带有效证书的spring boot https获取ERR_SSL_VERSION_OR_CIPHER_MISMATCH,自签名工作正常 [英] spring boot https with valid cert get ERR_SSL_VERSION_OR_CIPHER_MISMATCH, self signed works fine
问题描述
我正在运行Spring Boot 1.4.0.RELEASE。
我从我的IT部门获得了有效的证书。
我使用IT_cert.cer生成了一个tomcat keystore.jks文件
keytool -keystore tomcat-keystore.jks - storepass密码-import -aliastomcat-file it_issued_cert.cer
配置我的application.yml转向在SSL上
服务器:
context-path:/ uaa
port:9999
ssl :
启用:true
key-store:classpath:tomcat-keystore.jks
key-store-password:password
key-password:password
enabled-protocols :TLSv1.2#确保只使用最新的TLS版本
用于签署证书的算法是
签名算法名称:SHA256withRSA
当我运行spring-boot应用程序时,它启动并找到我的证书。
当我在HTTPS上使用chrome时端口,浏览器不再出现不受信任的警告。
但是现在有一个来自Chrome和IE11的ERR_SSL_VERSION_OR_CIPHER_MISMATCH声称我可能正在使用RC4加密...
我尝试过指定低于TLSv1.2的非安全协议并采用默认值..但它们都会导致相同的错误。
我相信最新的Chrome / IE11有TLSv1.2
所以我对浏览器的错误感到困惑。
如果我使用自签名,一切正常,但我得到关于信任自签名的安全警告。
我的结论是我配置我的证书导致此错误的方式,或者它可以是我的IT部门的签名算法吗?
近dupe Java SSLHandshakeException:没有共同的密码套件
HTTPS服务器
首先查看你的文件 it_issued_cert.cer
,看看它是否采用PEM格式:它是否包含所有可读内容字符分组为行,至少一个块以行开头
----- BEGIN sometype_in_caps -----
然后一些行完全由字母,数字,plussign +
和斜线 /
组成,可能等于 =
最后,最后一行
----- END same_type ----
?
如果PEM并且至少有两个区块,其中一个类型 [RSA | DSA | EC | ENCRYPTED]私钥
和其他人有(有)类型 [X.509 | maybesomethingelse] CERTIFICATE
,您可以使用OpenSSL转换为PKCS12,然后使用keytool转换为JKS 。首先检查是否需要任何链或中间证书:如果文件已经包含多个证书并且没有通过完整的doofus准备那些多个证书形成所需的chai,那么继续。如果文件只包含一个证书,请使用 openssl x509 -in $ file -noout -subject -issuer
以确保主题是您的服务器并查看颁发者;如果发行人是您所在环境中信任的CA(例如我的公司CA),则继续。否则,询问IT,如果需要任何链证书,请以PEM格式获取它们,并将它们添加到文件中。然后执行:
openssl pkcs12 -export -in $ file -out temp.p12 -friendlyname alias_you_want
keytool -importkeystore -srcstore temp.p12 -srcstoretype pkcs12 -deststore new.jks
#并使用new.jks作为服务器密钥库
如果文件是PEM但是只有一个类型为CERTIFICATE的块,或者文件根本不是PEM,则必须发出此证书以响应某人的CSR(证书签名请求): / p>
如果您向他们提供了CSR,请提供详细信息(编辑您的问题)生成CSR的方式和位置。这就是私钥的位置,你需要使用该密钥,复制它,或转换(并复制)它,具体取决于你所做的。
如果你没有给他们CSR,请问他们在哪里得到它。如果他们自己生成密钥和CSR,请询问他们PEM格式的密钥。如果他们从其他人那里获得CSR,请向其他人询问PEM格式的密钥。获得后,将其添加到文件中,然后返回上面的案例。如果他们坚持给你一些PEM格式以外的东西,请提供详细信息。
如果没有人拥有此证书的私钥,则无法使用该证书。丢弃并重新开始。
I am Running Spring Boot 1.4.0.RELEASE.
I got a valid cert from my IT dept.
I Generated a tomcat keystore.jks file using the IT_cert.cer
keytool -keystore tomcat-keystore.jks -storepass password -import -alias "tomcat" -file it_issued_cert.cer
config my application.yml to turn on SSL
server:
context-path: /uaa
port: 9999
ssl:
enabled: true
key-store: classpath:tomcat-keystore.jks
key-store-password: password
key-password: password
enabled-protocols: TLSv1.2 # make sure only to use the latest TLS version
The algorithm used to sign the cert is
Signature algorithm name: SHA256withRSA
When I run the spring-boot app, it starts up and finds my cert.
When I use chrome on my HTTPS port, there's no longer a "untrusted" warning from the browser.
But now there's a ERR_SSL_VERSION_OR_CIPHER_MISMATCH from Chrome and IE11 claims I may be using RC4 encryption...
I've tried specifying non-safe protocols lower than TLSv1.2 and taking the defaults.. but they all result in the same error.
I am sure the latest Chrome/IE11 has TLSv1.2 So I am baffled by the error from the browser.
Also if I used a self signed, everything works, but I get the security warning about trusting self signed.
My conclusion is it the way I configure my cert that causes this error, or can it be the Signature algorithm from my IT dept?
Near dupe Java SSLHandshakeException: no cipher suites in common
An HTTPS server needs both PRIVATE KEY AND matching certificate, and depending on how the certificate is issued the server may also need a 'chain' or 'intermediate' cert (and occasionally more than one). You imported only a certificate and that is not enough.
First look at your file it_issued_cert.cer
to see if it is in PEM format: does it contain all readable characters grouped into lines, with at least one block starting with a line
-----BEGIN sometype_in_caps-----
then some lines consisting entirely of letters, numbers, plussign +
and slash /
and maybe equals =
at the end, and finally a line
-----END same_type----
?
If PEM and there are at least two blocks where one has type [RSA|DSA|EC|ENCRYPTED] PRIVATE KEY
and the other(s) has(have) type [X.509|maybesomethingelse] CERTIFICATE
, you can use OpenSSL to convert to PKCS12 and then keytool to convert to JKS. First check if any 'chain' or 'intermediate' cert(s) is required: if the file already contains multiple certs and wasn't prepared by a complete doofus those multiple certs form the required chai, just proceed. If the file contains only one cert, use openssl x509 -in $file -noout -subject -issuer
to make sure the subject is your server and look at the issuer; if the issuer is a CA trusted in your environment (like 'My Company CA') just proceed. Otherwise, ask IT what if any chain cert(s) are needed, get them in PEM format, and add them to the file. Then do:
openssl pkcs12 -export -in $file -out temp.p12 -friendlyname alias_you_want
keytool -importkeystore -srcstore temp.p12 -srcstoretype pkcs12 -deststore new.jks
# and use new.jks as your server keystore
If file is PEM but there is only one block with type CERTIFICATE, or if the file is not PEM at all, this cert must have been issued in response to a CSR (Certificate Signing Request) from somebody:
If you gave them the CSR, give details (edit your question) how and where you generated the CSR. That is where the privatekey was and you will need to either use that key, make a copy of it, or convert (and copy) it, depending on what you did.
If you did not give them the CSR, ask them where they got it. If they generated the key and CSR themselves, ask them for the key in PEM format. If they got the CSR from someone else, ask that someone else for the key in PEM format. Once you get it, add it to the file, and return to the case above. If they insist on giving you something other than PEM format, give details.
If no one has the privatekey for this certificate, the certificate cannot be used. Discard it and start over.
这篇关于带有效证书的spring boot https获取ERR_SSL_VERSION_OR_CIPHER_MISMATCH,自签名工作正常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!