.NET和Java客户端与身份验证之间的SSL套接字 [英] SSL Socket between .Net and Java with client authentication

问题描述

我想创建.NET和Java之间的SSL套接字服务器/客户端。在这种情况下，我的SSL套接字服务器将在.NET运行和客户端在Java中的Linux下运行。我的问题是，握手期间连接失败，特别是当服务器从客户端请求证书，客户端不能送东西回来，连接失败。

I am trying to create an SSL Socket Server/Client between .NET and Java. In this case, my SSL Socket Server will run in .net and the client runs in Java under Linux. My problem is that the connection fails during the handshaking, specifically when the server request a certificate from the client, the client is unable to send something back and the connection fails.

在.NET中我使用sslStream建立连接和基于Java我使用的是标准的SSLSocket。有些code片段是下面，但是这是我迄今为止：

In .net I am using sslStream to establish the connection and on Java I am using the standard SSLSocket. Some code snippets are below, but this is what I have so far:

在服务器端（Windows）中，我有下MMC个人/证书文件夹专用证书。我从客户的信任的人/证书公共证书。这两个证书是由相同的CA颁发两个证书的证书链有多个级别，但它是对于这两个是相同的。在链中的根级证书也被安装在受信任的证书颁发机构/证书文件夹。

On the server side (Windows), I have a private certificate in the Personal/Certificates folders under MMC. I have a public certificate from the client in the Trusted People/Certificates. Both certificates were issued by the same CA. The certificate chain for both certificates have multiple levels, but it is the same for both. The root level certificate in the chain is also installed in the trusted Certification Authorities/Certificates folder.

在客户端（Linux）的，我有一个包含了安装在服务器上的公证书匹配的专用证书密钥库。我有一个包含从服务器公证书，匹配服务器专用一个信任存储区。

On the client side (Linux), I have a keystore that contains the private certificate that matches the public certificate installed at the server. I have a trust store that contains the public certificate from the server, matching the server's private one.

在服务器端（.NET）我使用的是插座，做一个异步读取，然后它被包裹成一个SSLStream中，code段是这样的：

On the server side (.net) I am using a Socket that does an asynchronous read and then it gets wrapped into an SSLStream, the code snippet is like this:

NetworkStream ns = new NetworkStream(socket, false);
SslStream ssl = new SslStream(ns, true);
ssl.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, true);

客户端code是pretty多标准code：

The client code is pretty much standard code:

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
InetAddress addr = InetAddress.getByName(servername);
SSLSocket socket = (SSLSocket) factory.createSocket(addr,port);
socket.setUseClientMode(true);
socket.setNeedClientAuth(true);
socket.setWantClientAuth(true);
socket.startHandshake();
os = new DataOutputStream(socket.getOutputStream());
is = new DataInputStream(socket.getInputStream());
byte[] outBuf = new byte[50];
os.write("SEND SOMETHING".getBytes("UTF-8"));
is.read(outBuf);

在java中我已经设置了适当的varialbes指向信任和密钥存储与他们的密码。

In java I have set the proper varialbes to point to the trust and key store with their password.

现在，遵循标准SSL握手，这是发生了什么：

Now, following the standard SSL Handshake, this is what happens:

• 的ClientHello


• ServerHello


• 服务器发送公证书


• 客户端与信任存储
一公证书相匹配

• 服务器发送证书请求


• 随着证书请求的服务器发送有效CA的列表，该列表中只有我的根CA发送的（除其他知名CA的一个长长的清单）。


• 客户端证书为null。


• 服务器收到来自客户端的证书无效，从而关闭连接。

• ClientHello
• ServerHello
• Server sends public certificate
• Client matches the public certificate with the one on the trust store
• Server sends the Certificate request
• With the certificate request the server sends a list of valid CAs, on this list only the my root CA is sent (among a long list of other well known CAs.).
• Client certificate is null.
• Server receives a null certificate from the client, thus closes the connection.

，就是这样，客户端将不会发送有效证书回服务器。我对此一些问题：

And that is it, the client won't send a valid certificate back to the server. I have some questions on this:

有没有人经历过这样的事情？
对于服务器（Windows）中发送的CA该名单，如何确定.NET送什么给客户？是否有修改列表的方法吗？
我是否需要发送的所有当局用于登录我在CA的该列表证书链？或者是根1就够了吗？

Has anybody experienced something like this? Regarding that list of CAs sent by the server (Windows), How does .net determine what to send to the client? Is there a way to modify that list? Do I need to send the all the authorities in the chain used to sign my certificate in that list of CAs? or is the Root one enough?

我缺少的东西在我的code两侧的？

Am I missing something on either side of my code?

任何帮助将大大AP preciated它。
在

Any help will be greatly appreciated it. In

推荐答案

下面的两个语句是在客户端无用的（虽然他们不应该伤害）：

The following two statements are useless on the client side (although they shouldn't hurt):

socket.setNeedClientAuth(true);
socket.setWantClientAuth(true);

您看到的证书请求消息和客户端证书的信息，这表明服务器配置正确。

The fact that you see the Certificate Request message and the Client Certificate message shows that the server is configured properly.

这是想到了没有客户端证书消息证书的最可能的原因是密钥库（在客户端）可能未正确配置。你可能有兴趣在这个答案，以确保您的客户端密钥存储配置正确。更具体地讲，您需要确保您的客户端证书的私钥是在相同的别名证书链导入（以及它的链条回到过去的证书请求消息登报CA）。

The most likely cause that comes to mind for the absence of certificate in the client certificate message is that the keystore (on the client side) might not be configured properly. You may be interested in this answer to make sure that your client key store is configured properly. More specifically, you need to make sure that the private key for your client certificate was imported in the same alias as the certificate chain (and that it's the chain going back to a CA advertised in the Certificate Request message).

（关于你的问题的其余部分，我不知道如何修改在C＃中使用时， SslStream 服务器发送的CA列表的This前面的问题似乎表明没有办法解决，虽然净的新版本可能有地址的问题，因为这个问题被问，我的天堂'T能够找到任何会通过看 SslStream API文档和相关类做到这一点，但是这并不意味着它不存在。）

(Regarding the rest of your question, I'm not sure how to modify the CA list sent by the server when using SslStream in C#. This earlier question would seem to suggest there is no solution, although newer versions of .Net may have addresses the issue since this question was asked. I haven't been able to find anything that would do it by looking at the SslStream API documentation and related classes, but this doesn't mean it doesn't exist.)

这篇关于.NET和Java客户端与身份验证之间的SSL套接字的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！