 50 1B E6",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "compression methods" : "00",
  ...
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|ServerHello.java:962|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.878 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:167|Consumed extension: key_share
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:138|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|PreSharedKeyExtension.java:832|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.887 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|ChangeCipherSpec.java:232|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [x25519, secp256r1, secp384r1, secp224r1, secp521r1]
  }
]
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|SSLExtensions.java:167|Consumed extension: supported_groups
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.909 EDT|CertificateMessage.java:1148|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "signature algorithm": "SHA256withRSA",
      ...}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "signature algorithm": "SHA256withRSA",
      ...}
    "extensions": {
      <no extension>
    }
  },
  {
    "certificate" : {
      "version"            : "v3",
      "signature algorithm": "SHA256withRSA",
      ...}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.939 EDT|CertificateVerify.java:1128|Consuming CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    ...
  }
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.941 EDT|Finished.java:860|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    ...
  }'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.942 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|Finished.java:658|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    ...
  }'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.994 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
  "ticket_lifetime"      : "7,200",
  "ticket_age_add"       : "<omitted>",
  "ticket_nonce"         : "00 00 00 00 00 00 00 00",
  "ticket"               : ...,
  "extensions"           : [
    <no extension>
  ]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.995 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
  "ticket_lifetime"      : "7,200",
  "ticket_age_add"       : "<omitted>",
  "ticket_nonce"         : "00 00 00 00 00 00 00 01",
  "ticket"               : ...,
  "extensions"           : [
    <no extension>
  ]
}
)

The response is

HttpMethod: POST, ResponseBody: <html>
<head><title>401 Authorization Required</title></head>
<body>
...
</body>
</html>

I am surprised not to see the SSL handshake step where the server requests the certificate (the step consuming the CertificateVerify handshake message is immediately followed by consuming the server Finished handshake message), so my app does not seem to send it. I guess that is why I get the 401.

I tried different solutions, building the KeyStore, KeyManagerFactory, SSLContext and HttpComponentsClientHttpRequestFactory manually so as to inject everything into the restTemplate, and I always get the same result. In that case I can see in the debugger that the restTemplate contains my private key and certificate.

Any ideas?
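As an added example (not code from the question author), one way to check that the JKS really holds a private-key entry, which is what the client needs to answer a CertificateRequest, and to wire an explicit SSLContext into RestTemplate through Apache HttpClient rather than relying on the javax.net.ssl.* system properties; the class name, file paths and passwords are assumptions, and the key password is assumed to equal the keystore password as the system-property route requires.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class MutualTlsRestTemplate {   // hypothetical class name

    // Loads a JKS store and fails fast if it holds no private-key entry: a store that only
    // contains the client certificate (a trustedCertEntry) cannot authenticate the client.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean hasPrivateKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                hasPrivateKey = true;
                X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
                System.out.println("key entry '" + alias + "': " + leaf.getSubjectX500Principal());
            }
        }
        if (!hasPrivateKey) {
            throw new IllegalStateException("no PrivateKeyEntry in " + path);
        }
        return ks;
    }

    static RestTemplate build(String keyStorePath, char[] keyPass,
                              String trustStorePath, char[] trustPass) throws Exception {
        KeyStore keyStore = loadKeyStore(keyStorePath, keyPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);   // the key password, assumed equal to the store password
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        HttpClient client = HttpClients.custom().setSSLContext(ctx).build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(client));
    }
}
```

Running this with -Djavax.net.debug=ssl:handshake still lets you confirm in the log whether the server sends a CertificateRequest at all; if it never does, no client configuration will make the certificate appear in the handshake.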

0 answers:

No answers