在自定义的ClosableHttpClient上为zuul发送客户端证书 [英] Sending client certificates on custom ClosableHttpClient for zuul
问题描述
我正在尝试发送带有zuul forwardproxy传出请求的X.509客户端证书.证书包含在我使用SSLContext上的 loadKeyMaterial()
加载的密钥库中.
I'm trying to send an X.509 client certificate with outgoing requests for zuul forwardproxy. Certificate is included in the keystore which i'm loading with loadKeyMaterial()
on SSLContext.
这是代码:
@Bean
public CloseableHttpClient httpClient() throws Throwable {
SSLContext sslcontext = SSLContexts.custom()
.loadKeyMaterial(new File(keyStorePath), keyStorePass, keyStorePass, new PrivateKeyStrategy() {
@Override
public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
return alias;
}
})
.loadTrustMaterial(new File(keyStorePath), keyStorePass, new TrustSelfSignedStrategy())
.build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslcontext,
new String[] { "TLSv1.3" },
new String[] { "TLS_DHE_RSAWITH_AES_256_GCM_SHA384" },
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return HttpClients.custom().setSSLSocketFactory(sslsf)
.build();
}
当我发出测试请求时,我收到收到的致命警报:handshake_failure
,并且在详细的日志上,我看到消息没有用于客户端身份验证的X.509证书,请使用空的证书消息代替
.我如何使httpClient将证书作为X.509客户端证书发送?
when i make a test request i'm getting Received fatal alert: handshake_failure
and on the verbose logs i see the message No X.509 certificate for client authentication, use empty Certificate message instead
. How i can make the httpClient send the certificate as X.509 client certificate?
推荐答案
在我的情况下,我遇到了类似的问题,这是两部分解决方案.
I had encountered simmilar problem in my case it was two part solution.
- 正确导入证书,
我错误地创建了密钥库:
I had incorrectly created keystore:
keytool -importcert -keystore keystore.jks -alias client-cert -file client-cert.pem -storepass password
对我有帮助的是:
openssl pkcs12 -export -chain -in client-cert.pem -inkey client-key.pem -out keystore.p12 -name client-cert -CAfile ca-cert.pem
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -alias client-cert
我在这里找到了: https://blogs.oracle.com/jtc/将信任的证书安装到Java密钥库中
- spring-cloud-starter-zuul 1.1.5.RELEASE的问题.Zuul没有使用我自定义的CloseableHttpClient,此问题已在 https:/中解决/github.com/spring-cloud/spring-cloud-netflix/issues/2026 ,升级到1.4.2.后,此问题已解决.
- Problem with spring-cloud-starter-zuul 1.1.5.RELEASE. Zuul did not used my custom CloseableHttpClient, this issue was solved in https://github.com/spring-cloud/spring-cloud-netflix/issues/2026 and after upgrading to 1.4.2.RELEASE this problem was fixed.
这篇关于在自定义的ClosableHttpClient上为zuul发送客户端证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!