我正在使用 Java 中的 SSLServerSocket 类和目标 c 中的 Stream 类(CF 和 NS)设置安全套接字连接。我使用以下代码进行了设置:
Java SSLServerSocket 代码(SecureClientWorker
处理每个连接):
public void listenSocket(int port){
try {
System.setProperty("javax.net.ssl.keyStore", "path/to/certificate(signed_by_own_root_certificate).jks");
//I try to make this root certificate trusted by iOS (see obj-c code below)
System.setProperty("javax.net.ssl.keyStorePassword", "PASSWORD...");
} catch (IOException e1) {
e1.printStackTrace();
}
try{
SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
server = (SSLServerSocket) ssf.createServerSocket(port);
logger.info("Started to listen on port: "+port);
}catch(Exception e){
logger.warning("Could not listen on port: "+port);
e.printStackTrace();
}
while(running){
SecureClientWorker w;
try{
w = new SecureClientWorker(server.accept(), this);
Thread t = new Thread(w);
t.start();
}catch(IOException e){
if(running)
e.printStackTrace();
}
}
}
目标 C 客户端代码:
[self addRootCert]; //This is where I attempt to make the root certificate trusted, If needed I can post it
CFReadStreamRef readStream;
CFWriteStreamRef writeStream;
CFStreamCreatePairWithSocketToHost(NULL, (__bridge CFStringRef)self.ip.text, self.portNumber.text.intValue, &readStream, &writeStream);
// Set options then bridge to ARC:
NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
(id)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamPropertySocketSecurityLevel,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
[NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredRoots,
[NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,
nil];
if (readStream) {
CFReadStreamSetProperty(readStream, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)settings);
inStream = (__bridge_transfer NSInputStream*) readStream;
[inStream setDelegate:self];
[inStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
[inStream open];
}
if (writeStream) {
CFWriteStreamSetProperty(writeStream, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)settings);
outStream = (__bridge_transfer NSOutputStream*) writeStream;
[outStream setDelegate:self];
[outStream scheduleInRunLoop:[NSRunLoop currentRunLoop] forMode:NSDefaultRunLoopMode];
[outStream open];
}
但是,这会导致错误代码CFNetwork SSLHandshake failed (-9824)
,并且 inStream 对象会NSStreamEventErrorOccurred
在NSStreamDelegate
方法中返回错误。
在 Java 方面,IOException
似乎会抛出以下内容:
in = new BufferedReader(new InputStreamReader(clientSocket.getInputStream())); //ClientSocket is just the connection to the client
[...]
in.readLine();
printStackTrace 说:javax.net.ssl.SSLHandshakeException: no cipher suites in common
我必须创建一个KeyManager
(正如我在其他地方读到的)吗?我该怎么做(从一无所有到打开 SSLServerSocket)?
任何帮助将不胜感激!
编辑
我更改了服务器代码,因为它可能无法设置系统属性。
我的新代码是:
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream ksIs = new FileInputStream(new File("path/to/certificate(signed_by_own_root_certificate).jks"));
try {
ks.load(ksIs, "PASSWORD...".toCharArray());
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (CertificateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} finally {
if (ksIs != null) {
ksIs.close();
}
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, "PASWD".toCharArray());
KeyManager keyManagers[] = kmf.getKeyManagers();
SSLContext sc = SSLContext.getDefault();
sc.init(keyManagers, null, new SecureRandom());
SSLServerSocketFactory socketFactory = sc.getServerSocketFactory();
server = (SSLServerSocket) socketFactory.createServerSocket(port);
但是我现在收到此错误消息:
java.security.KeyManagementException: Default SSLContext is initialized automatically
经过一些研究,我尝试自己制作TrustManager
,但仍然无法正常工作
我错过了什么?