15

团队尝试使用 HTTPS 完成相互握手时遇到以下问题

main, READ: TLSv1.2 Handshake, length = 30
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA
Cert Authorities:
<Empty>
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

我的 JAVA 课程如下

public class ClientCustomSSL {

    @SuppressWarnings("deprecation")
    public final static void main(String[] args) throws Exception {
        // Trust own CA and all self-signed certs
        final String CLIENT_KEYSTORE = "yourkeystore.jks";
        final String CLIENT_TRUSTSTORE = "catruststore.jks";
        final char[] KEYPASS_AND_STOREPASS_VALUE = "Hello1".toCharArray();


        System.setProperty("https.protocols", "TLSv1");

        //SSLContext sslcontext = SSLContexts.custom().loadKeyMaterial(keystore, keyPassword)(YK,"Hello1".toCharArray(),"Hello1".toCharArray()).loadTrustMaterial(CA, "Hello1".toCharArray(), (TrustStrategy) new TrustSelfSignedStrategy()).build();

        KeyStore clientTrustStore = getStore(CLIENT_TRUSTSTORE, KEYPASS_AND_STOREPASS_VALUE);
        KeyStore clientKeyStore = getStore(CLIENT_KEYSTORE, KEYPASS_AND_STOREPASS_VALUE);  


        SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(clientKeyStore, "Hello1".toCharArray()).loadTrustMaterial(clientTrustStore,(TrustStrategy) new TrustSelfSignedStrategy()).build();
       CloseableHttpClient httpclient = HttpClients.custom().setSSLContext(sslContext).build();

        System.out.println("SSLCONETXT   **** " + sslContext.getProvider());
        try {

            HttpGet httpget = new HttpGet("https://myserver:10220");

            CloseableHttpResponse response = httpclient.execute(httpget);

            try {
                System.out.println("Inside TRY blcok"); 
                HttpEntity entity = response.getEntity();
                System.out.println("----------------------------------------");
                System.out.println(response.getStatusLine());
                EntityUtils.consume(entity);

            } catch (Exception e) {
                e.getMessage();
                e.printStackTrace();
            }
            finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }


    public static KeyStore getStore(final String storeFileName, final char[] password) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException 
    {
        final String JAVA_KEYSTORE = "jks";
        final KeyStore store = KeyStore.getInstance(JAVA_KEYSTORE);
        URL url = ClientCustomSSL.class.getClassLoader().getResource(storeFileName);
        String workingDir = System.getProperty("user.dir");
        System.out.println("Current working directory : " + workingDir);

        System.out.println("Value of URL *** " + url);
        InputStream inputStream = url.openStream();
        try {
            store.load(inputStream, password);
} finally {
    inputStream.close();
}

return store;
}

}

我正在准备一个 jar 文件并从 UNIX 框中测试它

使用以下命令 java -Djavax.net.debug=ssl -cp snSSLclientTrustWithStoreCCC.jar cassandra.cass.ClientCustomSSL

我关注了 为什么在 SSL 握手期间 java 不发送客户端证书? 并且还完成了布鲁诺提到的所有步骤。

我不确定我在这里缺少什么。任何帮助将不胜感激

4

4 回答 4

13
  1. CertificateRequest客户端无法在其密钥库中找到由消息中提到的任何签名者直接或间接签名的证书。
  2. 原因是服务器没有在该消息中指定任何受信任的签名者。
  3. 这反过来意味着服务器的信任库是空的。
于 2016-08-23T08:38:56.707 回答
1

就我而言,问题原来是我null在加载密钥库时作为密码传入:

KeyStore keyStore = KeyStore.getInstance("PKCS12")
InputStream inputStream = new FileInputStream('/path/to/mykeystore.p12')

try {
    keyStore.load(inputStream, null); // <-- PROBLEM HERE!
}
finally {
    inputStream.close();
}

这没有产生任何错误消息,但它默默地未能加载客户端密钥和证书

解决方案是传递密码:

keyStore.load(inputStream as InputStream, 'mypassword'.toCharArray());
于 2018-12-31T06:50:02.930 回答
1

这实际上是 TLS 1.0 规范和 TLS 1.1/1.2 不同的地方。

特别是,在 TLS 1.1 的第 7.4.4 节(证书请求)中添加了以下内容:

如果 certificate_authorities 列表为空,则客户端可以发送任何适当的 ClientCertificateType 证书,除非有一些相反的外部安排。

所以空的 Cert Authorities 只是意味着客户端可以自由地将任何证书发送到服务器,服务器的内部规则可能会也可能不会接受。

于 2018-05-28T14:06:45.113 回答
1

我有一个类似的问题

ServerHelloDone
警告:未找到合适的证书 - 无需客户端身份验证即可继续

证书链

对我来说,问题是我错误地创建了密钥库:

keytool -importcert -keystore keystore.jks -alias client-cert -file client-cert.pem  -storepass password

对我有帮助的是:

openssl pkcs12 -export -chain -in client-cert.pem  -inkey client-key.pem  -out keystore.p12 -name client-cert -CAfile ca-cert.pem
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -alias client-cert

我在这里找到了这个解决方案: https ://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore

于 2020-07-02T03:34:21.057 回答