javax.net.ssl.SSLHandshakeException:收到致命警报:unknown_ca
我必须通过SSL双重身份validation连接到服务器。 我已将自己的私钥加证书添加到keystore.jks ,将服务器的自签名证书添加到truststore.jks ,这两个文件都复制到/ usr / share / tomcat7。 我的代码使用的套接字工厂由以下提供者提供:
@Singleton public static class SecureSSLSocketFactoryProvider implements Provider { private SSLSocketFactory sslSocketFactory; public SecureSSLSocketFactoryProvider() throws RuntimeException { try { final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); final InputStream trustStoreFile = new FileInputStream("/usr/share/tomcat7/truststore.jks"); trustStore.load(trustStoreFile, "changeit".toCharArray()); final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); final InputStream keyStoreFile = new FileInputStream("/usr/share/tomcat7/keystore.jks"); keyStore.load(keyStoreFile, "changeit".toCharArray()); final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, "changeit".toCharArray()); final SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); this.sslSocketFactory = sslContext.getSocketFactory(); } catch (final KeyStoreException e) { Log.error("Key store exception: {}", e.getMessage(), e); } catch (final CertificateException e) { Log.error("Certificate exception: {}", e.getMessage(), e); } catch (final UnrecoverableKeyException e) { Log.error("Unrecoverable key exception: {}", e.getMessage(), e); } catch (final NoSuchAlgorithmException e) { Log.error("No such algorithm exception: {}", e.getMessage(), e); } catch (final KeyManagementException e) { Log.error("Key management exception: {}", e.getMessage(), e); } catch (final IOException e) { Log.error("IO exception: {}", e.getMessage(), e); } } @Override public SSLSocketFactory get() { return sslSocketFactory; } } 当我尝试连接到服务器上的端点时,我得到以下exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_45] at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.7.0_45] at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959) ~[na:1.7.0_45] at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077) ~[na:1.7.0_45] at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[na:1.7.0_45] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[na:1.7.0_45] at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[na:1.7.0_45] at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[na:1.7.0_45] at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[na:1.7.0_45] at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) ~[na:1.7.0_45]
知道我错过了什么吗?
如果从服务器返回警告unknown_ca ,则服务器不喜欢您作为客户端证书发送的证书,因为它不是由服务器信任的CA签署的客户端证书。