Java SSL握手异常-“无法找到有效的证书路径" [英] Java SSL handshake exception - "unable to find valid certification path"
问题描述
我尝试使用安全的SSL(TLS)连接和2路SSL身份验证在Java上制作服务器和客户端应用程序.单向SSL(无客户端身份验证)效果很好.启用了客户端身份验证后,客户端将无法进行异常握手:
I try to make server and client apps on Java with secure SSL (TLS) connection and 2-way SSL authentication. 1-way SSL (without client authentication) works well. With enabled client authentication client can't make handshake with exception:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
服务器没有任何例外.我在服务器和客户端中使用Netty. 我对服务器和客户端使用自签名证书.服务器和客户端-现在是一台物理主机.我已经使用此工具在信任库中添加了服务器的证书:
Server don't have any exceptions. I use Netty in server and client. I use self-signed certificates for server and client. Server and client - it's one physical host now. I'm already added server's certificate in truststore with this tool:
https://java-use-examples.googlecode.com/svn/trunk/src/com/aw/ad/util/InstallCert.java
客户代码.主要.
public class SClientApp {
public static final String HOST = "127.0.0.1";
public static final int PORT = 8888;
public static void main(String[] args) throws Exception {
System.setProperty("javax.net.ssl.trustStore", "/etc/ssl/certs/java/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
// Configure SSL (TLS)
File tls_cert = new File("tls/client1.pem");
SslContext sslCtx = null;
try {
sslCtx = SslContext.newClientContext(tls_cert);
} catch (SSLException e) {
e.printStackTrace();
}
EventLoopGroup group = new NioEventLoopGroup();
try {
Bootstrap b = new Bootstrap();
b.group(group)
.channel(NioSocketChannel.class)
.handler(new SClientInitializer(sslCtx));
// Start the connection attempt.
Channel ch = b.connect(HOST, PORT).sync().channel();
...
} finally {
// The connection is closed automatically on shutdown.
group.shutdownGracefully();
}
}
}
客户代码. SClientInitializer.
Client code. SClientInitializer.
public class SClientInitializer extends ChannelInitializer<SocketChannel> {
private final SslContext sslCtx;
public SClientInitializer(SslContext sslCtx) {
this.sslCtx = sslCtx;
}
@Override
protected void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline pipeline = ch.pipeline();
SSLEngine ssl_engine = sslCtx.newEngine(ch.alloc(), SClientApp.HOST, SClientApp.PORT);
ssl_engine.setUseClientMode(true);
pipeline.addLast(new SslHandler(ssl_engine));
// On top of the SSL handler, add the text line codec.
pipeline.addLast(new DelimiterBasedFrameDecoder(8192, Delimiters.lineDelimiter()));
pipeline.addLast(new StringDecoder());
pipeline.addLast(new StringEncoder());
// and then business logic.
pipeline.addLast(new SClientHandler());
}
}
服务器代码.主要.
public class ServerApp {
static final int PORT = Integer.valueOf(Params.get(Const.SERVER_PORT));
public static void main(String[] args) {
System.setProperty("javax.net.ssl.trustStore", "/etc/ssl/certs/java/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
// Configure SSL (TLS)
File tls_cert = new File("tls/server.pem"); // SSL-cert
File tls_key = new File("tls/server.key.pkcs8"); // Private key
SslContext sslCtx = null;
try {
sslCtx = SslContext.newServerContext(tls_cert, tls_key);
} catch (SSLException e) {
e.printStackTrace();
}
EventLoopGroup bossGroup = new NioEventLoopGroup(1);
EventLoopGroup workerGroup = new NioEventLoopGroup(2);
try {
ServerBootstrap b = new ServerBootstrap();
b.group(bossGroup, workerGroup)
.channel(NioServerSocketChannel.class)
.childHandler(new ServerNetInitializer(sslCtx));
ChannelFuture f = null;
try {
f = b.bind(PORT).sync();
f.channel().closeFuture().sync();
} catch (InterruptedException e) {
e.printStackTrace();
}
} finally {
bossGroup.shutdownGracefully();
workerGroup.shutdownGracefully();
}
}
}
服务器代码.初始化程序.
Server code. Initializer.
public class ServerNetInitializer extends ChannelInitializer<SocketChannel> {
private final SslContext sslCtx;
public ServerNetInitializer(SslContext sslCtx) {
this.sslCtx = sslCtx;
}
@Override
protected void initChannel(SocketChannel ch) {
ChannelPipeline pipeline = ch.pipeline();
SSLEngine ssl_engine = sslCtx.newEngine(ch.alloc());
ssl_engine.setUseClientMode(false);
ssl_engine.setNeedClientAuth(true);
pipeline.addLast(new SslHandler(ssl_engine));
// On top of the SSL handler, add the text line codec.
pipeline.addLast(new DelimiterBasedFrameDecoder(8192, Delimiters.lineDelimiter()));
pipeline.addLast(new StringDecoder());
pipeline.addLast(new StringEncoder());
// and then business logic.
pipeline.addLast(new ServerNetHandler());
}
}
更新1.
JdkSslClientContext和JdkSslServerContext类可以帮助我.
Classes JdkSslClientContext and JdkSslServerContext helps me.
在服务器端:
sslCtx = new JdkSslServerContext(client_tls_cert, null,
server_tls_cert, server_tls_key, "", null,
null, IdentityCipherSuiteFilter.INSTANCE, (ApplicationProtocolConfig) null, 0, 0);
在客户端:
sslCtx = new JdkSslClientContext(server_tls_cert,null,client_tls_cert,client_tls_key,"", null, null,IdentityCipherSuiteFilter.INSTANCE,(ApplicationProtocolConfig) null,0,0);
更新2
在服务器端,最好使用TrustManagerFactory而不是客户端证书的File对象,因为您可能有很多客户端:
On server side better use TrustManagerFactory instead of File object of client certificate, because you may have many clients:
KeyStore ts = null;
ts = KeyStore.getInstance("JKS");
ts.load(new FileInputStream(System.getProperty("javax.net.ssl.trustStore")),
System.getProperty("javax.net.ssl.trustStorePassword").toCharArray());
// set up trust manager factory to use our trust store
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);
SslContext sslCtx = null;
try {
sslCtx = new JdkSslServerContext(null, tmf,
server_tls_cert, server_tls_key, "", null,
null, IdentityCipherSuiteFilter.INSTANCE, (ApplicationProtocolConfig) null, 0, 0);
} catch (SSLException e) {
log.error("Making ssl context for server - Exception: " + e.toString());
e.printStackTrace();
}
推荐答案
由于不建议使用JdkSslClientContext
,请使用io.grpc.netty.GrpcSslContexts
创建io.netty.handler.ssl.SslContextBuilder
.
Since JdkSslClientContext
is deprecated, use io.grpc.netty.GrpcSslContexts
to create a io.netty.handler.ssl.SslContextBuilder
.
示例(无相互身份验证):
Examples (no mutual auth):
客户
InputStream trustCertCollection = new FileInputStream("certs/ca.crt");
SslContextBuilder builder = GrpcSslContexts.forClient();
builder.trustManager(trustCertCollection);
SslContext sslContext = builder.build();
服务器
InputStream certChain = new FileInputStream("certs/server.crt")
InputStream privateKey = new FileInputStream("certs/server.pk8");
SslClientContextBuilder sslClientContextBuilder = SslContextBuilder.forServer(certChain, privateKey);
SslContext sslContext = GrpcSslContexts.configure(sslClientContextBuilder).build();
这篇关于Java SSL握手异常-“无法找到有效的证书路径"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!