2016-05-19 68 views
0

I can't get a valid (not self-signed!) certificate configured in Wildfly 9: Java rejects a certificate that the browser accepts. I have configured the HTTPS connector in Wildfly:

  <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" /> 

Security realm:

 <security-realm name="UndertowRealm">
     <server-identities>
         <ssl>
             <keystore path="domain.p12" relative-to="jboss.server.config.dir" keystore-password="password"
                       alias="appcert" />
         </ssl>
     </server-identities>
 </security-realm>

The keystore was generated with this command:

 
openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name appcert -CAfile cafile.crt -caname root 

Now, when I open the application in a browser, everything works fine. The browser recognises the certificate as valid and does not raise the warning it shows for a self-signed certificate.

However, when I try to connect to the very same URL through SSLPoke.java, I get the following exception:

 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) 
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) 
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) 
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) 
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) 
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) 
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) 
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) 
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) 
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138) 
    at SSLPoke.main(SSLPoke.java:26) 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) 
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) 
    at sun.security.validator.Validator.validate(Validator.java:260) 
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) 
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) 
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) 
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) 
    ... 9 more 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) 
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) 
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) 
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) 
    ... 15 more 

If I import the certificate on the client, the error goes away, but I don't think I should have to do that, since this is a valid certificate.

The test code is as follows:

 
import java.io.InputStream;
import java.io.OutputStream;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Establishes an SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {

        if (args.length != 2) {
            System.out.println("Usage: " + SSLPoke.class.getName() + " <host> <port>");
            System.exit(1);
        }
        try {
            // The default factory validates the server against the JVM's default trust store
            // (lib/security/cacerts unless javax.net.ssl.trustStore is set)
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :) - the TLS handshake runs on this first write,
            // which is where the PKIX exception is thrown
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

What is going on here, and what is the correct way to set up the SSL certificate?
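The PKIX exception above only says that the validator could not reach a trust anchor; it does not say at which link in the chain it gave up. The following diagnostic is an added example, not part of the original question: it reads the chain a server actually sent (saved as PEM, for instance from `openssl s_client -connect host:8443 -showcerts`), validates it against the JRE's cacerts or any trust store you name with the same PKIX validator that JSSE uses, and prints every certificate together with the first rejected link. The class name ChainCheck, the file names and the command-line layout are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical diagnostic (not from the original post): validates a server's certificate chain
 * against a Java trust store and reports the first link the PKIX validator rejects.
 * Usage: java ChainCheck chain.pem [truststore-path [truststore-password]]
 * chain.pem can be produced with:
 *   openssl s_client -connect host:8443 -showcerts </dev/null 2>/dev/null \
 *     | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem
 * Without a trust store argument the running JRE's lib/security/cacerts is used.
 */
public class ChainCheck {

    /** Parse every PEM certificate in the file, in the order the server presented them. */
    static List<X509Certificate> readChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Load a trust store; a null path means the JRE's cacerts, a null password skips the integrity check. */
    static KeyStore loadTrustStore(String path, String password) throws Exception {
        Path p = path != null ? Paths.get(path)
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(p)) {
            ks.load(in, password != null ? password.toCharArray() : null);
        }
        return ks;
    }

    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Returns "OK: ..." naming the anchor, or "FAIL ..." naming the rejected certificate.
     * A self-signed root at the end of the chain is stripped first: PKIX takes the anchor from the
     * trust store, so an untrusted root then shows up as a failure on the certificate it signed.
     */
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        if (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // diagnosing the path only; no CRL/OCSP lookups
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK: chain anchors at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // index -1 means no anchor matched at all; the last certificate is then the dangling link
            int i = e.getIndex() >= 0 ? e.getIndex() : path.size() - 1;
            X509Certificate bad = path.get(i);
            return "FAIL at [" + i + "] reason=" + e.getReason() + ": subject=" + bad.getSubjectX500Principal()
                    + " issuer=" + bad.getIssuerX500Principal() + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("Usage: java ChainCheck chain.pem [truststore-path [truststore-password]]");
            System.exit(2);
        }
        List<X509Certificate> chain = readChain(Paths.get(args[0]));
        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    notAfter=%s%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), c.getNotAfter());
        }
        KeyStore ts = loadTrustStore(args.length > 1 ? args[1] : null, args.length > 2 ? args[2] : null);
        String verdict = validate(chain, ts);
        System.out.println(verdict);
        System.exit(verdict.startsWith("OK") ? 0 : 1);
    }
}
```

Read the output from the bottom up: the rejected link is the last certificate whose issuer the validator could not find. If that issuer is a CA the browser trusts, compare it against `keytool -list -keystore $JAVA_HOME/lib/security/cacerts` before importing anything; a chain that stops at an intermediate the server never sent fails with exactly the same "unable to find valid certification path" message as a genuinely unknown root, and the two have different fixes.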

Answers

0

This happens because none of the certificates in the chain is trusted by Java's trust store.

The most common fix is to import the top certificate (the last one in the chain, the topmost signer) into the JRE's lib/security/cacerts file.

1

The problem here is that, by default, Java ships with a very limited set of root CA certificates. It "accepts" far fewer CAs than a typical browser does. The simplest way around this is to export the set of CA certificates from a browser such as Chrome or Firefox and then import them into Java's keystore with keytool.
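Both answers recommend importing the signing CA into Java's trust store. As an added example (not from either answer), here is the same operation done programmatically, with two changes a practitioner usually wants: the result is written to a separate application trust store rather than into the JRE's own cacerts, so a JRE upgrade cannot silently discard the import, and only CA certificates become trust anchors, so a server's leaf certificate pasted into the PEM file by mistake is skipped. The class name TrustStoreBuilder, the file names and the alias scheme are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Hypothetical helper (not from the original post): builds an application trust store as a
 * PKCS12 copy of the JRE's cacerts plus the CA certificates from a PEM file.
 * Usage: java TrustStoreBuilder ca-roots.pem app-truststore.p12 <password>
 * Point a client at it with:
 *   java -Djavax.net.ssl.trustStore=app-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 \
 *        -Djavax.net.ssl.trustStorePassword=<password> SSLPoke host port
 */
public class TrustStoreBuilder {

    /** Copy every trusted-certificate entry of the JRE's cacerts into a fresh PKCS12 store. */
    static KeyStore copyOfCacerts() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore src = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            src.load(in, null); // null password: read without the integrity check
        }
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null); // initialise an empty store
        for (String alias : Collections.list(src.aliases())) {
            if (src.isCertificateEntry(alias)) {
                out.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return out;
    }

    /**
     * Add each CA certificate from the PEM file as a trusted entry and return how many were added.
     * Skipped: certificates without a CA basic constraint (this also skips old v1 roots that lack
     * the extension), certificates outside their validity period, and certificates already present.
     */
    static int addTrustedCas(KeyStore ks, Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                String dn = x.getSubjectX500Principal().getName();
                if (x.getBasicConstraints() < 0) {
                    System.out.println("skip (not a CA certificate): " + dn);
                    continue;
                }
                try {
                    x.checkValidity();
                } catch (Exception e) {
                    System.out.println("skip (not currently valid): " + dn);
                    continue;
                }
                String existing = ks.getCertificateAlias(x);
                if (existing != null) {
                    System.out.println("already trusted as '" + existing + "': " + dn);
                    continue;
                }
                // Alias scheme is an assumption: sanitised subject DN plus serial number for uniqueness
                String alias = ("ca-" + dn.replaceAll("[^A-Za-z0-9]+", "-") + "-"
                        + x.getSerialNumber().toString(16)).toLowerCase();
                ks.setCertificateEntry(alias, x);
                System.out.println("added as '" + alias + "': " + dn);
                added++;
            }
        }
        return added;
    }

    static void save(KeyStore ks, Path out, char[] password) throws Exception {
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("Usage: java TrustStoreBuilder ca-roots.pem app-truststore.p12 <password>");
            System.exit(2);
        }
        KeyStore ks = copyOfCacerts();
        int added = addTrustedCas(ks, Paths.get(args[0]));
        save(ks, Paths.get(args[1]), args[2].toCharArray());
        System.out.println(added + " CA certificate(s) added; " + ks.size()
                + " trusted entries written to " + args[1]);
    }
}
```

The `javax.net.ssl.trustStoreType=PKCS12` property matters on Java 8, where the default trust store type is JKS and a PKCS12 file would otherwise fail to load. Keeping the JRE's cacerts read-only also means the set of trust anchors an application relies on is versioned with the application, which is what you want when auditing which CAs a service is willing to accept.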