简短版本……
我有一个 JAX-WS 服务驻留在使用 SSL 的 Web 服务器上,并且需要相互身份验证。
首先测试相互认证是否正常工作,我将客户端证书导入浏览器。然后我将浏览器指向受保护的站点,它成功连接并检索内容。
然后我编写了 Java 代码来连接同一网站上的服务。我将相同的证书导入 Java 密钥库文件 (jks),但连接时收到 TLSv1 警报:fatal, handshake_failure。
我加上了如下 JVM 调试参数运行:
-Djavax.net.debug=ssl:handshake
发现ClientHello和ServerHello都成功了。然后它继续执行ClientKeyExchange,我看到了 SESSION KEYGEN。然后它转到CertificateVerify,这就是致命的握手失败发生的时候。
我不知道为什么浏览器可以工作而 java 应用程序不能工作。
我在 Java 1.6.0_45 上运行;我也在 Java 7 上试过相同的代码,结果一样。
请参阅下面的更多细节。
详细版本……
这很长,我包含了用于加载密钥和信任库的代码,最后包含了 javax.net.debug 输出。
为了支持动态加载密钥库和信任库,我创建了一个自定义 SocketFactory。
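/**
 * Base {@link SSLSocketFactory} that forwards every call to the factory obtained from an
 * {@link AbstractSocketFactoryAdapter}.
 *
 * <p>Nothing in this class assigns {@link #adapter}; presumably a subclass does so before the
 * factory is used. Every method dereferences it.
 */
public abstract class AbstractSSLSocketFactory extends SSLSocketFactory {
    private static final Logger logger = Logger.getLogger(AbstractSSLSocketFactory.class);

    /** Returned instead of {@code null} when the delegate factory cannot be obtained. */
    private static final String[] NO_CIPHER_SUITES = new String[0];

    /** Source of the delegate factory; {@code null} until something outside this class sets it. */
    protected AbstractSocketFactoryAdapter adapter = null;

    /**
     * Layers a socket from the delegate factory over an existing, connected socket.
     *
     * @throws IOException if the delegate factory fails to create the socket
     */
    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return this.adapter.getFactory().createSocket(socket, host, port, autoClose);
    }

    /**
     * Returns the delegate factory's default cipher suites.
     *
     * @return the delegate's list, or an empty array (never {@code null}) when the delegate
     *         factory could not be built; the failure is logged
     */
    @Override
    public String[] getDefaultCipherSuites() {
        try {
            return this.adapter.getFactory().getDefaultCipherSuites();
        } catch (ServiceSecurityException e) {
            logger.error("There was an error retrieving the SSLSocketFactory", e);
            // Callers of SSLSocketFactory expect an array; an empty one avoids a later
            // NullPointerException far away from the real cause logged above.
            return NO_CIPHER_SUITES;
        }
    }

    /**
     * Returns the delegate factory's supported cipher suites.
     *
     * @return the delegate's list, or an empty array (never {@code null}) when the delegate
     *         factory could not be built; the failure is logged
     */
    @Override
    public String[] getSupportedCipherSuites() {
        try {
            return this.adapter.getFactory().getSupportedCipherSuites();
        } catch (ServiceSecurityException e) {
            logger.error("There was an error retrieving the SSLSocketFactory", e);
            return NO_CIPHER_SUITES;
        }
    }

    /** Connects to {@code host:port} through the delegate factory. */
    @Override
    public Socket createSocket(String host, int port) throws IOException,
            UnknownHostException {
        return this.adapter.getFactory().createSocket(host, port);
    }

    /** Connects to {@code address:port} through the delegate factory. */
    @Override
    public Socket createSocket(InetAddress address, int port) throws IOException {
        return this.adapter.getFactory().createSocket(address, port);
    }

    /** Connects to {@code host:port} from the given local address and port. */
    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        return this.adapter.getFactory().createSocket(host, port, localAddress, localPort);
    }

    /** Connects to {@code address:port} from the given local address and port. */
    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress,
            int localPort) throws IOException {
        return this.adapter.getFactory().createSocket(address, port, localAddress, localPort);
    }
}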
抽象的适配器如下:
/**
 * Builds an {@link SSLSocketFactory} from the protocol name, key managers and trust managers
 * supplied by a concrete subclass, and caches it after the first successful build.
 *
 * <p>The lazy initialisation in {@link #getFactory()} is not guarded by any synchronization.
 */
public abstract class AbstractSocketFactoryAdapter {
    private SSLSocketFactory socketFactory = null;

    /** @return the protocol name handed to {@link SSLContext#getInstance(String)} */
    protected abstract String getProtocol() throws ServiceSecurityException;

    /** @return the key manager factory, or {@code null} to let the context use its default */
    protected abstract KeyManagerFactory getKeyManagerFactory() throws ServiceSecurityException;

    /** @return the trust manager factory, or {@code null} to let the context use its default */
    protected abstract TrustManagerFactory getTrustManagerFactory() throws ServiceSecurityException;

    /**
     * Returns the cached socket factory, building it on first use.
     *
     * @return the socket factory produced by the initialised {@link SSLContext}
     * @throws ServiceSecurityException if the protocol is unknown or the context cannot be
     *         initialised, or if a subclass hook fails
     */
    public SSLSocketFactory getFactory() throws ServiceSecurityException {
        if (this.socketFactory != null) {
            return this.socketFactory;
        }
        try {
            // Ask the subclass for its material in a fixed order: keys, trust, protocol.
            KeyManagerFactory kmf = this.getKeyManagerFactory();
            TrustManagerFactory tmf = this.getTrustManagerFactory();
            SSLContext sslContext = SSLContext.getInstance(this.getProtocol());

            // A null array makes SSLContext.init fall back to the installed default for that
            // role. For trust managers that means the JRE's default trust store, so the server
            // would be validated against every CA in it rather than a pinned set.
            KeyManager[] keyManagers = (kmf == null) ? null : kmf.getKeyManagers();
            TrustManager[] trustManagers = (tmf == null) ? null : tmf.getTrustManagers();

            sslContext.init(keyManagers, trustManagers, new SecureRandom());
            this.socketFactory = sslContext.getSocketFactory();
        } catch (NoSuchAlgorithmException e) {
            throw new ServiceSecurityException(e);
        } catch (KeyManagementException e) {
            throw new ServiceSecurityException(e);
        }
        return this.socketFactory;
    }
}
适配器的具体实现是:(在这个测试用例中,我从磁盘加载密钥和信任存储,但最终我们计划将它们作为 blob 存储在数据库中。)
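/**
 * {@link AbstractSocketFactoryAdapter} that reads its key store and trust store from files on
 * disk.
 *
 * <p>NOTE(review): both store passwords are held in immutable {@code String} fields for the
 * lifetime of the adapter, so they cannot be wiped from memory after use.
 */
public class SocketFactoryFileAdapter extends AbstractSocketFactoryAdapter {
    private static final String DEFAULT_KEY_STORE_TYPE = "JKS";
    private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
    // Generic name: which protocol versions end up enabled is decided by the JRE's provider.
    private static final String DEFAULT_PROTOCOL = "TLS";

    private final String keyStoreType;
    private final String trustStoreType;
    private final String protocol;
    private final String keyStoreFileName;
    private final String keyStorePassword;
    private final String trustStoreFileName;
    private final String trustStorePassword;

    /**
     * Creates an adapter using the default store types ("JKS") and protocol ("TLS").
     *
     * @param keyStoreFileName   path of the key store; {@code null} or empty means no key store
     * @param keyStorePassword   password of the key store and of the keys inside it
     * @param trustStoreFileName path of the trust store; {@code null} or empty means no trust store
     * @param trustStorePassword password of the trust store
     */
    public SocketFactoryFileAdapter(String keyStoreFileName,
                                    String keyStorePassword,
                                    String trustStoreFileName,
                                    String trustStorePassword) {
        this(keyStoreFileName,
             keyStorePassword,
             SocketFactoryFileAdapter.DEFAULT_KEY_STORE_TYPE,
             trustStoreFileName,
             trustStorePassword,
             SocketFactoryFileAdapter.DEFAULT_TRUST_STORE_TYPE,
             SocketFactoryFileAdapter.DEFAULT_PROTOCOL);
    }

    /**
     * Creates an adapter with explicit store types and protocol name.
     *
     * @param keyStoreFileName   path of the key store; {@code null} or empty means no key store
     * @param keyStorePassword   password of the key store and of the keys inside it
     * @param keyStoreType       type passed to {@link KeyStore#getInstance(String)} for the key store
     * @param trustStoreFileName path of the trust store; {@code null} or empty means no trust store
     * @param trustStorePassword password of the trust store
     * @param trustStoreType     type passed to {@link KeyStore#getInstance(String)} for the trust store
     * @param protocol           protocol name returned by {@link #getProtocol()}
     */
    public SocketFactoryFileAdapter(String keyStoreFileName,
                                    String keyStorePassword,
                                    String keyStoreType,
                                    String trustStoreFileName,
                                    String trustStorePassword,
                                    String trustStoreType,
                                    String protocol) {
        this.keyStoreFileName = keyStoreFileName;
        this.keyStorePassword = keyStorePassword;
        this.keyStoreType = keyStoreType;
        this.trustStoreFileName = trustStoreFileName;
        this.trustStorePassword = trustStorePassword;
        this.trustStoreType = trustStoreType;
        this.protocol = protocol;
    }

    /**
     * Loads the key store file and initialises a key manager factory from it.
     *
     * @return the initialised factory, or {@code null} when no key store file name was given
     * @throws ServiceSecurityException if the store cannot be read or its keys cannot be recovered
     */
    @Override
    protected KeyManagerFactory getKeyManagerFactory() throws ServiceSecurityException {
        // If the key store file name is null or 0 length, do not create a new factory
        if (this.keyStoreFileName == null || this.keyStoreFileName.length() == 0) {
            return null;
        }
        try {
            KeyManagerFactory keyManagerFactory =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore =
                    loadStore(this.keyStoreType, this.keyStoreFileName, this.keyStorePassword);
            // The same password is used for the store and for the private keys inside it.
            keyManagerFactory.init(keyStore, this.keyStorePassword.toCharArray());
            return keyManagerFactory;
        }
        catch (NoSuchAlgorithmException e) {
            throw new ServiceSecurityException(e);
        }
        catch (KeyStoreException e) {
            throw new ServiceSecurityException(e);
        }
        catch (CertificateException e) {
            throw new ServiceSecurityException(e);
        }
        catch (IOException e) {
            throw new ServiceSecurityException(e);
        }
        catch (UnrecoverableKeyException e) {
            throw new ServiceSecurityException(e);
        }
    }

    /**
     * Loads the trust store file and initialises a trust manager factory from it.
     *
     * @return the initialised factory, or {@code null} when no trust store file name was given
     * @throws ServiceSecurityException if the store cannot be read
     */
    @Override
    protected TrustManagerFactory getTrustManagerFactory() throws ServiceSecurityException {
        // If the trust store file name is null or 0 length, do not create a new factory
        if (this.trustStoreFileName == null || this.trustStoreFileName.length() == 0) {
            return null;
        }
        try {
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore =
                    loadStore(this.trustStoreType, this.trustStoreFileName, this.trustStorePassword);
            trustManagerFactory.init(trustStore);
            return trustManagerFactory;
        }
        catch (NoSuchAlgorithmException e) {
            throw new ServiceSecurityException(e);
        }
        catch (KeyStoreException e) {
            throw new ServiceSecurityException(e);
        }
        catch (CertificateException e) {
            throw new ServiceSecurityException(e);
        }
        catch (IOException e) {
            throw new ServiceSecurityException(e);
        }
    }

    /** Opens {@code fileName}, loads it as a store of the given type, and always closes the file. */
    private static KeyStore loadStore(String type, String fileName, String password)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        InputStream input = new FileInputStream(fileName);
        try {
            store.load(input, password.toCharArray());
        } finally {
            // Previously the stream stayed open whenever load() threw (wrong password,
            // corrupt file); try/finally keeps this compatible with Java 6.
            input.close();
        }
        return store;
    }

    /** @return the key store type given at construction */
    public String getKeyStoreType() {
        return this.keyStoreType;
    }

    /** @return the trust store type given at construction */
    public String getTrustStoreType() {
        return this.trustStoreType;
    }

    /** @return the protocol name given at construction */
    @Override
    public String getProtocol() {
        return this.protocol;
    }
}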
然后我有一个类,它将 SSL 套接字工厂放入开发人员的 JAX-WS 上下文中。
/**
 * Web-service proxy whose socket factory is a {@code FileSSLSocketFactory} built from key-store
 * and trust-store file names.
 *
 * <p>What the superclass does with the factory is not visible in this listing.
 */
public class SecureFileWebServiceProxy extends AbstractSecureWebServiceProxy {

    /** Shared tail of both public constructors: passes the ready-made factory to the superclass. */
    private SecureFileWebServiceProxy(Class<?> serviceImplementationClass, SSLSocketFactory factory)
            throws InstantiationException, IllegalAccessException {
        super(serviceImplementationClass, factory);
    }

    /**
     * Creates a proxy from store file names and passwords only, using the four-argument
     * {@code FileSSLSocketFactory} constructor.
     */
    public SecureFileWebServiceProxy(
            Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String trustStoreFileName,
            String trustStorePassword)
            throws InstantiationException, IllegalAccessException {
        this(
                serviceImplementationClass,
                new FileSSLSocketFactory(
                        keyStoreFileName, keyStorePassword, trustStoreFileName, trustStorePassword));
    }

    /**
     * Creates a proxy with explicit store types and protocol name, using the seven-argument
     * {@code FileSSLSocketFactory} constructor.
     */
    public SecureFileWebServiceProxy(
            Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String keyStoreType,
            String trustStoreFileName,
            String trustStorePassword,
            String trustStoreType,
            String protocol)
            throws InstantiationException, IllegalAccessException {
        this(
                serviceImplementationClass,
                new FileSSLSocketFactory(
                        keyStoreFileName,
                        keyStorePassword,
                        keyStoreType,
                        trustStoreFileName,
                        trustStorePassword,
                        trustStoreType,
                        protocol));
    }
}
这是创建服务代理:
/**
 * Web-service proxy whose socket factory is a {@code FileSSLSocketFactory} built from key-store
 * and trust-store file names.
 *
 * <p>NOTE(review): this listing is identical to the {@code SecureFileWebServiceProxy} listing
 * that precedes it on the page. The {@code AbstractSecureWebServiceProxy} superclass, which
 * receives the factory, is not shown.
 */
public class SecureFileWebServiceProxy extends AbstractSecureWebServiceProxy {

    /** Shared tail of both public constructors: passes the ready-made factory to the superclass. */
    private SecureFileWebServiceProxy(Class<?> serviceImplementationClass, SSLSocketFactory factory)
            throws InstantiationException, IllegalAccessException {
        super(serviceImplementationClass, factory);
    }

    /**
     * Creates a proxy from store file names and passwords only, using the four-argument
     * {@code FileSSLSocketFactory} constructor.
     */
    public SecureFileWebServiceProxy(
            Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String trustStoreFileName,
            String trustStorePassword)
            throws InstantiationException, IllegalAccessException {
        this(
                serviceImplementationClass,
                new FileSSLSocketFactory(
                        keyStoreFileName, keyStorePassword, trustStoreFileName, trustStorePassword));
    }

    /**
     * Creates a proxy with explicit store types and protocol name, using the seven-argument
     * {@code FileSSLSocketFactory} constructor.
     */
    public SecureFileWebServiceProxy(
            Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String keyStoreType,
            String trustStoreFileName,
            String trustStorePassword,
            String trustStoreType,
            String protocol)
            throws InstantiationException, IllegalAccessException {
        this(
                serviceImplementationClass,
                new FileSSLSocketFactory(
                        keyStoreFileName,
                        keyStorePassword,
                        keyStoreType,
                        trustStoreFileName,
                        trustStorePassword,
                        trustStoreType,
                        protocol));
    }
}
最后把它们放在一起,调用服务……
/**
 * Test driver: builds the proxy from a JKS file, obtains the service port and calls
 * {@code testMethod}. Each step logs at FATAL level on failure, and a failure in either of the
 * first two steps ends the run.
 */
public static void main(String[] args) {
    // One JKS file serves as both key store and trust store in this test.
    // NOTE(review): the store password is a literal in source here; real store passwords
    // should come from configuration outside the code.
    final String storeFile = "keystores/keystore.jks";
    final String storePassword = "changeit";

    final SecureFileWebServiceProxy proxy;
    try {
        proxy = new SecureFileWebServiceProxy(
                SampleWebServiceService.class,
                storeFile, storePassword, "JKS",
                storeFile, storePassword, "JKS",
                "TLS");
    } catch (Throwable th) {
        logger.fatal("There was an error creating the service factory", th);
        return;
    }

    final SampleWebService service;
    try {
        service = proxy.getPort(SampleWebService.class);
    } catch (Throwable th) {
        logger.fatal("There was an error creating the service", th);
        return;
    }

    try {
        // The TLS handshake happens on this first real call, not when the port is created.
        logger.debug("The service returned the value: " + service.testMethod("test"));
    } catch (Throwable th) {
        logger.fatal("There was an error calling the service", th);
    }
}
这是调试的输出,数据已修改,因为我们使用的是非自签名的真实证书...
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : ALIAS_ONE
chain [0] = [
[
Version: V3
Subject: CN=mycn, OU=myou,
Signature Algorithm: SHA1withRSA, OID = xxxxx
Key: Sun RSA public key, 2048 bits
modulus: xxx
public exponent: xxx
Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
To: Wed Aug 27 05:12:07 EDT 2014]
Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
SerialNumber: [ xxx
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ca.url,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://gtssldv-aia.geotrust.com/gtssldv.crt]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: xxx]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [xxx]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mycn
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
adding as trusted cert:
Subject: CN=mycn, OU=myou,
Issuer: CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US
Algorithm: RSA; Serial number: 0x6f6aa
Valid from Tue Jun 25 06:48:52 EDT 2013 until Wed Aug 27 05:12:07 EDT 2014
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1373718630 bytes = { 45, 50, 83, 121, 185, 87, 15, 156, 174, 186, 215, 252, 210, 107, 14, 19, 172, 248, 56, 25, 231, 241, 37, 54, 112, 176, 190, 36 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie: GMT: -1105040847 bytes = { 16, 23, 184, 87, 110, 87, 29, 130, 248, 27, 222, 32, 33, 115, 97, 142, 220, 156, 82, 25, 208, 181, 219, 152, 205, 115, 123, 184 }
Session ID: {69, 58, 206, 144, 22, 133, 165, 252, 186, 223, 39, 102, 91, 170, 133, 90, 27, 58, 195, 5, 57, 147, 222, 112, 205, 227, 143, 154, 228, 220, 68, 100}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
main, READ: TLSv1 Handshake, length = 1406
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=mycn, OU=myou,
Signature Algorithm: SHA1withRSA, OID = xxx
Key: Sun RSA public key, 2048 bits
modulus: xxx
public exponent: xxx
Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
To: Wed Aug 27 05:12:07 EDT 2014]
Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
SerialNumber: [ 06f6aa]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ca.url,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://gtssldv-aia.geotrust.com/gtssldv.crt]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 8C F4 D9 93 0A 47 BC 00 A0 4A CE 4B 75 6E A0 B6 .....G...J.Kun..
0010: B0 B2 7E FC ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: xxx]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mycn
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=mycn, OU=myou,
Signature Algorithm: SHA1withRSA, OID = xxx
Key: Sun RSA public key, 2048 bits
modulus: xxx
public exponent: 65537
Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
To: Wed Aug 27 05:12:07 EDT 2014]
Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
SerialNumber: [ 06f6aa]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ca.url,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://ca.url/ca.crt]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: xxx]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mycn
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
main, READ: TLSv1 Handshake, length = 8
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
matching alias: ALIAS_ONE
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=mycn, OU=myou,
Signature Algorithm: SHA1withRSA, OID = xxx
Key: Sun RSA public key, 2048 bits
modulus: xxx
public exponent: 65537
Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
To: Wed Aug 27 05:12:07 EDT 2014]
Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
SerialNumber: [ xxx]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ca.url,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://ca.url/ca.crt]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: xxx]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mycn
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]
]
Algorithm: [SHA1withRSA]
Signature:
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 1668
SESSION KEYGEN:
PreMaster Secret:
CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
... no IV used for this cipher
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { xxx }
***
main, WRITE: TLSv1 Handshake, length = 36
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2014-01-23 11:50:47,034 FATAL (Main.java:main():70) - There was an error calling the service
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:134)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:135)
at com.sun.xml.xwss.XWSSClientPipe.process(XWSSClientPipe.java:118)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at com.sun.proxy.$Proxy34.testMethod(Unknown Source)
at Main.main(Main.java:66)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:122)
... 14 more