Problem using multiple keys in a JKS (SSL)

Date: 2011-10-03 20:22:45

Tags: security ssl pkcs#12 jks

I have two client PKCS12 keystores. I exported the certificates from both and added them to a new JKS using keyman. Strangely, each keystore works fine on its own, but when I combine them into one keystore, both calls (one for each client) fail:

<pre><code>org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Handshake, length = 32
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, handling exception: java.net.SocketException: Connection reset
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, SEND TLSv1 ALERT:  fatal, description = unexpected_message
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Alert, length = 18
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, Exception sending alert: java.net.SocketException: Broken pipe
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeSocket()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody4(HttpRequestUtil.java:140)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody5$advice(HttpRequestUtil.java:65)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody2(HttpRequestUtil.java:89)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody3$advice(HttpRequestUtil.java:65)
    at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
    at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody0(SocialNetworkingAuthenticationImpl.java:87)
    at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody1$advice(SocialNetworkingAuthenticationImpl.java:65)
    at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken(SocialNetworkingAuthenticationImpl.java:1)
    at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody0(UploadManagerImpl.java:61)
    at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody1$advice(UploadManagerImpl.java:65)
    at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng(UploadManagerImpl.java:1)
    at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody0(SocialNetworkingManagerQueueListener.java:52)
    at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody1$advice(SocialNetworkingManagerQueueListener.java:65)
    at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage(SocialNetworkingManagerQueueListener.java:1)
    at org.springframework.jms.listener.adapter.MessageListenerAdapter.onMessage(MessageListenerAdapter.java:343)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:518)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:479)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:451)
    at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:323)
    at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:261)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:982)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:974)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:876)
    at java.lang.Thread.run(Thread.java:662)</code></pre>

I'm not sure what is going on, because I have done this before. Any ideas why it fails when the certificates from the two clients are combined?

3 Answers:

Answer 0 (score: 1)

You say you exported the certificates from the two keystores - did you also export the associated keys?

TLS client authentication needs the key as well. The certificate alone will not get you very far.

Also, your approach may cause problems when it comes to selecting the right key/certificate for a given connection: you have to make sure they are selected correctly. Typically a client-authentication key/certificate pair is meant for exactly one dedicated service, so mixing the keys can lead to rejected connection attempts.

Answer 1 (score: 1)

We ran into a similar problem when using multiple keys in the same keystore.jks file. We saw the same behaviour: when we used each key separately, access worked without any problem. When we put both keys into the same keystore, we got the error "403: Forbidden".

After creating new certificates and so on, we found that the name of the certificate in the keystore makes a difference:

The name of one of the keys (anonymized):

<pre><code>test-CERT-of_company</code></pre>

did not work. After changing it to cert_of_company, it worked:

<pre><code>cert_of_company</code></pre>

We suspect that the "-" character in the name was causing the problem; replacing it with "_" solved it. Maybe this helps you.

Answer 2 (score: 0)

List the contents of the combined keystore with keytool.

What is the "type" of each entry?

They should be private key entries; if they are not (if they are trusted entries), the associated private keys were not exported.

Do the two certificates come from the same issuer?
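The checks Answer 2 asks for (the type of every entry and whether the certificates share an issuer), together with Answer 0's question whether the private keys made it into the combined store, as an added Java example that is not part of any answer. The keystore path and password come from the command line and are assumptions; it produces the same facts as `keytool -list -v -keystore combined.jks`, but in a form a test or startup check can consume.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Reports each keystore alias with its entry type and, for X.509 certificates, subject and issuer. */
public final class KeyStoreAudit {

    /** One line per alias. A "trustedCertEntry" is a certificate without its private key and
     *  can never be offered for TLS client authentication, whatever the server accepts. */
    public static List<String> describe(KeyStore ks) throws Exception {
        List<String> report = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry"
                        : ks.isCertificateEntry(alias) ? "trustedCertEntry" : "other";
            String subject = "-", issuer = "-";
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                subject = x.getSubjectX500Principal().getName();
                issuer = x.getIssuerX500Principal().getName();   // compare these across aliases
            }
            report.add(String.format("%-24s %-16s subject=%s issuer=%s", alias, type, subject, issuer));
        }
        return report;
    }

    /** Aliases that carry both a private key and a certificate, i.e. usable as client identities. */
    public static List<String> usableClientAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a) && ks.getCertificate(a) != null) out.add(a);
        }
        return out;
    }

    /** Usage: java KeyStoreAudit combined.jks storepass   (file name and password are assumed). */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String line : describe(ks)) System.out.println(line);
        List<String> usable = usableClientAliases(ks);
        System.out.println("aliases usable for client authentication: " + usable);
        if (usable.isEmpty()) System.out.println("no private keys present: only certificates were imported");
    }
}
```

If the output shows two trustedCertEntry lines and an empty usable list, the merge copied certificates only; re-import from the original PKCS12 files in a way that carries the private keys across (for keytool that is `-importkeystore`, not `-importcert`).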