在尝试访问 https Web 服务时,我已经为 WSO2 ESB 的配置苦苦挣扎了几天。我遵循了许多建议,到目前为止我所做的是将 Web 服务客户端证书导入 repostory/resources/security 中的 client-truststore.jks 将代理访问参数添加到 repository/conf/axis2/axis2.xml(因为ESB 位于公司防火墙后面)在 axis2.xml 中将 AllowAll 参数添加到 transportSender https 重新启动了 esb 并且仍然出现异常
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 154
我正在使用 jdk1.6_34 并尝试使用 WSO2 ESB 4.5.1 和 4.6,结果相同。日志显示正在启动 ssl 握手,但随后以上述错误结束。所有的谷歌搜索都表明 hostnameverifier 参数应该可以解决问题,但显然没有。是否有其他地方我应该配置这个,或者如果这个参数在其他地方被覆盖?我已经用完了这个选项和地方。
编辑:我对此进行了另一次尝试,通过将我的主机文件中的主机名设置为客户端证书中指定的 CN,我现在可以更进一步,但我现在遇到了另一个我似乎无法理解的错误. 具体错误是“...没有用于此密码的 IV”,但调试跟踪是
Found trusted certificate:
[
[
Version: V1
Subject: CN=mydomain.com, O=my o, ST=INTERFACES, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:#### loads of numbers here ####
public exponent: 65537
Validity: [From: Mon Apr 22 14:26:25 BST 2013,
To: Tue Apr 22 14:26:25 BST 2014]
Issuer: CN=ath-st2-API-a, O=Northgate IS, ST=INTERFACES, C=GB
SerialNumber: [ a4cf31a6 9c0d920d]
]
Algorithm: [SHA1withRSA]
Signature:
### signature here ###
]
http-nio-9443-exec-13, READ: SSLv3 Handshake, length = 98
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
http-nio-9443-exec-13, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
###master secret here ####
CONNECTION KEYGEN:
Client Nonce:
0000: 52 45 86 22 10 B0 E2 EF 19 10 B1 04 ED C9 6F B0 RE."..........o.
0010: C3 8E BC D6 2C C9 5E D0 CA 8E 88 6B 22 53 1D B0 ....,.^....k"S..
Server Nonce:
0000: 52 45 86 23 B0 56 30 EC 84 F0 48 C1 F7 31 0C 5C RE.#.V0...H..1.\
0010: 43 B3 CB 25 DA 19 4C 0E B1 71 CB 17 8E 0C 62 04 C..%..L..q....b.
Master Secret:
0000: C3 F4 6B 9B EB 50 67 BD 6C A8 F0 63 88 A1 5A C7 ..k..Pg.l..c..Z.
0010: E5 CD A4 9A 46 95 3F B3 13 2D 4E BF 77 2C 64 86 ....F.?..-N.w,d.
0020: 44 D2 89 B5 09 EE 96 E5 8B 8D E2 30 04 09 F2 D3 D..........0....
Client MAC write Secret:
0000: F7 76 83 C9 16 F5 CB 33 E3 43 3F 7B 68 2E 8A 6F .v.....3.C?.h..o
Server MAC write Secret:
0000: CC FB 14 CE 21 AD C8 BC 20 C1 A5 2B 0B 2B 83 35 ....!... ..+.+.5
Client write key:
0000: 9C 9E FA A5 68 6E 27 2C E0 6E 80 9D ED C9 1C 01 ....hn',.n......
Server write key:
0000: B7 5A 24 DD 6F 65 5A 7E C8 AD 4A 29 E4 09 08 6D .Z$.oeZ...J)...m
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 174, 247, 182, 190, 5, 104, 242, 127, 216, 79, 94, 15, 215, 236, 236, 211, 30, 51, 116, 56, 138, 144, 19, 125, 0, 54, 52, 114, 173, 138, 170, 166, 24, 67, 108, 102 }
***
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 56
http-nio-9443-exec-13, READ: SSLv3 Alert, length = 2
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, called closeSocket()
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert
: handshake_failure
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 154
http-nio-9443-ClientPoller-0, called closeOutbound()
http-nio-9443-ClientPoller-0, closeOutboundInternal()
http-nio-9443-ClientPoller-0, SEND TLSv1 ALERT: warning, description = close_notify
http-nio-9443-ClientPoller-0, WRITE: TLSv1 Alert, length = 32
Finalizer, called close()
Finalizer, called closeInternal(true)
我已经尝试将axis2配置文件中的https.protocols=SSLv3,SSLv2Hello或https.protocols=SSLv3作为https发送方传输传递,但这也无济于事。
欢迎提出建议。谢谢康拉德