Why do I get a handshake failure (Java SSL)


Problem description

I'm connecting to a web service over HTTPS. I've done all that I think is required to make it work, but in the end I get a handshake failure.

I found out that as a new user I can't post more than 2 links due to "spam protection" - thanx a lot stackoverflow...anyway here's a link to a pastebin post with all the links spelled out...so when I write "link#1" here it's a reference to these links: http://pastebin.com/y4zGNRC7

  • I verified the same behavior using HttpClient (GET on the service URL) and actually calling the web service via a CXF proxy
  • I'm setting both the keystore and truststore - I tried both the "in code" way ( link#1 ) and setting the system properties - i.e. System.setProperty("javax.net.ssl.keyStore", "mykeystore.jks");
  • SSL debug is on ( javax.net.debug=all )
  • SSL debug blurts out the contents of both keystore and truststore (i.e. looks like java "knows about them") - link#2
  • seems like there's some client-server communication going on, but then it crashes for some reason link#3
  • I successfully connected to the server using the client and CA certificates both in a browser (Chrome) and using openssl s_client
  • wireshark shows less client-server talk from java ( link#4 ) than for example from Chrome ( link#5 )


I tried googling the problem and I saw numerous similar posts here on stackoverflow, but nothing helped. I tried changing the protocol version ("TLSv1", "SSLv3", even the weird v2 Hello). Any help would be appreciated - maybe there's some fundamental thing I might have overlooked...I'm getting desperate here... Thanx

PS I'm running java 1.6 update 30 on Fedora Core 15 (64bit)

Recommended answer

The problem was that even though the keystore and truststore were set, java decided not to send the client certificate to the server. The reason for this was the fact that the server requested a certificate signed by the RootCA authority, but the client certificate is signed by a SubCA authority (which is issued by the RootCA).

Originally the keystore only contained the client cert and the truststore the SubCA cert. I then tried to add the SubCA cert to the keystore too, but java just ignored it.

So this solves the handshake failure mystery, but not my problem.

I created a separate question for that...sigh :-( why doesn't java send the client certificate during SSL handshake?
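To make the behaviour described in the answer visible, here is an added diagnostic (not code from the question or the answer) that wraps the JDK's own X509KeyManager: it prints the issuer names the server listed in its CertificateRequest, the alias the JDK matched against them, and, when no alias matches, how far each key entry's certificate chain reaches. It assumes the caller has already loaded the JKS keystore with KeyStore.load; class and method names are my own.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Wraps the JDK X509KeyManager so the alias selection made during the handshake becomes
 *  visible: the issuer DNs from the server's CertificateRequest and the alias matched to them. */
public class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    public LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        System.out.println("Server accepts client certificates issued by:");
        if (issuers != null) for (Principal p : issuers) System.out.println("  " + p.getName());
        String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
        System.out.println("Alias chosen by JDK: " + alias);
        if (alias == null) {
            // No key entry has a chain whose issuers include a listed CA, so the client sends an
            // empty certificate list. If a chain's last issuer is the SubCA rather than the RootCA,
            // the key entry's chain is missing the SubCA certificate (the situation in the answer).
            for (String kt : keyTypes) {
                String[] candidates = delegate.getClientAliases(kt, null);
                if (candidates == null) continue;
                for (String a : candidates) {
                    X509Certificate[] chain = delegate.getCertificateChain(a);
                    System.out.println("  " + a + ": chain length " + chain.length + ", last issuer "
                        + chain[chain.length - 1].getIssuerX500Principal());
                }
            }
        }
        return alias;
    }

    // The remaining methods forward unchanged to the JDK key manager.
    public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds an SSLContext whose key managers are wrapped; ks is an already loaded keystore. */
    public static SSLContext build(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers: JDK default / javax.net.ssl.trustStore
        return ctx;
    }
}
```

The SSLContext returned by build supplies the socket factory handed to HttpClient or the CXF conduit, so the printed lines appear at the point in the handshake where the CertificateRequest arrives.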
