5
嘗試實施客戶端身份驗證(使用自簽名ca)。使用HttpClient進行客戶端身份驗證
代碼如下所示:
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("client.p12"), "changeit".toCharArray())
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(null, new TrustSelfSignedStrategy()) //DONT DO THAT, IT'S JUST TO SIMPLIFY THIS EXAMPLE. USE REAL TrustStore WITH REAL SERVER CERTIFICATE IMPORTED. DONT TRUST SELF SIGNED
.loadKeyMaterial(keyStore, "changeit".toCharArray())
.build();
socketFactory = new SSLConnectionSocketFactory(
sslcontext,
new String[] {"TLSv1.2", "TLSv1.1"},
null,
new NoopHostnameVerifier()
);
HttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.build();
隨着-Djavax.net.debug=all我可以看到它正確地選擇我的證書,我看到的簽名,我看到的證書請求,並有ECDHClientKeyExchange等,都看起來很好。
但無論如何,我碰到的Nginx以下響應(具有狀態400):
<head><title>400 The SSL certificate error</title></head>
通知書的,不正確的證書/密鑰nginx的通常會下降,W/O提供純文本響應的任何細節。
這client.p12命令行的作品,如:
$ curl -ivk --cert client.p12:changeit https://192.168.1.1
* Rebuilt URL to: https://192.168.1.1/
* Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* Client certificate: client-es.certs.my
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate: server.certs.my
* Server certificate: ca.my
> GET/HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
因此,這關鍵是絕對有效的。但爲什麼它不適用於Java?有沒有什麼我在java ssl配置中錯過了?
您的證書是否已導入您的密鑰庫? – STaefi
它直接從'client.p12'加載。我也嘗試將它導入到密鑰庫中,但它不會改變任何東西 –