如何配置与apache.commons.net.ftps客户端身份验证？ [英] How to configure client authentication with apache.commons.net.ftps?

问题描述

我使用的 apache.commons.net 的-framework在Java中实现一个FTPS客户端（FTP通过SSL / TLS）。
它配置做默认的端口21上的明确的安全性。

I implemented a FTPS client (FTP over SSL/TLS) in java using the apache.commons.net-framework. It is configured to do explicit security on the default port 21.

ftpsClient = new FTPSClient(false);
ftpsClient.setTrustManager(getConfiguration().getCertificatesManager());
ftpsClient.connect(getConfiguration().getHostName(), getConfiguration().getPort());

只要我不在服务器上执行客户身份验证，一切工作正常。
但我需要启用客户端身份验证，所以我实施在服务器上和配置客户端系统属性：

As long as I don't enforce client-authentication on the server, everything works fine. But I need to enable client-authentication, so I enforce it on the server and configured the client-system properties:

-Djavax.net.ssl.keyStore="D:/.../ftps-client-auth.keystore"
-Djavax.net.ssl.keyStorePassword="*****"
-Djavax.net.ssl.keyStoreType=JKS

我得到的是一样的，如果我没有设置系统属性：

What I got was the same as if I did not set the system properties:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
    at org.apache.commons.net.ftp.FTPSClient.sslNegotiation(FTPSClient.java:265)
    at org.apache.commons.net.ftp.FTPSClient._connectAction_(FTPSClient.java:207)
    at org.apache.commons.net.SocketClient.connect(SocketClient.java:172)
    at org.apache.commons.net.SocketClient.connect(SocketClient.java:192)

服务器日志说：

DEBUG: Client "<my ip address>", "SSL_accept failed: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate"

似乎是正确的 - 我启用的 -Djavax.net.debug =所有的，有什么显示服务器发送的CN清单它接受，但客户端发送一个空证书链。

Seems right - I enabled -Djavax.net.debug=all, what shows that the server sends a list of CNs it accepts, but the client sends an empty certificate chain.

• 我做了什么错？


• 我需要做一些配置编程？


• 执行证书或私钥需要支持SSL / TLS什么特别的吗

• What have I done wrong?
• Do I need to do some configuration programatically?
• Do the certificates or the private key need to support anything special for SSL/TLS?

推荐答案

想通了：你需要以编程方式设置的KeyManager 。
设置系统属性（ -Djavax.net.ssl​​.keyStore ，...）是不够的，因为该框架不使用太阳的SSLSocketFactory 。

Figured it out: you need to programmatically set a KeyManager. Setting the system properties (-Djavax.net.ssl.keyStore, ...) is not sufficient, because the the framework does not use Suns SSLSocketFactory.

例如：

ftpsClient = new FTPSClient(false);
ftpsClient.setTrustManager(getConfiguration().getCertificatesManager());
KeyManager keyManager = org.apache.commons.net.util.KeyManagerUtils.createClientKeyManager(new File(keystorePath), keystorePass);
ftpsClient.setKeyManager(keyManager);
ftpsClient.connect(getConfiguration().getHostName(), getConfiguration().getPort());

这篇关于如何配置与apache.commons.net.ftps客户端身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！