1. 首頁
  2. 問答
  3. Java的SSL握手失敗 - 沒有客戶端證書

Java的SSL握手失敗 - 沒有客戶端證書

2015-10-19 92 views
2

我在SSL客戶端使用第三方庫,構建執行對PKCS#7簽名CRL檢查。Java的SSL握手失敗 - 沒有客戶端證書

我創建了一個密鑰庫和信任,並把服務器的CA在我的信任。

展望下面的調試,該證書頒發機構和證書鏈都是空的。我的客戶沒有寄回他的證書。

你能解釋一下它發生了什麼嗎?

編輯

由於下面的評論,我理解,客戶端的「空CA」是沒有問題的。

的問題是,服務器請求客戶端證書,但我的客戶不將其發送到服務器。

爲什麼客戶端不發送他的證書?

keyStore is : [...] 
keyStore type is : jks 
keyStore provider is : 
init keystore 
init keymanager of type SunX509 
*** 
found key for : [...] 
chain [0] = [ 
... 
] 
*** 
trustStore is: [...] 
trustStore type is : jks 
trustStore provider is : 
init truststore 
adding as trusted cert: 
[...] 

trigger seeding of SecureRandom 
done seeding SecureRandom 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
[...] 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
main, setSoTimeout(10000) called 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1445266954 bytes = { 44, 84, 229, 125, 84, 33, 145, 120, 170, 228, 77, 65, 146, 200, 227, 227, 48, 200, 116, 240, 140, 55, 227, 162, 119, 75, 116, 47 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension server_name, server_name: [host_name: ...] 
*** 
[write] MD5 and SHA1 hashes: len = 176 
[...] 
main, WRITE: TLSv1 Handshake, length = 176 
[Raw write]: length = 181 
[...] 
[Raw read]: length = 5 
[...] 
[Raw read]: length = 85 
[...] 
main, READ: TLSv1 Handshake, length = 85 
*** ServerHello, TLSv1 
RandomCookie: GMT: 1929314415 bytes = { 133, 174, 213, 209, 239, 104, 185, 151, 182, 150, 87, 234, 171, 201, 244, 45, 171, 118, 159, 20, 148, 138, 19, 5, 1, 44, 188, 76 } 
Session ID: {144, 227, 198, 123, 46, 241, 49, 85, 156, 181, 102, 130, 42, 23, 39, 17, 11, 64, 23, 39, 166, 11, 119, 139, 12, 51, 60, 252, 170, 105, 23, 161} 
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
Extension server_name, server_name: 
*** 
%% Initialized: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA] 
** SSL_RSA_WITH_3DES_EDE_CBC_SHA 
[read] MD5 and SHA1 hashes: len = 85 
[...] 
[Raw read]: length = 5 
[...] 
[Raw read]: length = 1024 
[...] 
main, READ: TLSv1 Handshake, length = 1024 
*** Certificate chain 
chain [0] = [ 
[ 
[...] 
] 
    Algorithm: [SHA1withRSA] 
    Signature: 
[...] 

] 
*** 
Found trusted certificate: 
[ 
[...] 
] 
[read] MD5 and SHA1 hashes: len = 1024 
[...] 
[Raw read]: length = 5 
[...] 
[Raw read]: length = 8 
[...] 
main, READ: TLSv1 Handshake, length = 8 
*** CertificateRequest 
Cert Types: RSA 
Cert Authorities: 
<Empty> 
[read] MD5 and SHA1 hashes: len = 8 
[...] 
[Raw read]: length = 5 
[...] 
[Raw read]: length = 4 
[...] 
main, READ: TLSv1 Handshake, length = 4 
*** ServerHelloDone 
[read] MD5 and SHA1 hashes: len = 4 
[...] 
*** Certificate chain 
*** 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
[write] MD5 and SHA1 hashes: len = 269 
[...] 
main, WRITE: TLSv1 Handshake, length = 269 
[Raw write]: length = 274 
[...] 
SESSION KEYGEN: 
PreMaster Secret: 
[...] 
CONNECTION KEYGEN: 
Client Nonce: 
[...] 
Server Nonce: 
[...] 
Master Secret: 
[...] 
Client MAC write Secret: 
[...] 
Server MAC write Secret: 
[...] 
Client write key: 
[...] 
Server write key: 
[...] 
Client write IV: 
[...] 
Server write IV: 
[...] 
main, WRITE: TLSv1 Change Cipher Spec, length = 1 
[Raw write]: length = 6 
[...] 
*** Finished 
verify_data: { 212, 27, 4, 13, 87, 128, 70, 120, 43, 97, 111, 135 } 
*** 
[write] MD5 and SHA1 hashes: len = 16 
[...] 
Padded plaintext before ENCRYPTION: len = 40 
[...] 
main, WRITE: TLSv1 Handshake, length = 40 
[Raw write]: length = 45 
[...] 
[Raw read]: length = 5 
[...] 
[Raw read]: length = 2 
[...] 
main, READ: TLSv1 Alert, length = 2 
main, RECV TLSv1 ALERT: fatal, handshake_failure 
%% Invalidated: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA] 
main, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

來源

2015-10-19 jBravo

+0

我很驚訝做CRL檢查(在PKCS#7或其他任何東西)做任何SSL/TLS連接。 CRL獲取和OCSP的最佳做法是使用普通HTTP或其他簡單的LDAP,以避免無限循環。 * data *(CRL或OCSP主體)已經簽名,不需要進一步的完整性或通常的任何保密性。 –

+0

「ServerHelloDone」後面的'Certificate chain'消息中是否有任何內容(不確定是否刪除了一些行)。 – Bruno

+0

證書鏈是空的。 – jBravo

回答

1

我是缺少客戶端的證書必須由經過認證簽名請求(CSR)的服務器生成的事實。

的過程是:

  1. 產生一個密鑰對(經由密鑰工具-genkey)
  2. 生成PKCS#10 CSR(經由密鑰工具-certreq)
  3. 將CSR發送到有關當局
  4. 取回SSL證書

感謝您的評論,這些評論幫助我提高了我對ssl的理解。不發送任何證書

來源

2015-10-21 09:56:07 jBravo

0

的證書頒發機構和證書鏈都是空的。

這意味着服務器信任庫中沒有可信的CA證書。

我的客戶也不要扔回去了他的證書。

沒有發回他的證書。拋出異常,而不是證書。不要濫用標準術語。他不允許發送證書,除非他的證書被服務器稱爲他信任的證書請求消息中的一個CA信任。

來源

2015-10-19 16:32:14 EJP

+0

但是,如果服務器不信任任何人,我還可以建立SSL連接嗎?這是我的問題嗎? – jBravo

+0

我編輯了我的帖子來糾正我的術語錯誤。對不起。 – jBravo

+0

如果服務器沒有人信任,則沒有人可以通過客戶端證書進行身份驗證。然而,你的服務器正在請求一個,並且在沒有連接的時候放棄連接。你只需要下決心是否要客戶證書,如果是的話,你會信任哪些發行人。 – EJP

0

客戶端設備兩件事情:1。 服務器沒有要求任何證書(所以沒有CertificateRequest) 2.服務器已請求證書,但密鑰庫不要求有證書。

來源

2016-12-23 05:17:24 maddy10

相關問題

 相關問題