1

我正在尝试使用 APR 将客户端证书身份验证(相互 SSL 身份验证)与 tomcat 服务器(8.0.23)一起使用。这一切都适用于使用常规基于 java 的 io 的 tomcat,但在使用本机 io(和基于 openssl 的密码)时验证客户端签名时失败。我可以使用 openssl s_client(见下文)使其失败 - 它记录 SSL 警报编号 51(我在没有帮助的情况下广泛搜索了这个)。

当我运行 openssl s_server 并将其配置为尽可能接近 tomcat 配置时,它可以工作!在这两种情况下,我都使用完全相同的 s_client 命令(只有端口不同)——所有服务器和客户端都在同一台机器上运行。

任何帮助将不胜感激。

Tomcat:8.0.23
Openssl:1.0.2a-fips 2015 年 3 月 19 日
操作系统:CentOS Linux 7(核心)
CPE 操作系统名称:cpe:/o:centos:centos:7
内核:Linux 3.10.0-229.el7.x86_64

Tomcat 连接器配置:
<Connector port="8444" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
SSLCipherSuite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-SHA384 :DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128 -GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA" SSLHonorCipherOrder="true"
SSLCertificateFile="/var/keys/star_dmiapps_com.cer"
SSLCertificateChainFile="/ var/keys/star_dmiapps_com.chain.cer"
SSLCertificateKeyFile="/var/keys/star_dmiapps_com.key"
SSLPassword="xxxxxxx"
SSLVerifyClient="可选"
SSLVerifyDepth="4"
SSLCACertificateFile="/usr/local/keys/uberChain.crt"/>

s_server 命令行

openssl s_server -cert /var/keys/star_dmiapps_com.cer -cipher "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA :ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128 -SHA" -serverpref -key /var/keys/star_dmiapps_com.key -pass pass:xxxxxxxx -CAfile /usr/local/keys/uberChain.crt -verify 4

与 tomcat 对话时 s_client 的输出:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = Maryland, L = Bethesda, O = "Digital Management, Inc.", CN = .dmiapps.com
验证 return:1
140679845054368:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1警报解密错误:s3_pkt.c:1259:SSL 警报号 51
140679845054368:错误:140790E5:SSL 例程:SSL23_WRITE:ssl 握手失败:s23_lib.c:184:
CONNECTED(00000003)

证书链
0 s:/C=US/ST =Maryland/L=Bethesda/O=Digital Management, Inc./CN=.dmiapps.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc /OU=www.digicert.com/CN=DigiCert 全球根 CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 全球根 CA
i:/C=US/O =DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIQA+HdMPwp8NAjvkVYy+Y4fDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTE3MDAwMDAwWhcN
.
.
.
89v8qonrsSCd7AGtKTqf+wp6S0LT5KIbvCAq2ZnJ2O8UI1wESSwSzZsq1CMOmdl2
gOlXzAf6+sF9jWIyvB8EQYF057zNk0zKEmBs0cyBRLgnV9Zj3bZQxFt+5ZMdODCn
D8d/WE5cE70nnsqcCIiBM5du
-----结束证书-----
subject=/C=US/ST=Maryland/L=Bethesda/O=Digital Management, Inc./CN=*.dmiapps.com issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
可接受的客户端证书 CA 名称
/C=US/ST=Maryland/O=DMI/CN=DMI 中间 CA
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 安全服务器 CA
/C=US/ST=Maryland/L=Bethesda/O=DMI/CN=DMI 根 CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN =DigiCert 全球根 CA
服务器临时密钥:ECDH,prime256v1,256 位

SSL 握手已读取 4278 字节并写入 4612 字节
新,TLSv1/SSLv3,密码为 ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: DEEA668F36C1D567B3CA327338737E674BB89D8A117D31466DC3104E6E02C7CF8009BD41F509A17104096BCAFE95F240
Key -Arg:无
Krb5 主体:无
PSK 身份:无
PSK 身份提示:无
开始时间:1452722344
超时:300(秒)
验证返回码:0(正常)

与 s_server 交谈时 s_client 的输出

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = Maryland, L = Bethesda, O = "Digital Management, Inc.", CN = .dmiapps.com
验证 return:1
CONNECTED(00000003)

证书链 0 s:/C= US/ST=马里兰/L=Bethesda/O=Digital Management, Inc./CN= .dmiapps.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US /O=DigiCert Inc/CN=DigiCert SHA2 安全服务器 CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 全球根 CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 全球根 CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgIQA+HdMPwp8NAjvkVYy+Y4fDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTE3MDAwMDAwWhcN
.
.
.
89v8qonrsSCd7AGtKTqf+wp6S0LT5KIbvCAq2ZnJ2O8UI1wESswSzZsq1CMOmdl2
gOlXzAf6+sF9jWIyvB8EQYF057zNk0zKEmBs0cyBRLgnV9Zj3bZQxFt+5ZMdODCn
D8d/WE5cE70nnsqcCATE
-----END
subject=/C=US/ST=Maryland/L=Bethesda/O=Digital Management, Inc./CN=*.dmiapps.com issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Acceptable客户端证书 CA 名称
/C=US/ST=Maryland/O=DMI/CN=DMI 中间 CA
/C=US/ST=Maryland/L=Bethesda/O=DMI/CN=DMI 根 CA
/C=US/O =DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 5849字节并写入 4861 字节

新,TLSv1/SSLv3,密码为 ECDHE-RSA-AES256-SHA384
服务器公钥为 2048 位
支持安全重新协商
压缩:无
扩展:无
SSL-会话:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: A2978962A54C12A5EEB008A55BAD06872EA1B6BBBFCFF48C62FD026776BB0AAF
Session-ID-ctx:
Master-Key: 5D55FD5EF5B5CBDD052F2420FC0D154771F655074BDD58A23B44A20B415E0C404F1F4848E658657685FB797386C28B88
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session票证生命周期提示:300(秒)
TLS 会话票证:
0000 - 2d 07 bf e6 1e 1d c0 b4-f8 4c 3a 4d f1 c5 4d b7 -........L:M..M.
0010 - 36 c9 d6 b2 43 ae c1 ea-2c 5a 2c 81 5a 7b 0f 09 6...C...,Z,.Z{..
0020 - b0 01 66 直流 b6 d1 c7 88-7a a2 d6 38 7b 82 75 02 ..f..z..8{.u.
.
.
.
0590 - 46 b9 db b2 03 b4 4d 54-f3 27 7c 8e bf a2 44 17 F.....MT.'|...D.
05a0 - 54 e5 61 c9 f0 ea 13 aa-4d f4 84 fb b7 34 c5 b1 Ta....M....4..

Start Time: 1452722382<br/>
Timeout   : 300 (sec)<br/>
Verify return code: 0 (ok)<br/>
4

0 回答 0