Java not presenting a client certificate for mutual SSL?

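I am trying to connect to a NetScaler endpoint using mutual SSL from a Java Spring Boot application. I am able to connect as expected on the command line via OpenSSL with the following command: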

openssl s_client -connect xxxx.xxxx.xxxx.xxx:443 -cert cert.cer -key private.key 

This gives the following output:

    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=GB/ST=London/L=London/O=XXXX XXXXX XXX/OU=Infrastructure Services/CN=sit1.xxxxxxx.xxxxxxx.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
     1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
     2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGEDCCBPigAwIBAgIQfcfqyYG0Xonen/ZVJX6uGzANBgkqhkiG9w0BAQsFADB+
    ...
    /mYUOtT8fbbe1v+erDvbwbXikyE=
    -----END CERTIFICATE-----
    subject=/C=GB/ST=London/L=London/O=XXXX XXXXX XXX/OU=Infrastructure Services/CN=sit1.xxxxxxx.xxxxxxx.com
    issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    ---
    Acceptable client certificate CA names
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    Client Certificate Types: RSA sign, DSA sign
    Requested Signature Algorithms: RSA+MD5:RSA+SHA1:RSA+SHA256:DSA+SHA1
    Shared Requested Signature Algorithms: RSA+SHA1:RSA+SHA256:DSA+SHA1
    ---
    SSL handshake has read 4672 bytes and written 2489 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-SHA
        Session-ID: BFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0D
        Session-ID-ctx:
        Master-Key: F7FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX65
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1467272199
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

To connect from the Java application, I combined the key and certificate from the cert.cer and private.key files using the following command:

 openssl pkcs12 -export -in cert.cer -inkey private.key -out keystore.p12 

I start the Spring application with the following parameters:

 -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore=C:/opt/wtr-certs/keystore.p12 -Djavax.net.ssl.keyStorePassword=XXXXXXXXX 

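I can clearly see that my keystore is loaded when the Java application attempts to connect, but it seems to fail when trying to present the client certificate to the server.

Loading the keystore: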

    trigger seeding of SecureRandom
    done seeding SecureRandom
    keyStore is : C:/opt/wtr-certs/keystore.p12
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    ***
    found key for : xxxx.xxxx.xxx.xxxxxxxx.xxx
    chain [0] = [
    [
      Version: V3
      Subject: CN=xxxx.xxxx.xxx.xxxxxxxx.xxx, OU=Infrastructure Services, O=XXXX XXXX XXX, L=London, ST=London, C=GB
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

      Key:  Sun RSA public key, 2048 bits
      modulus: ...

I believe the Java application is not presenting the certificate correctly, as shown in this part of the log:

    *** CertificateRequest
    Cert Types: RSA, DSS
    Supported Signature Algorithms: MD5withRSA, SHA1withRSA, SHA256withRSA, SHA1withDSA
    Cert Authorities:
    *** ServerHelloDone
    Warning: no suitable certificate found - continuing without client authentication
    *** Certificate chain
    ***

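There appears to be a similar, older question here: "Java not sending client certificate", but it has no answers. How can I persuade Java to find and send the correct certificate? I can provide additional logs if needed.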
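
A keystore check for the situation described in the post, added here as an example and not part of the original question: it lists the certificate chain stored with each private key in the PKCS#12 file and asks Java's SunX509 key manager (the type named in the debug log) which alias it would choose for the CA names the server advertised. The class name `ClientCertCheck` and its command-line arguments are assumptions; the two DNs are copied from the `openssl s_client` output in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical class). Usage: java ClientCertCheck keystore.p12 <password>
public class ClientCertCheck {
    // "Acceptable client certificate CA names" from the openssl output, in RFC 2253 form.
    static final X500Principal[] ACCEPTED = {
        new X500Principal("CN=VeriSign Class 3 Public Primary Certification Authority - G5,"
            + "OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,"
            + "OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US"),
        new X500Principal("CN=Symantec Class 3 Secure Server CA - G4,"
            + "OU=Symantec Trust Network,O=Symantec Corporation,C=US")
    };

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // List each private-key entry and the issuer of every certificate stored with it.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : null;
            if (chain == null) continue;
            System.out.println("key entry '" + alias + "', chain length " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal()
                    + "\n  issuer:  " + x.getIssuerX500Principal());
            }
        }
        // Ask the SunX509 key manager to pick an alias for the advertised key types and CAs.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            String alias = ((X509KeyManager) km)
                .chooseClientAlias(new String[] {"RSA", "DSA"}, ACCEPTED, null);
            System.out.println(alias == null ? "no alias matches the advertised CA names"
                                             : "would present alias: " + alias);
        }
    }
}
```

Running it against the keystore shows, without a network connection, whether the key manager finds a usable entry for those issuers and how many certificates are stored alongside the private key.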