警告:找不到合适的证书 – 继续没有客户端身份validation
团队在尝试使用HTTPS完成相互握手时遇到以下问题
main, READ: TLSv1.2 Handshake, length = 30 *** CertificateRequest Cert Types: RSA, DSS, ECDSA Supported Signature Algorithms: SHA1withRSA, SHA1withDSA, SHA1withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA Cert Authorities: main, READ: TLSv1.2 Handshake, length = 4 *** ServerHelloDone Warning: no suitable certificate found - continuing without client authentication *** Certificate chain 我的JAVA课程如下
public class ClientCustomSSL { @SuppressWarnings("deprecation") public final static void main(String[] args) throws Exception { // Trust own CA and all self-signed certs final String CLIENT_KEYSTORE = "yourkeystore.jks"; final String CLIENT_TRUSTSTORE = "catruststore.jks"; final char[] KEYPASS_AND_STOREPASS_VALUE = "Hello1".toCharArray(); System.setProperty("https.protocols", "TLSv1"); //SSLContext sslcontext = SSLContexts.custom().loadKeyMaterial(keystore, keyPassword)(YK,"Hello1".toCharArray(),"Hello1".toCharArray()).loadTrustMaterial(CA, "Hello1".toCharArray(), (TrustStrategy) new TrustSelfSignedStrategy()).build(); KeyStore clientTrustStore = getStore(CLIENT_TRUSTSTORE, KEYPASS_AND_STOREPASS_VALUE); KeyStore clientKeyStore = getStore(CLIENT_KEYSTORE, KEYPASS_AND_STOREPASS_VALUE); SSLContext sslContext = SSLContexts.custom().loadKeyMaterial(clientKeyStore, "Hello1".toCharArray()).loadTrustMaterial(clientTrustStore,(TrustStrategy) new TrustSelfSignedStrategy()).build(); CloseableHttpClient httpclient = HttpClients.custom().setSSLContext(sslContext).build(); System.out.println("SSLCONETXT **** " + sslContext.getProvider()); try { HttpGet httpget = new HttpGet("https://myserver:10220"); CloseableHttpResponse response = httpclient.execute(httpget); try { System.out.println("Inside TRY blcok"); HttpEntity entity = response.getEntity(); System.out.println("----------------------------------------"); System.out.println(response.getStatusLine()); EntityUtils.consume(entity); } catch (Exception e) { e.getMessage(); e.printStackTrace(); } finally { response.close(); } } finally { httpclient.close(); } } public static KeyStore getStore(final String storeFileName, final char[] password) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { final String JAVA_KEYSTORE = "jks"; final KeyStore store = KeyStore.getInstance(JAVA_KEYSTORE); URL url = ClientCustomSSL.class.getClassLoader().getResource(storeFileName); String workingDir = System.getProperty("user.dir"); System.out.println("Current working directory : " + workingDir); System.out.println("Value of URL *** " + url); InputStream inputStream = url.openStream(); try { store.load(inputStream, password); } finally { inputStream.close(); } return store; } }
我正在准备一个jar文件并在UNIX框中测试它
使用以下命令java -Djavax.net.debug = ssl -cp snSSLclientTrustWithStoreCCC.jar cassandra.cass.ClientCustomSSL
我跟着发帖为什么在SSL握手期间java不发送客户端证书? 并完成了布鲁诺提到的所有步骤。
我不确定我在这里缺少什么。 任何帮助将不胜感激
- 客户端无法在其密钥库中找到由
CertificateRequest消息中提到的任何签名者直接或间接签名的CertificateRequest。 - 原因是服务器没有在该消息中指定任何可信签名者。
- 这反过来意味着服务器的信任库是空的。
这实际上是TLS 1.0规范和TLS 1.1 / 1.2不同的领域。
特别是, 在TLS 1.1中的7.4.4节(证书请求)中添加了以下内容:
如果certificate_authorities列表为空,则客户端可以发送任何相应ClientCertificateType的证书,除非有相反的外部安排。
因此空的证书颁发机构只是意味着客户可以自由地向服务器发送任何证书,服务器的内部规则可能接受也可能不接受。