在相互身份验证时收到致命警报:unknown_ca [英] Received fatal alert: unknown_ca while mutual authentication

问题描述

我正在开发一个 Web 服务客户端，它需要与启用了相互身份验证的服务器进行通信.

I'm working on a web service client which need to communicate with a server who has mutual authentication enabled.

我已经完成了以下步骤.

I've done the following steps.

1. 将服务器证书(自签名)添加到信任存储并使用SSLSocketFactory 将其设置为HttpsURLConnection.
2. 将客户端证书(CA 签名)提供给服务器管理员，以将其添加到受信任的存储中.
3. 通过导入客户端证书创建了一个密钥库，并为 `HttpsURLConnection' 创建了一个密钥管理器.

当我尝试运行此示例时，出现异常提示

When I try to run this sample I'm getting an exception saying

org.springframework.ws.soap.axiom.AxiomSoapMessageException: Could not write message to OutputStream: java.net.SocketException: Software caused connection abort: recv failed; nested exception is javax.xml.stream.XMLStreamException: java.net.SocketException: Software caused connection abort: recv failed
        at org.springframework.ws.soap.axiom.AxiomSoapMessage.writeTo(AxiomSoapMessage.java:261)
        at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:45)
        at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:586)
        at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:549)
        at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:502)
        at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:480)
        at test.SamlTest.request(SamlTest.java:29)
        at test.SamlTest.main(SamlTest.java:63)
    Caused by: javax.xml.stream.XMLStreamException: java.net.SocketException: Software caused connection abort: recv failed
        at com.sun.xml.internal.stream.writers.XMLStreamWriterImpl.writeStartDocument(Unknown Source)
        at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.internalSerialize(SOAPEnvelopeImpl.java:193)
        at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:756)
        at org.apache.axiom.soap.impl.llom.SOAPMessageImpl.internalSerialize(SOAPMessageImpl.java:71)
        at org.apache.axiom.om.impl.llom.OMDocumentImpl.internalSerialize(OMDocumentImpl.java:324)
        at org.apache.axiom.om.impl.llom.OMDocumentImpl.serialize(OMDocumentImpl.java:375)
        at org.springframework.ws.soap.axiom.AxiomSoapMessage.writeTo(AxiomSoapMessage.java:252)
        ... 7 more
    Caused by: java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source)
        at com.sun.net.ssl.internal.ssl.InputRecord.readV3Record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
        at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:81)
        at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(AbstractSenderConnection.java:101)
        at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
        at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:64)
        at com.sun.xml.internal.stream.writers.UTF8OutputStreamWriter.write(Unknown Source)
        at com.sun.xml.internal.stream.writers.UTF8OutputStreamWriter.write(Unknown Source)
        ... 14 more

我错过了什么?

更新

请在启用jvm日志后查找日志

Please find the log after enabling jvm log

trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1274794757 bytes = { 250, 192, 120, 159, 84, 244, 96, 103, 128, 221, 36, 200, 229, 95, 84, 152, 179, 202, 161, 56, 95, 161, 234, 136, 128, 52, 45, 228 }
    Session ID:  {}
    Compression Methods:  { 0 }
    ***
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    main, READ: TLSv1 Handshake, length = 976
    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: EMAILADDRESS=email@email.com, CN=email@email.com, OU=MyOU, O=xyz
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

      Key:  Sun RSA public key, 1024 bits
      public exponent: 65537
      Validity: [From: Tue Jul 18 02:30:07 IST 2006,
                   To: Mon Jul 13 02:30:07 IST 2026]
      Issuer: EMAILADDRESS=email@email.com, CN=email@email.com, OU=MyOU, O=xyz
      SerialNumber: [   ]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    ]
    ]

    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    ]

    [EMAILADDRESS=email@email.com, CN=email@email.com, OU=MyOU, O=xyz]
    SerialNumber: [    ecbcae10 2ba4c279]
    ]

    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    ]
      Algorithm: [MD5withRSA]
      Signature:

    ]
    ***
    main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
    main, WRITE: TLSv1 Alert, length = 2
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.arun.test.http.TiMutualAuthClient.main(TiMutualAuthClient.java:71)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 13 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 19 more

谢谢

推荐答案

我认为问题出在我使用的客户端证书上.它设置了以下扩展值

I think the problem was with the client certificate used by me. It has the following extension values set

证书密钥使用
关键
签约
不可否认
密钥加密
数据加密

扩展密钥使用
不重要
TLS Web 服务器认证 (1.3.6.1.5.5.7.3.1)
TLS Web 客户端身份验证 (1.3.6.1.5.5.7.3.2)

Certificate Key Usage
Critical
Signing
Non-repudiation
Key Encipherment
Data Encipherment

Extended Key Usage
Not Critical
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

一旦我创建了一个没有任何扩展的自签名证书并将其用作我的客户端证书，它就可以正常工作.

Once I created a self signed certificate without any extensions and used it as my client certificate, it worked fine.

这篇关于在相互身份验证时收到致命警报:unknown_ca的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！