Mutual TLS works with Postman or SoapUI but doesn't work with Java / Spring Boot


Problem description

I try to call an endpoint via HTTP POST, which is secured via mutual TLS, which means that I am using a keystore / truststore in order to authenticate. When I try via SoapUI / Postman it works fine; of course I have to provide the keystore in my settings for both tools.

However, via a Spring Boot app it does not work (Spring Boot v2.4.4, Spring v5.3.5 using Java 14.0.2). Here are snippets of the corresponding code (since the class is pretty big):

@PostConstruct
private void init() {

    spKeyStore = FilenameUtils.normalize(spKeyStore, true);

    requestFactory = new HttpComponentsClientHttpRequestFactory();
    requestFactory.setHttpClient(createHttpClient());

    insuranceCertificationOutputTemplate = new RestTemplate(requestFactory);
    insuranceCertificationOutputTemplate.getMessageConverters().add(0, getMapping());

    authTemplate = new RestTemplate(requestFactory);
}

@PreDestroy
private void destroy() {
    if (requestFactory != null && requestFactory.getHttpClient() != null) {
        try {
            CloseableHttpClient httpClient = (CloseableHttpClient) requestFactory.getHttpClient();
            httpClient.close();
        }
        catch (Exception e) {
            LogUtil.log(LOGGER, LogLevel.ERROR, "Error closing http client");
            throw new NestedException(e);
        }
    }
}

private HttpClient createHttpClient() {

    HttpHost proxy = new HttpHost(proxyHost, proxyPort);
    DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy);

    CredentialsProvider credentialsProvider = null;
    if (adapterTools.isLocalEnvironment()) {
        LogUtil.log(LOGGER, LogLevel.INFO, "..."); // log message text truncated in the original post
        credentialsProvider = new SystemDefaultCredentialsProvider();
    }
    else { //not relevant

    }

    PoolingHttpClientConnectionManager poolingConnManager = new PoolingHttpClientConnectionManager();
    poolingConnManager.setDefaultMaxPerRoute(CONNECTION_MANAGER_MAX_PER_ROUTE); //10
    poolingConnManager.setMaxTotal(CONNECTION_MANAGER_MAX_TOTAL); //20

    CloseableHttpClient httpClient = null;

    try {
        System.setProperty(SYS_PROP_KEY_STORE, spKeyStore);
        System.setProperty(SYS_PROP_KEY_STORE_PASSWORD, spKeyStorePassword);
        System.setProperty(SYS_PROP_KEY_STORE_TYPE, spKeyStoreType);

        KeyStore keystore = KeyStore.getInstance(spKeyStoreType);
        // try-with-resources closes the keystore stream (the original never closed it)
        try (InputStream fileInputStream = new FileInputStream(spKeyStore)) {
            keystore.load(fileInputStream, spKeyStorePassword.toCharArray());
        }

        SSLContext sslContext =
                SSLContexts.custom().loadKeyMaterial(keystore, spKeyStorePassword.toCharArray())
                        //                  .loadTrustMaterial(new TrustAllStrategy()) //tried this, didn't help
                        .build();

        SSLConnectionSocketFactory sslSocketFactory =
                new SSLConnectionSocketFactory(sslContext, SUPPORTED_PROTOCOLS, null,
                        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        //tried TLSv1.2 and TLSv1.3

        httpClient =
                HttpClients.custom().setSSLSocketFactory(sslSocketFactory)
                        .setDefaultCredentialsProvider(credentialsProvider).disableCookieManagement()
                        .setConnectionManager(poolingConnManager).setRoutePlanner(routePlanner).build();
    }
    catch (Exception e) {
        LogUtil.log(LOGGER, LogLevel.ERROR, "Error initializing http client ");
        throw new NestedException(e);
    }
    return httpClient;
}

private boolean endpointHttpPostCall() {

    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_JSON);

    String KeyJson = String.format("{ \"key\": \"%s\" }", Token);

    HttpEntity<String> entity = new HttpEntity<>(KeyJson, headers);

    String uriString = UriComponentsBuilder.fromHttpUrl(Endpoint).toUriString();

    ResponseEntity<String> reply = authTemplate.exchange(uriString, HttpMethod.POST, entity, String.class);

    ...
}

So as you can see, I finally use the org.springframework.web.client.RestTemplate.exchange method for the POST. However, I tried to replicate the behaviour via a small Java app to make sure it's not Spring Boot related, and it failed as well (via the Apache HttpPost method). I am receiving a 403 and I debugged TLS as well. What I found out when comparing the SoapUI vs Spring Boot/Java TLS debug was the following:

The crucial part seems to be the *** CertificateRequest part, because here, when it's failing, I can see: Warning: no suitable certificate found - continuing without client authentication.

I read that this means that the server's truststore is empty, however why doesn't it fail via SoapUI then?

Another thing that stood out when comparing the TLS debugs is that the Cert Authorities are listed in a clean way for Spring Boot, like:

Cert Authorities:
<CN=localhost, OU=Dummy, O=OtherComp, L=Frankfurt, ST=Hessen, C=DE>
<CN=myapp.domain.company, O=MyComp, C=DE>
...

While for SoapUI it looks like:

Cert Authorities:
0000: 64 61 74<CN=localhost, OU=Dummy, O=OtherComp, L=Cologne, ST=Hessen, C=DE>
 61 3D 57 33 73   69 5A 58 5A 6C 62 6E 51  data=W3siZXZlbnQ
0010: 69 4F 69 4A 54 5A 57 35   6B 55 6D 56 78 64 57 56  iOiJTZW5kUmVxdWV
0020: 7A 64 ...

57 39 vZHVjdF92ZXJzaW90090: 75 49 6A 6F 69 4E 53 34 31 4C 6A 41 69 4C 43 4A uIjoiNS41LjAiLCJ00A0:51 63 6D 39 6B 64 57 4E 30 51 58 4A 6C 59 53 49 Qcm9kdWN0QXJlYSI...

<CN=myapp.domain.company, O=MyComp, C=DE> 57 39 vZHVjdF92ZXJzaW9 0090: 75 49 6A 6F 69 4E 53 34 31 4C 6A 41 69 4C 43 4A uIjoiNS41LjAiLCJ 00A0: 51 63 6D 39 6B 64 57 4E 30 51 58 4A 6C 59 53 49 Qcm9kdWN0QXJlYSI ...

I am not sure why this differs, to be frank; I expect both to look equal. But of course SoapUI uses a different Java version (which I tried to use as well for Spring Boot/Java; it didn't help, and I haven't compared the mentioned part).

I also read that this could mean that my keystore has not been created correctly, but here also the question is why it does not fail then via SoapUI or Postman? Or am I doing anything else improperly?

So here is the SSL debug, which I modified for readability, also to remove all private info:

javax.net.ssl|DEBUG|01|main|2021-06-10 14:10:15.471 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates ( "certificate" :... lots of certificates

Then:

javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.212 CEST|SignatureScheme.java:294|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.212 CEST|SignatureScheme.java:294|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|7A|myFunction-step-db|2021-06-10 14:10:52.217 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.218 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.218 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|PreSharedKeyExtension.java:633|No session to resume.
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.242 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "0....",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302),....]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=api.marketplace.syncier.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256...]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256...]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 ..
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.354 CEST|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "9B ...,
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "server_name (0)": {
      <empty extension_data field>
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    },
    "extended_master_secret (23)": {
      <empty>
    }
  ]
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.354 CEST|SSLExtensions.java:170|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.355 CEST|ServerHello.java:967|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.355 CEST|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: server_name
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: pre_shared_key
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:204|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:204|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.363 CEST|CertificateMessage.java:357|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "04 EF A8 05 97 22 6F 87 E2 5A FC 22 7E 89 BB 1F CC 81",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=R3, O=Let's Encrypt, C=US",
    "not before"         : "2021-03-12 15:31:23.000 CET",
    "not  after"         : "2021-06-10 16:31:23.000 CEST",
    "subject"            : "CN=api.marketplace.syncier.com",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
      },
      {
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        AuthorityInfoAccess [
          [
           accessMethod: ocsp
           accessLocation: URIName: http://r3.o.lencr.org
        , 
           accessMethod: caIssuers
           accessLocation: URIName: http://r3.i.lencr.org/
        ]
        ]
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: 14 ...
        0010: 8B 14 C2 C6                                        ....
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.32 Criticality=false
        CertificatePolicies [
          [CertificatePolicyId: [2.23.140.1.2.1]
        []  ]
          [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
        [PolicyQualifierInfo: [
          qualifierID: 1.3.6.1.5.5.7.2.1
          qualifier: 0000: 16 1A 66C 65 74  ..http://cps.let
        0010: 73 ...            sencrypt.org
        
        ]]  ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: api.marketplace.syncier.com
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 1C 2F 4C 87 8A BE 65 82   48 92 B9 44 EE CE 14 FE  ./L...e.H..D....
        0010: D9 5F 85 7E                                        ._..
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "40 01 75 04 83 14 A4 C8 21 8C 84 A9 0C 16 CD DF",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "not before"         : "2020-10-07 21:21:40.000 CEST",
    "not  after"         : "2021-09-29 21:21:40.000 CEST",
    "subject"            : "CN=R3, O=Let's Encrypt, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        AuthorityInfoAccess [
          [
           accessMethod: caIssuers
           accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
        ]
        ]
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: C4 A7 B1                                      `...
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:0
        ]
      },
      {
        ObjectId: 2.5.29.31 Criticality=false
        CRLDistributionPoints [
          [DistributionPoint:
             [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
        ]]
      },
      {
        ObjectId: 2.5.29.32 Criticality=false
        CertificatePolicies [
          [CertificatePolicyId: [2.23.140.1.2.1]
        []  ]
          [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
        [PolicyQualifierInfo: [
          qualifierID: 1.3.6.1.5.5.7.2.1
          qualifier: 0000: 16 22 ...                                     .org
        
        ]]  ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 14 2E B3 1                                   ....
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.429 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "44 AF B0 80 D6 A3 27 BA 89 30 39 86 2E F8 40 6B",
    "signature algorithm": "SHA1withRSA",
    "issuer"             : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "not before"         : "2000-09-30 23:12:19.000 CEST",
    "not  after"         : "2021-09-30 16:01:15.000 CEST",
    "subject"            : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
        0010: 60 85 89 10                                        `...
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.436 CEST|ECDHServerKeyExchange.java:534|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 28 25 ...                                             .
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 7E 37 D2 8...
      0070: ...
    },
  }
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.438 CEST|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [...]
  "certificate authorities": [CN=localhost, OU=Marketplace, O=Syncier, L=Munich, ST=Bayern, C=DE, CN=myurl.mycomp, O=mycomp, C=DE, CN=myurl.mycomp1, O=mycomp, C=DE, CN=mycomp, O=mycomp, C=DE, CN=myurl.mycomp1, O=mycomp, C=DE, CN=mycomp CA II, O=mycomp, C=DE, CN=mycomp Root CA, O=mycomp, C=DE]
}
)
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.439 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:743|Unable to produce CertificateVerify for signature scheme: ed25519
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:743|Unable to produce CertificateVerify for signature scheme: ed448
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.452 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 53 8E 83F(..
    0040: F                                              .
  },
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.473 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.474 CEST|Finished.java:398|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 9... 
  }'}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.523 CEST|ChangeCipherSpec.java:149|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.525 CEST|Finished.java:535|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 53 ...
  }'}
) 

Recommended answer

Finally I could solve it by adding / replacing this way:

    KeyStore trustStore = KeyStore.getInstance("JKS");
    fileInputStream = new FileInputStream("C:/Program Files/Java/jdk1.8.0_181/jre/lib/security/cacerts");
    trustStore.load(fileInputStream, "changeit".toCharArray());

    // explicit KeyManager built from the client keystore
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keystore, keyStorePassword.toCharArray());

    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(trustStore);

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

    // socket factory built from this context, as in the question's code
    SSLConnectionSocketFactory sslSocketFactory =
            new SSLConnectionSocketFactory(sslContext, SUPPORTED_PROTOCOLS, null,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier());

    // register the factory with the connection manager: HttpClientBuilder overrides a factory
    // given only to setSSLSocketFactory() once setConnectionManager() is also called
    Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder
            .<ConnectionSocketFactory>create()
            .register("https", sslSocketFactory)
            .register("http", PlainConnectionSocketFactory.INSTANCE)
            .build();

    PoolingHttpClientConnectionManager poolingConnManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
    poolingConnManager.setDefaultMaxPerRoute(CONNECTION_MANAGER_MAX_PER_ROUTE);
    poolingConnManager.setMaxTotal(CONNECTION_MANAGER_MAX_TOTAL);

    HttpClientBuilder builder = HttpClientBuilder.create();
    builder.disableCookieManagement()
            .setDefaultCredentialsProvider(credentialsProvider)
            .setConnectionManager(poolingConnManager)
            .setSSLSocketFactory(sslSocketFactory)
            .setRoutePlanner(routePlanner);

    httpClient = builder.build();
        

What really helped in retrospect was debugging literally everything related to SSL, especially the restTemplate in case you use it. In my case this object path was key to the fix: authTemplate-requestFactory-httpClient-connManager-connectionOperator-socketFactoryRegistry. Here I could see a property with a value like "DummyX509Keymanager" which had not been set. After I tried several things, finally the KeyManager was set properly.
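The log lines `No X.509 cert selected for RSA` and `No available authentication scheme`, followed by the empty client Certificate message, are the JSSE KeyManager finding no key entry whose chain was issued by one of the CAs named in the server's CertificateRequest. The following is an added example, not code from the question or the answer: it replays that selection offline against a keystore, using the same X509KeyManager JSSE would consult, and when nothing is selected explains why entry by entry. The keystore file name and password are placeholders, and the CA names are constructed to resemble the ones in the question's log.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public final class MtlsClientCertCheck {

    /** Loads a JKS or PKCS12 keystore and closes the file afterwards. */
    static KeyStore loadKeyStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** KeyManagers built from the client keystore; JSSE consults these on CertificateRequest. */
    static KeyManager[] keyManagers(KeyStore keyStore, char[] keyPassword) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    // Replays the decision behind "No X.509 cert selected for RSA": which alias would be presented
    // for this key type to the CAs listed in CertificateRequest? null means none, i.e. the client
    // goes on to send the empty Certificate message seen in the question's log.
    static String aliasOfferedTo(KeyManager[] kms, String keyType, String... issuerDns) {
        Principal[] issuers = Arrays.stream(issuerDns).map(X500Principal::new).toArray(Principal[]::new);
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseClientAlias(new String[] { keyType }, issuers, null);
            }
        }
        return null;
    }

    // Explains a null result: for each entry, whether it has a private key at all and whether any
    // certificate in its chain was issued by one of the CAs the server asked for.
    static void describeEntries(KeyStore keyStore, String... issuerDns) throws GeneralSecurityException {
        Set<X500Principal> wanted = Arrays.stream(issuerDns).map(X500Principal::new).collect(Collectors.toSet());
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only (no private key), never offered");
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || !(chain[0] instanceof X509Certificate)) {
                System.out.println(alias + ": key entry without an X.509 chain (e.g. a secret key), never offered");
                continue;
            }
            boolean reachesRequestedCa = Arrays.stream(chain)
                    .map(c -> ((X509Certificate) c).getIssuerX500Principal()).anyMatch(wanted::contains);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": " + leaf.getPublicKey().getAlgorithm() + " key, issuer="
                    + leaf.getIssuerX500Principal().getName() + ", chain reaches a requested CA: " + reachesRequestedCa);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file name and password; the CA names are constructed after the question's log.
        char[] pw = "changeit".toCharArray();
        String[] requestedCas = { "CN=mycomp CA II, O=mycomp, C=DE", "CN=mycomp Root CA, O=mycomp, C=DE" };
        KeyStore keyStore = loadKeyStore("client-keystore.p12", "PKCS12", pw);
        KeyManager[] kms = keyManagers(keyStore, pw);
        boolean anyOffered = false;
        // rsa_sign, ecdsa_sign and dss_sign from "certificate types" correspond to these key types
        for (String keyType : new String[] { "RSA", "EC", "DSA" }) {
            String alias = aliasOfferedTo(kms, keyType, requestedCas);
            System.out.println(keyType + ": " + (alias == null ? "no X.509 cert selected" : "would present alias " + alias));
            anyOffered |= alias != null;
        }
        if (!anyOffered) {
            System.out.println("client would send an empty Certificate message; keystore contents:");
            describeEntries(keyStore, requestedCas);
        }
    }
}
```

If every key type prints "no X.509 cert selected" while the keystore does list a private key, the per-entry lines show whether the problem is a missing private key, a chain whose issuer is not among the requested CAs, or a key algorithm the server does not accept.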
