javax.net.ssl.SSLProtocolException: The certificate chain length (11) exceeds the maximum allowed length (10)

Problem description

I'm struggling since my Java MVC web application started throwing an exception when trying to create a WebService that has a specific https address (https://barramento.caixa.gov.br/sibar/ManutencaoCobrancaBancaria/Boleto/Externo?xsd=xsd0).

After enabling the javax.net.debug I figured out that the root cause of the problem seems to be the length of the certificate chain of the server application where I'm trying to connect to.

At first, I suspected the TLS version, but using nmap I was able to find the version of TLS the server is using as well as the ciphers, and they are not the problem. The server supports TLS1.1. I've already configured my server to work with this version, but it did not help at all.

I've searched all over the web for some information that could help, but I was not able to find anything on Google pointing to anything even close to "javax.net.ssl.SSLProtocolException: The certificate chain length".

Here is the stack trace:

javax.net.ssl|FINE|26|http-nio-8080-exec-2|2020-11-06 17:30:36.178 BRT|Logger.java:765|READ: TLSv1.1 handshake, length = 3835
javax.net.ssl|SEVERE|26|http-nio-8080-exec-2|2020-11-06 17:30:36.188 BRT|Logger.java:765|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLProtocolException: The certificate chain length (11) exceeds the maximum allowed length (10)
        at sun.security.ssl.CertificateMessage$T12CertificateMessage.<init>(CertificateMessage.java:143)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)

Caused by: javax.net.ssl.SSLProtocolException: The certificate chain length (11) exceeds the maximum allowed length (10)
                at sun.security.ssl.CertificateMessage$T12CertificateMessage.<init>(CertificateMessage.java:143)
                at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:363)
                at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
                at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
                at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
                at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
                at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
                at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
                at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
                at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)

This post clarified a lot and gave me some guidance to understand the problem, but it was not enough.

Note: the strange thing is that this problem happens when running my application from an Ubuntu instance using Java 1.8.0_272. When I run my application from a Windows machine (also using Java 1.8.0_272) it doesn't happen.

Is there any JVM argument or any other way of setting the length of the allowed certificate chain?

Has anyone already faced something like that?

Recommended answer

As pointed out by @dave_thompson_085, the actual chain is only 4. The problem was the many certificates sent by the server (also pointed out by @dave_thompson_085).

Adding the "-Djdk.tls.maxCertificateChainLength=15" JVM argument solved the issue.

Thanks a lot, @dave_thompson_085.
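
Added example, not part of the original answer and not JDK code: a Python parser that counts the certificates a server puts in its TLS 1.2 Certificate message, which shows how the count can be 11 even when the validated path is only 4. It assumes the Certificate message layout from RFC 5246 (a 3-byte list length, then a 3-byte length plus DER bytes per certificate); the default limit of 10 is the one quoted in the exception, and the sample message is constructed from placeholder blobs.

```python
DEFAULT_LIMIT = 10  # limit quoted in the exception text on this page


def build_certificate_message(certs):
    """Encode a TLS 1.2 Certificate handshake body (RFC 5246, section 7.4.2)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


def parse_certificate_list(body):
    """Return every certificate blob in a TLS 1.2 Certificate handshake body."""
    if len(body) < 3:
        raise ValueError("truncated certificate_list length")
    total = int.from_bytes(body[:3], "big")
    if total != len(body) - 3:
        raise ValueError("certificate_list length does not match body")
    certs, pos = [], 3
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated certificate length")
        n = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if n == 0 or pos + n > len(body):
            raise ValueError("bad certificate entry length")
        certs.append(body[pos:pos + n])
        pos += n
    return certs


def check_sent_chain(body, limit=DEFAULT_LIMIT):
    """Compare the number of certificates sent (not the validated path) with the limit."""
    sent = len(parse_certificate_list(body))
    return {"sent": sent, "limit": limit, "accepted": sent <= limit}


# Constructed sample: 11 placeholder blobs standing in for DER certificates.
SAMPLE = build_certificate_message([b"\x30\x03CRT" + bytes([i]) for i in range(11)])

if __name__ == "__main__":
    print(check_sent_chain(SAMPLE))            # default limit of 10
    print(check_sent_chain(SAMPLE, limit=15))  # value used in the answer
```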
