I wrote small Java 7 client and server applications. I have a keystore with 3 self-signed X.509 RSA certificates. When the client connects over SSL, the SSL Certificate message sent by the server contains only one certificate. I am somewhat new to SSL/TLS. I also looked at the JSSE code sun.security.ssl.X509KeyManagerImpl and found the following comment:
/*
 * Return the best alias that fits the given parameters.
 * The algorithm we use is:
 *   . scan through all the aliases in all builders in order
 *   . as soon as we find a perfect match, return
 *     (i.e. a match with a cert that has appropriate key usage
 *      and is not expired).
 *   . if we do not find a perfect match, keep looping and remember
 *     the imperfect matches
 *   . at the end, sort the imperfect matches. we prefer expired certs
 *     with appropriate key usage to certs with the wrong key usage.
 *     return the first one of them.
 */
private String chooseAlias(List<KeyType> keyTypeList,
        Principal[] issuers, CheckType checkType)
The comment makes it clear that the server will send the single best-matching certificate, but I don't seem to understand why. In my case, I would expect the server to send all 3 certificates so that the client can pick one and validate the chain. Also, if my client does not have the certificate the server sent, the connection is terminated with an SSLHandshakeException 'No trust trust found'. So my question is: if the information the client requests (from the ClientHello) matches all 3 certificates, why can't the server send all 3? Does this have to do with TLS 1.0 vs TLS 1.2?