ssl - Mule ESB 3.2.x：HTTPS 传输 bad_certificate 错误？

Question

我需要使用自签名（或未签名）证书作为 HTTPS 侦听器的证书，用于我的一个流的入站端点。我尝试了几种方法来生成证书，但是当侦听器尝试读取请求时，我总是会收到错误消息：

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Google 似乎认为该bad_certificate消息与信任库有关。tls-server无论有没有应该定义信任库的骡子配置，我都会继续看到相同的错误。

我使用了几种不同的机制来创建证书：

• HTTPS 传输的 mule 文档中使用 keytool 的方法
• 一种为 weblogic 描述的方法，使用 keytool
• 使用 openssl为 Apache 描述的一种方法，然后我使用 keytool 将其导入到 java 密钥库中
• 各种其他机制大多是上述机制的变体。

我已经尝试过配置和不配置tls-serverandtls-client元素，所有这些都在 mule 文档中描述。

我无法确定 Mule 可以接受哪些密钥类型，以及问题的根本原因是什么。任何建议表示赞赏。

我的配置和错误日志如下（省略各种样板内容）

骡子配置.xml

<https:connector name="connectorName">
    <!-- only one key, alias 'mule' -->
    <https:tls-key-store path="/opt/mule/keys/keystore.jks" keyPassword="thePassword" storePassword="thePassword"/>
    <!-- I've also tried the following, same error occurs both with or without this parameter -->
    <https:tls-server path="/opt/mule/keys/keystore.jks storePassword="thePassword"/>
</https:connector>

<flow name="theFlow">
    <https:inbound-endpoint host="0.0.0.0" port="8081" connector-ref="connectorName"/>
    <!-- stuff: not important, works with http -->
</flow>

此配置正确加载，但是当我尝试使用与 HTTP 相同的方法（但使用 https:// 代替）发布请求时，我收到以下错误，并且没有响应（不是 500 错误或任何东西，连接刚刚关闭）。这个特定的运行来自我使用 HTTPS 传输的 mulesoft 文档中的说明生成的密钥，但它与我使用任何其他方法得到的错误没有任何不同。

错误列表

[ERROR] org.mule.exception.DefaultSystemExceptionStrategy - Caught exception in Exception Strategy: Received fatal alert: bad_certificate
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1571)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:689)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.sendChangeCipherAndFinish(ServerHandshaker.java:1279)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientFinished(ServerHandshaker.java:1239)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:225)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:50)
    at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
    at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
    at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
    at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
    at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
    at org.mule.work.WorkerContext.run(WorkerContext.java:310)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

最后，感谢您抽出宝贵时间阅读本文。

更新

我已经开始得到不同的堆栈跟踪，但同样的错误。改变？密钥和密钥库现在具有不同的密码。

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:820)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:50)
    at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
    at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
    at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
    at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
    at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
    at org.mule.work.WorkerContext.run(WorkerContext.java:310)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)

更新 2

我将密钥添加到 .../jre/lib/security/cacerts 文件中作为受信任的证书。没变。

Answer 1

Mule 文档中显示的创建自签名证书的方法有效：我已经使用过几次。我又试了一次，它适用于你的配置，除了我删除了https:tls-server，这是没用的。

以下是我遵循的步骤：

• 使用以下命令创建密钥库：（keytool -genkey -alias mule -keyalg RSA -keystore keystore.jks我对密钥库和密钥密码都使用了“thePassword”）。

• 像这样配置骡子：

  <https:connector name="connectorName">
      <https:tls-key-store
          path="...path.../keystore.jks"
          keyPassword="thePassword" storePassword="thePassword" />
  </https:connector>
  
  <flow name="theFlow">
      <https:inbound-endpoint host="0.0.0.0" port="8081"
          connector-ref="connectorName" />
      <set-payload value="w00t" />
  </flow>
  

• 经测试：

  $ curl -vk https://localhost:8081
  * About to connect() to localhost port 8081 (#0)
  *   Trying 127.0.0.1... connected
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server key exchange (12):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using ECDHE-RSA-AES256-SHA
  * Server certificate:
  *    subject: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=Unknown
  *    start date: 2013-05-15 18:20:34 GMT
  *    expire date: 2013-08-13 18:20:34 GMT
  *    common name: Unknown (does not match 'localhost')
  *    issuer: C=Unknown; ST=Unknown; L=Unknown; O=Unknown; OU=Unknown; CN=Unknown
  *    SSL certificate verify result: self signed certificate (18), continuing anyway.
  > GET / HTTP/1.1
  > User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
  > Host: localhost:8081
  > Accept: */*
  > 
  < HTTP/1.1 200 OK
  < Date: Wed, 15 May 2013 11:24:24 -0700
  < Server: Mule Core/3.4.0
  < X-MULE_SESSION: rO0ABXNyACNvcmcubXVsZS5zZXNzaW9uLkRlZmF1bHRNdWxlU2Vzc2lvbi7rdtEW7GGKAwAEWgAFdmFsaWRMAA1mbG93Q29uc3RydWN0dAAmTG9yZy9tdWxlL2FwaS9jb25zdHJ1Y3QvRmxvd0NvbnN0cnVjdDtMAAJpZHQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAD3NlY3VyaXR5Q29udGV4dHQAJ0xvcmcvbXVsZS9hcGkvc2VjdXJpdHkvU2VjdXJpdHlDb250ZXh0O3hwAXB0ACRhYjcwZTY0OS1iZDhjLTExZTItOWU5Yy1mZjdmMDIxMmE5MmZwc3IAJWphdmEudXRpbC5Db2xsZWN0aW9ucyRTeW5jaHJvbml6ZWRNYXAbc/kJS0s5ewMAAkwAAW10AA9MamF2YS91dGlsL01hcDtMAAVtdXRleHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwc3IAJG9yZy5tdWxlLnV0aWwuQ2FzZUluc2Vuc2l0aXZlSGFzaE1hcJ3R2e9nRc4AAwAAeHB3DD9AAAAAAAAQAAAAAHhxAH4ACXh4
  < X-MULE_ENCODING: UTF-8
  < LOCAL_CERTIFICATES: [Ljava.security.cert.X509Certificate;@1c5e22a
  < Content-Type: text/plain
  < Content-Length: 4
  < Connection: close
  < 
  * Closing connection #0
  * SSLv3, TLS alert, Client hello (1):
  w00t
  

Answer 2

希望这对其他人有帮助。我正在使用 jdk1.6.0_45 运行 Mule EE 3.5.0。上面列出的命令不会生成兼容的密钥库。密钥库在工作室中运行时很好，但不能在独立 ESB 上运行。

我查看了 mule-security-example3.5.0 应用程序上使用的密钥库，发现了不同之处。我使用 KeyStore Explorer 创建了一个具有这些属性的密钥库

大小：1024 版本：1 算法：带有 RSA 的 MD5

也许我的 Mule EE 实例的配置有问题；如果有人能指出我正确的方向，我将不胜感激。使用具有上述属性的密钥将适用于本周从客户门户下载的 EE 3.5.0。