我正在构建一个 java 客户端来连接到 Windows IIS 7.5 服务器。现在我可以控制这两个系统,因为我正在构建一个概念证明,所以 windows 机器是我笔记本电脑上的一个虚拟机。我已经在 IIS 7.5 中成功设置了客户端证书,并验证了通过自签名证书的相互身份验证是否可以通过浏览器工作。
不幸的是,在发送 SSLv2 客户端问候消息和 TLSv1 客户端问候消息后,连接正在重置,并出现 TLSv1 警报意外消息。我搜索了 StackOverflow 以及许多其他地方来解决这个问题,但似乎无法找到解决这个特定问题的方法。这是我第一次使用 Mutual Auth。我的代码如下:
final KeyStore keystore = KeyStore.getInstance("pkcs12");
InputStream keystoreInput = new FileInputStream(KEY_STORE_PATH);
keystore.load(keystoreInput, "test".toCharArray());
System.out.println("Keystore has " + keystore.size() + " keys");
// load the trustore, leave it null to rely on cacerts distributed with the JVM - truststore type is probably jks or pkcs12
KeyStore truststore = KeyStore.getInstance("pkcs12");
InputStream truststoreInput = new FileInputStream(TRUST_STORE_PATH);
truststore.load(truststoreInput, "test".toCharArray());
System.out.println("Truststore has " + truststore.size() + " keys");
URI uri = new URI("https://192.168.2.112:444");
String result = null;
DefaultHttpClient httpclient = new DefaultHttpClient();
SSLSocketFactory socketFactory = new SSLSocketFactory(keystore, String.valueOf("test"), truststore);
Scheme sch = new Scheme("https", 444, socketFactory);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
HttpGet httpget = new HttpGet(uri.toASCIIString());
HttpResponse response = httpclient.execute(httpget);
HttpEntity entity = response.getEntity();
调试跟踪在这里:
Keystore has 1 keys
Truststore has 1 keys
***
found key for : pvktmp:0bfeeb5c-bf33-4ef3-a00e-d547e35774c6
chain [0] = [
[
Version: V3
Subject: CN=Chris Nanda
Signature Algorithm: SHA1withRSA, OID = 1.3.14.3.2.29
Key: Sun RSA public key, 2048 bits
modulus: 27130899851248154939882863851763653399730366371287600333384386175121736158788923280330198649817012144950949568512692167276184169703299725013344337362317100916091834207526372858824337248769441540975936119155896345867494063216196776658828993122572447899402194194077727951304168585241790036601092365261322113697370538176270611427949951453920476169582825252258759745485892192237387988896185894058602081306722996452816186803769762977498453060320624472197936928709207159769282155656635385394975574974944302095509596248869870407415024524635233253519215244773231069920494280237259291072815104686895907061226740651660601534821
public exponent: 65537
Validity: [From: Sat Jan 21 00:00:00 CST 2012,
To: Tue Jan 21 00:00:00 CST 2014]
Issuer: CN=BHS CA
SerialNumber: [ -6e5243e9 73783768 b67202d3 8e7bd30e]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 3B 30 39 80 10 B2 DC 54 DD B5 45 40 62 7C B7 .;09....T..E@b..
0010: F1 73 76 53 54 14 A1 13 30 11 31 0F 30 0D 06 03 .svST...0.1.0...
0020: 55 04 03 13 06 42 48 53 20 43 41 82 10 07 BE 71 U....BHS CA....q
0030: 73 48 F3 F1 85 48 20 1C EE 05 07 EF 20 sH...H .....
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 43 D0 3A 1C 15 DC A2 67 5A 14 44 10 78 CF 30 7C C.:....gZ.D.x.0.
0010: AB FB 95 65 E5 5E 9F D1 40 BE 1A 5E 05 D5 CB 59 ...e.^..@..^...Y
0020: C9 D3 08 F8 DD E7 65 05 C5 22 9C A9 23 E1 4A A1 ......e.."..#.J.
0030: 71 B1 BF 09 70 1D 64 FA 94 92 51 0B 44 A2 48 4C q...p.d...Q.D.HL
0040: 3B 4A 9B F2 E1 8C 21 D9 0E 45 BB 0E 28 9B 67 9C ;J....!..E..(.g.
0050: A0 FC 5E DD 79 77 74 16 CB 81 F7 36 C5 33 EE 14 ..^.ywt....6.3..
0060: 85 CA F4 4E 0D 2D AF 59 C0 4E 49 58 79 8C 83 9F ...N.-.Y.NIXy...
0070: 77 F7 DB 26 53 F0 FF 1A F5 CB DD 44 05 FC 3B 9E w..&S......D..;.
0080: D2 19 AF 95 B1 BA 9E 78 4A 72 84 77 32 17 68 88 .......xJr.w2.h.
0090: CC B4 04 FB C4 3F 4C D5 F4 5C B5 23 9F 78 2C A9 .....?L..\.#.x,.
00A0: A2 EB 4D 3E 95 09 B9 A8 38 35 51 95 3C B9 48 5F ..M>....85Q.<.H_
00B0: D3 40 7B 5B 40 CE F5 47 09 30 E0 B8 AB B5 7A 61 .@.[@..G.0....za
00C0: 6D C0 11 36 5B 07 1B A4 96 B2 41 DF 6E C2 91 23 m..6[.....A.n..#
00D0: D3 D5 37 18 79 77 C6 F4 30 C4 29 C7 8E 25 63 E2 ..7.yw..0.)..%c.
00E0: 92 A3 53 C2 37 1E C4 8C 2C 8C FD 93 63 62 F4 1B ..S.7...,...cb..
00F0: 01 36 B9 60 8F 70 DD A2 E1 25 20 78 7A AE 51 84 .6.`.p...% xz.Q.
]
***
adding as trusted cert:
Subject: CN=BHS CA
Issuer: CN=BHS CA
Algorithm: RSA; Serial number: 0x7be717348f3f18548201cee0507ef20
Valid from Sat Jan 21 00:00:00 CST 2012 until Thu Jan 21 00:00:00 CST 2016
trigger seeding of SecureRandom
done seeding SecureRandom
trustStore is: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Secure Global CA, O=SecureTrust Corporation, C=US
Issuer: CN=Secure Global CA, O=SecureTrust Corporation, C=US
Algorithm: RSA; Serial number: 0x75622a4e8d48a894df413c8f0f8eaa5
Valid from Tue Nov 07 13:42:28 CST 2006 until Mon Dec 31 13:52:06 CST 2029
adding as trusted cert:
Subject: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
Issuer: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE
Algorithm: RSA; Serial number: 0x2e6a000100021fd752212c115c3b
Valid from Thu Jan 12 08:38:43 CST 2006 until Wed Dec 31 16:59:59 CST 2025
adding as trusted cert:
Subject: CN=VRK Gov. Root CA, OU=Varmennepalvelut, OU=Certification Authority Services, O=Vaestorekisterikeskus CA, ST=Finland, C=FI
Issuer: CN=VRK Gov. Root CA, OU=Varmennepalvelut, OU=Certification Authority Services, O=Vaestorekisterikeskus CA, ST=Finland, C=FI
Algorithm: RSA; Serial number: 0x186a0
Valid from Wed Dec 18 07:53:00 CST 2002 until Mon Dec 18 07:51:08 CST 2023
trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1339396239 bytes = { 174, 62, 41, 222, 119, 84, 174, 118, 101, 33, 7, 220, 249, 96, 130, 234, 41, 163, 171, 6, 194, 145, 45, 132, 134, 39, 186, 32 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 81
0000: 01 00 00 4D 03 01 50 D6 91 8F AE 3E 29 DE 77 54 ...M..P....>).wT
0010: AE 76 65 21 07 DC F9 60 82 EA 29 A3 AB 06 C2 91 .ve!...`..).....
0020: 2D 84 86 27 BA 20 00 00 26 00 04 00 05 00 2F 00 -..'. ..&...../.
0030: 35 00 33 00 39 00 32 00 38 00 0A 00 16 00 13 00 5.3.9.2.8.......
0040: 09 00 15 00 12 00 03 00 08 00 14 00 11 00 FF 01 ................
0050: 00 .
main, WRITE: TLSv1 Handshake, length = 81
[write] MD5 and SHA1 hashes: len = 110
0000: 01 03 01 00 45 00 00 00 20 00 00 04 01 00 80 00 ....E... .......
0010: 00 05 00 00 2F 00 00 35 00 00 33 00 00 39 00 00 ..../..5..3..9..
0020: 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00 00 13 2..8............
0030: 00 00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 .....@..........
0040: 00 80 00 00 08 00 00 14 00 00 11 00 00 FF 50 D6 ..............P.
0050: 91 8F AE 3E 29 DE 77 54 AE 76 65 21 07 DC F9 60 ...>).wT.ve!...`
0060: 82 EA 29 A3 AB 06 C2 91 2D 84 86 27 BA 20 ..).....-..'.
main, WRITE: SSLv2 client hello message, length = 110
[Raw write]: length = 112
0000: 80 6E 01 03 01 00 45 00 00 00 20 00 00 04 01 00 .n....E... .....
0010: 80 00 00 05 00 00 2F 00 00 35 00 00 33 00 00 39 ....../..5..3..9
0020: 00 00 32 00 00 38 00 00 0A 07 00 C0 00 00 16 00 ..2..8..........
0030: 00 13 00 00 09 06 00 40 00 00 15 00 00 12 00 00 .......@........
0040: 03 02 00 80 00 00 08 00 00 14 00 00 11 00 00 FF ................
0050: 50 D6 91 8F AE 3E 29 DE 77 54 AE 76 65 21 07 DC P....>).wT.ve!..
0060: F9 60 82 EA 29 A3 AB 06 C2 91 2D 84 86 27 BA 20 .`..).....-..'.
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
main, IOException in getSession(): java.net.SocketException: Connection reset
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
peer not authenticated
每次都出现同样的错误,所以我假设在 IIS 中有一个我丢失的细节,或者我在 java 中丢失了某种类型的标志。正如我所说,这适用于加载证书的浏览器。
是什么导致了这个握手错误,上面的代码有什么不正确的吗?握手期间没有返回 ServerHello。