Java server self-signed certificate + client certificate and SSL – Connection reset

(I have already asked a similar question; it turned out that my client key was not being loaded, but now I have just one exception, so I am posting another question.)

I am connecting to a web service that I used successfully before, but they have now changed the hostname and sent me two .pem files: one is the CA and the other is my new client certificate.

(I am using Java 1.5, Spring + Spring Web Services and Apache HttpClient, but I suspect my problem lies with the certificates, keys and SSL itself.)

I have imported both .pem files, plus the host .crt that I exported from Firefox, into my cacerts. But since I get this exception, I am obviously doing something wrong:

 org.springframework.ws.client.WebServiceIOException: I/O error: Connection reset; nested exception is java.net.SocketException: Connection reset
 Caused by: java.net.SocketException: Connection reset
     at java.net.SocketInputStream.read(SocketInputStream.java:168)
     at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:284)
     at com.sun.net.ssl.internal.ssl.InputRecord.readV3Record(InputRecord.java:396)
     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:348)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
     at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
     at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
     at org.springframework.ws.transport.http.CommonsHttpConnection.onSendAfterWrite(CommonsHttpConnection.java:83)
     at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:42)
     at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:547)
     at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:405)
     at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:358)
     at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:304)
     at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:289)
     ...

When I turn on SSL logging with System.setProperty("javax.net.debug", "all"), I see the server certificate being accepted, and then this happens during or after the client key exchange:

 setting up default SSLSocketFactory use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded keyStore is : D:\AdriaticaCentral\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\AdriaticaCentralOnlineServer\WEB-INF\classes\keystore keyStore type is : jks keyStore provider is : init keystore init keymanager of type SunX509 *** found key for : ypsilonclient chain [0] = [ [ Version: V1 Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 103786554737956184369138386227517475430156404603922533481712260490997247291004352385079204978431207687092828117962473600295977103686791448953158848873575487907656378655168840104433047747570602454550203304683174555325033654946526304210710782190667961616217273402229863778090825217190222869236148684215668636483 public exponent: 65537 Validity: [From: Fri Mar 26 13:14:36 CET 2010, To: Mon Mar 23 13:14:36 CET 2020] Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE SerialNumber: [ 94778886 f4ca92c2] ] Algorithm: [SHA1withRSA] Signature: 0000: 86 EE 6C 03 20 76 E5 0C C7 1D E5 44 60 C0 D0 40 ..lv....D`..@ 0010: 02 96 EE 05 39 31 E8 5A FE F4 72 7B 9B CC E7 0F ....91.Z..r..... 0020: 97 E6 41 7E EC E3 65 C5 A2 B0 41 61 93 B4 48 EE ..A...e...Aa..H. 0030: DE 44 76 94 C1 48 E4 05 96 C2 0A 9B 1C 94 1B 85 .Dv..H.......... 0040: 96 9F F3 00 D3 AC B7 95 C5 2C D5 ED 52 FA D7 79 .........,..R..y 0050: A1 10 BB CB A4 BD 30 08 51 71 50 EE DC 60 88 AD ......0.QqP..`.. 0060: 31 6E 88 D9 97 F3 8B 5B 01 B3 80 B2 B2 06 62 FB 1n.....[......b. 0070: DE A4 74 87 D9 2A 2B 2F AF 31 22 97 4A F6 B8 9F ..t..*+/.1".J... 
] *** trustStore is: D:\AdriaticaCentral\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\AdriaticaCentralOnlineServer\WEB-INF\classes\cacerts trustStore type is : jks trustStore provider is : init truststore adding as trusted cert: Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network Algorithm: RSA; Serial number: 0x1 Valid from Sat Jun 26 02:19:54 CEST 1999 until Wed Jun 26 02:19:54 CEST 2019 adding as trusted cert: Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE Algorithm: RSA; Serial number: 0x2 Valid from Fri Mar 26 11:37:00 CET 2010 until Mon Mar 23 11:37:00 CET 2020 adding as trusted cert: Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE Issuer: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE Algorithm: RSA; Serial number: 0x3eb Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011 adding as trusted cert: Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE Algorithm: RSA; Serial number: 0x94778886f4ca92c2 Valid from Fri Mar 26 13:14:36 CET 2010 until Mon Mar 23 13:14:36 CET 2020 [unimportant certificates snipped] adding as trusted cert: 
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192 Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028 init context trigger seeding of SecureRandom done seeding SecureRandom instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl http-8080-Processor25, setSoTimeout(90000) called http-8080-Processor25, setSoTimeout(90000) called %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1296423943 bytes = { 233, 32, 138, 106, 31, 235, 174, 62, 53, 252, 155, 255, 248, 43, 255, 58, 99, 70, 232, 17, 220, 98, 42, 40, 101, 157, 26, 113 } Session ID: {} Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] Compression Methods: { 0 } *** http-8080-Processor25, WRITE: TLSv1 Handshake, length = 73 http-8080-Processor25, WRITE: SSLv2 client hello message, length = 98 http-8080-Processor25, READ: TLSv1 Handshake, length = 74 *** ServerHello, TLSv1 RandomCookie: GMT: 1296423943 bytes = { 201, 241, 99, 38, 140, 0, 132, 20, 231, 186, 165, 243, 178, 143, 146, 172, 108, 161, 126, 74, 70, 56, 138, 165, 39, 99, 254, 173 } Session ID: {1, 78, 15, 139, 52, 55, 227, 34, 190, 155, 208, 146, 92, 216, 197, 173, 214, 218, 238, 194, 255, 
48, 34, 171, 219, 162, 231, 250, 183, 158, 235, 63} Cipher Suite: SSL_RSA_WITH_RC4_128_MD5 Compression Method: 0 *** %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5] ** SSL_RSA_WITH_RC4_128_MD5 http-8080-Processor25, READ: TLSv1 Handshake, length = 1378 *** Certificate chain chain [0] = [ [ Version: V1 Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313 public exponent: 65537 Validity: [From: Fri Mar 26 11:37:00 CET 2010, To: Mon Mar 23 11:37:00 CET 2020] Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE SerialNumber: [ 02] ] Algorithm: [SHA1withRSA] Signature: 0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V.. 0010: 22 B2 3C 62 9B 8C 45 30 BE 89 C6 8C D5 CD D0 4C ".<b..E0.......L 0020: 0A 92 3C AB C6 72 5C 7E A4 4B 12 B5 3D 90 6F D1 ..<..r\..K..=.o. 0030: 8D 23 8F FE 46 9E D5 15 BA 8D 32 12 79 86 D8 42 .#..F.....2.y..B 0040: A9 AF 95 3A 58 D6 F0 1C C9 44 B7 AB 78 F8 0E 16 ...:X....D..x... 0050: E5 B1 30 29 56 D5 C1 4F 06 D2 5C 9B 7F 61 22 7D ..0)V..O..\..a". 0060: 6C EB C5 7C 02 8B D4 3B 3B 66 20 55 72 2D 1B F1 l......;;f Ur-.. 0070: 3A 28 3F 10 80 BC 9F 46 DA 0E 8F DC 53 0E 0B 85 :(?....F....S... 
] chain [1] = [ [ Version: V1 Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 103786554737956184369138386227517475430156404603922533481712260490997247291004352385079204978431207687092828117962473600295977103686791448953158848873575487907656378655168840104433047747570602454550203304683174555325033654946526304210710782190667961616217273402229863778090825217190222869236148684215668636483 public exponent: 65537 Validity: [From: Fri Mar 26 13:14:36 CET 2010, To: Mon Mar 23 13:14:36 CET 2020] Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE SerialNumber: [ 94778886 f4ca92c2] ] Algorithm: [SHA1withRSA] Signature: 0000: 86 EE 6C 03 20 76 E5 0C C7 1D E5 44 60 C0 D0 40 ..lv....D`..@ 0010: 02 96 EE 05 39 31 E8 5A FE F4 72 7B 9B CC E7 0F ....91.Z..r..... 0020: 97 E6 41 7E EC E3 65 C5 A2 B0 41 61 93 B4 48 EE ..A...e...Aa..H. 0030: DE 44 76 94 C1 48 E4 05 96 C2 0A 9B 1C 94 1B 85 .Dv..H.......... 0040: 96 9F F3 00 D3 AC B7 95 C5 2C D5 ED 52 FA D7 79 .........,..R..y 0050: A1 10 BB CB A4 BD 30 08 51 71 50 EE DC 60 88 AD ......0.QqP..`.. 0060: 31 6E 88 D9 97 F3 8B 5B 01 B3 80 B2 B2 06 62 FB 1n.....[......b. 0070: DE A4 74 87 D9 2A 2B 2F AF 31 22 97 4A F6 B8 9F ..t..*+/.1".J... 
] *** Found trusted certificate: [ [ Version: V1 Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 1024 bits modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313 public exponent: 65537 Validity: [From: Fri Mar 26 11:37:00 CET 2010, To: Mon Mar 23 11:37:00 CET 2020] Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE SerialNumber: [ 02] ] Algorithm: [SHA1withRSA] Signature: 0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V.. 0010: 22 B2 3C 62 9B 8C 45 30 BE 89 C6 8C D5 CD D0 4C ".<b..E0.......L 0020: 0A 92 3C AB C6 72 5C 7E A4 4B 12 B5 3D 90 6F D1 ..5... 0010: F8 2B FF 3A 63 46 E8 11 DC 62 2A 28 65 9D 1A 71 .+.:cF...b*(e..q Server Nonce: 0000: 4D 46 DC 07 C9 F1 63 26 8C 00 84 14 E7 BA A5 F3 MF....c&........ 0010: B2 8F 92 AC 6C A1 7E 4A 46 38 8A A5 27 63 FE AD ....l..JF8..'c.. Master Secret: 0000: DE 21 44 E2 E9 3B E8 1E EE 64 D3 44 B2 41 D6 F8 .!D..;...dDA. 0010: 06 67 95 7B 4C 8C D3 DB AC C4 85 1E 35 67 30 1A .g..L.......5g0. 0020: 36 F2 15 EE 5E 1D 3F 67 35 74 4F 0B 0B EE 02 92 6...^.?g5tO..... Client MAC write Secret: 0000: 9E AF AB 0F D1 71 21 ED 0B B5 BB 65 12 F2 F9 0A .....q!....e.... Server MAC write Secret: 0000: BD 17 61 C4 3F FE 61 8D 85 EF 5A E9 2D 8E 06 CD ..a.?.a...Z.-... Client write key: 0000: C0 0D 6C 01 63 74 1D E6 53 04 92 BC 6D 12 A6 8F ..l.ct..S...m... Server write key: 0000: 32 B4 99 5C 37 A2 83 67 78 09 95 55 C8 63 72 6F 2..\7..gx..U.cro ... 
no IV for cipher *** CertificateVerify http-8080-Processor25, WRITE: TLSv1 Handshake, length = 134 http-8080-Processor25, WRITE: TLSv1 Change Cipher Spec, length = 1 *** Finished verify_data: { 47, 74, 83, 184, 225, 220, 176, 197, 212, 45, 72, 182 } *** http-8080-Processor25, WRITE: TLSv1 Handshake, length = 32 http-8080-Processor25, handling exception: java.net.SocketException: Connection reset http-8080-Processor25, SEND TLSv1 ALERT: fatal, description = unexpected_message http-8080-Processor25, WRITE: TLSv1 Alert, length = 18 http-8080-Processor25, Exception sending alert: java.net.SocketException: Connection reset by peer: socket write error http-8080-Processor25, called closeSocket() http-8080-Processor25, called close() http-8080-Processor25, called closeInternal(true) http-8080-Processor25, called close() http-8080-Processor25, called closeInternal(true) http-8080-Processor25, called close() http-8080-Processor25, called closeInternal(true) 

Why does my connection keep getting reset, and how do I fix it?

Problem solved.

I had done this:

 openssl pkcs8 -topk8 -nocrypt -outform der -in clientkey.pem -out clientkey.der 

But I had not done this:

 openssl x509 -outform der -in clientkey.pem -out clientkey.cer 

Both files need to be imported into the keystore through Java, not keytool. I had only imported clientkey.der.

It turns out you have to import the client key and the server certificate into the keystore separately; I did not know that converting the .pem to .der does not also export the attached server certificate.
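The programmatic import the answer describes, as an added example (not the asker's code): it loads the two DER files produced by the openssl commands above into a JKS keystore under the alias seen in the debug output, and first checks that the certificate actually belongs to the private key. File names, the CA file ca.cer and the password are assumptions; the code avoids Java 7 APIs so it matches the Java 1.5 setup in the question.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;

public class ImportClientKey {

    /** Reads a whole file (Java 5 compatible; no java.nio.file). */
    static byte[] readFile(String path) throws Exception {
        File f = new File(path);
        byte[] buf = new byte[(int) f.length()];
        DataInputStream in = new DataInputStream(new FileInputStream(f));
        try { in.readFully(buf); } finally { in.close(); }
        return buf;
    }

    /** Parses one DER-encoded X.509 certificate (output of "openssl x509 -outform der"). */
    static Certificate readDerCert(String path) throws Exception {
        FileInputStream in = new FileInputStream(path);
        try {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names: clientkey.der is the unencrypted PKCS#8 key from
        // "openssl pkcs8 -topk8 -nocrypt -outform der"; ca.cer is the CA .pem converted the same way.
        RSAPrivateKey key = (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(readFile("clientkey.der")));
        Certificate clientCert = readDerCert("clientkey.cer");
        Certificate caCert = readDerCert("ca.cer");

        // chain[0] of the key entry must be the certificate for THIS key. In the question's
        // javax.net.debug output, chain[0] under "found key for : ypsilonclient" was the CA
        // certificate (CN=...-ca), so the handshake sent the wrong certificate; this check catches that.
        RSAPublicKey pub = (RSAPublicKey) clientCert.getPublicKey();
        if (!pub.getModulus().equals(key.getModulus())) {
            throw new IllegalStateException("clientkey.cer does not match clientkey.der");
        }

        char[] pw = "changeit".toCharArray();   // placeholder password, assumption
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                     // start from an empty store
        ks.setKeyEntry("ypsilonclient", key, pw, new Certificate[] { clientCert, caCert });
        FileOutputStream out = new FileOutputStream("keystore");
        try { ks.store(out, pw); } finally { out.close(); }
    }
}
```

Point javax.net.ssl.keyStore (or the SSLSocketFactory the HttpClient uses) at the written file; with the debug property on, "found key for : ypsilonclient" should now list the client certificate as chain [0].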

"Connection reset" usually means you have written to a connection that has already been closed by the other end. There are many other causes, but that is the most likely one. In this case you appear to be in the middle of the SSL handshake. You may need to disable SSLv2ClientHello in the enabled protocols.