我有一个基于Java的客户端,它通过Tomcat 8与我的Java服务器对话。我需要让ClientAuthSSL在客户端和服务器之间工作。根据我是否将Tomcat配置为使用Http11NioProtocol进行SSL或使用本机APR(openssl)进行SSL,我有两个不同的问题。我需要Tomcat配置才能工作。我试图缩小问题范围。
客户端代码如下。我切换到使用自定义X509ExtendedTrustManager(ServerTrustManager)和X509ExtendedKeyManager(ClientAuthKeyManager)类,以确保提供正确的数据并帮助调试。
ServerTrustManager serverTm = new ServerTrustManager(getCaCertificates());
TrustManager [] trustManagers = new TrustManager[] { serverTm };
ClientAuthKeyManager mykm =
new ClientAuthKeyManager(getSessionContext().getProductAgentCertificate(), getSessionContext());
KeyManager[] keyManagers = new KeyManager[] { mykm };
SSLContext sslContext = SSLContexts.createDefault();
sslContext.init(keyManagers, trustManagers, null);
Client clientHttps = ClientBuilder.newBuilder()
.withConfig(getClientConfig())
.sslContext(sslContext)
.build();
TOMCAT与APR(OPENSSL)
Tomcat 8配置为:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true"
SSLVerifyClient="require"
SSLCertificateFile="...\dim.magnicomp.com-productserver.crt"
SSLCertificateKeyFile="...\dim.magnicomp.com-productserver.key"
SSLPassword="..."
SSLCertificateChainFile="...\ca-bundle.crt"
maxThreads="200"
scheme="https"
secure="true"/>
问题:我可以为Apr/OpenSSL代码启用调试输出/日志记录吗?我在谷歌上找不到任何结果。
使用此Tomcat配置,我的Java客户端无法连接(从客户端进行ssl调试):
... snip ...
*** CertificateVerify
Signature Algorithm SHA512withRSA
main, WRITE: TLSv1.2 Handshake, length = 264
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
17:05:17,709 ERROR JAX-RS ProcessingException for https://dim.magnicomp.com:8443/cabridge/v1/device/configuration - java.net.SocketException: Software caused connection abort: socket write error
使用相同的配置,带有ClientAuth证书的“openssls_client…”命令可以工作:
# openssl s_client -connect localhost:8443 -CAfile ca-bundle.crt -cert dim.magnicomp.com-productagent.crt -key dim.magnicomp.com-productagent.key
CONNECTED(00000003)
depth=2 CN = MagniComp Root CA
verify return:1
depth=1 DC = com, DC = magnicomp, CN = MagniComp Issuing CA3
verify return:1
depth=0 CN = dim.magnicomp.com
verify return:1
write:errno=113
---
Certificate chain
0 s:/CN=dim.magnicomp.com
i:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
1 s:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
i:/CN=MagniComp Root CA
2 s:/CN=MagniComp Root CA
i:/CN=MagniComp Root CA
---
... snip ...
TOMCAT与Http11NioProtocol
Tomcat端似乎无法接受ClientAuth证书(Tomcat/Apr的输出):
http-nio-8443-exec-2, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8443-exec-2, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
上述Tomcat错误发生在我的Java客户端或"openssls_connect":
# openssl s_client -connect localhost:8443 -CAfile ca-bundle.crt -cert dim.magnicomp.com-productagent.crt -key dim.magnicomp.com-productagent.key
CONNECTED(00000003)
depth=2 CN = MagniComp Root CA
verify return:1
depth=1 DC = com, DC = magnicomp, CN = MagniComp Issuing CA3
verify return:1
depth=0 CN = dim.magnicomp.com
verify return:1
6870300:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1472:SSL alert number 46
6870300:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/CN=dim.magnicomp.com
i:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
1 s:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
i:/CN=MagniComp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
subject=/CN=dim.magnicomp.com
issuer=/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
---
Acceptable client certificate CA names
/CN=MagniComp Root CA
/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1:RSA+MD5
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4528 bytes and written 5835 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 57102D9B932A1CBBCEFB687A74885A204D3473D8154EBA09D8E073173B18CC17
Session-ID-ctx:
Master-Key: 9BDC26F7CD11D05F2EFF07764F280D167E1547306B6626EF9955C97805816A13F7A0ABB9CCC3BF883282998881DDFFB3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1460678043
Timeout : 300 (sec)
Verify return code: 0 (ok)
Tomcat服务器. xml:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
clientAuth="true"
keyAlias="privatekey"
keyPass="..."
keystoreFile="...\dim.magnicomp.com-productserver.jks"
keystorePass="..."
keystoreType="JKS"
maxThreads="200"
port="8443"
scheme="https"
secure="true"
truststoreFile="...\cacerts.jks"
truststorePass="changeit"/>
DEV环境我正在使用OracleJava1.8.65。我已经在JVM中安装了完整的JCE并验证其启用。代理和服务器是同一个视窗10系统。
>
在APR环境中,您尚未将OpenSSL配置为信任任何证书颁发机构。您需要设置
SSLCACertificatePath
或
SSLCACertificateFile
看留档。
在非APR的情况下,您的信任库不信任客户端证书。如果它是自签名的,则需要将其导入信任库,这意味着您应该将JDK/JRE信任库复制到本地信任库并导入其中,这样您就不会在下一次Java更新时受到破坏。如果它不是自签名的,则需要如上所述导入CA的证书。在这两种情况下,都必须使用keytools-Trust cacerts
选项。