彻底弄懂“PKIX path building failed”问题

Posted huqiaoblog

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了彻底弄懂“PKIX path building failed”问题相关的知识,希望对你有一定的参考价值。

SSL的基础知识

SSL的全称是Secure Socket Layer。它的通信流程如下图所示,客户端与服务端会通过几次通信,通过非对称加密创建出一个加密密钥,用于以后的对称信息加密。

1,客户端明文向服务器打招呼,告诉服务器自己支持的加密算法、随机数A;

2,服务器明文返回给客户端自己的证书和另外一个随机数B;

3,客户端验证收到的证书。验证通过则使用这个证书的公钥加密一个密码发送给服务器;

4,服务器通过自己的私钥解密客户端发送过来的密码;

5,服务器使用这个密码进行对称加密通信。

技术分享图片

 

-Djavax.net.debug=all跟踪调试,确定对的证书

任何一个环节出错,都可能出现下面的错误:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

用-Djavax.net.debug=all来开启调试信息的输出,SSL的握手过程一目了然:

2018-02-01 17:05:24 --INFO-- ***Helper : https://xxx.xxx.com:8443/***/ws/***Service
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
%% Try resuming [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA] from port 12371
##客户端跟服务器第一次打招呼##
*** ClientHello, TLSv1 
RandomCookie:  GMT: 1517410388 bytes = { 95, 120, 132, 216, 69, 34, 205, 73, 133, 30, 240, 178, 37, 187, 228, 127, 73, 149, 1, 216, 19, 3, 35, 236, 29, 111, 125, 132 }
Session ID:  {248, 40, 73, 62, 46, 20, 43, 249, 49, 73, 148, 196, 222, 200, 202, 68, 221, 241, 33, 57, 128, 93, 149, 1, 7, 112, 248, 66, 173, 203, 187, 1}
##支持的加密算法##
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: idmtest.dcpc.com]
***
[write] MD5 and SHA1 hashes:  len = 220
0000: 01 00 00 D8 03 01 5A 72   D8 54 5F 78 84 D8 45 22  ......Zr.T_x..E"
0010: CD 49 85 1E F0 B2 25 BB   E4 7F 49 95 01 D8 13 03  .I....%...I.....
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 220
[Raw write]: length = 225
0000: 16 03 01 00 DC 01 00 00   D8 03 01 5A 72 D8 54 5F  ...........Zr.T_
0010: 78 84 D8 45 22 CD 49 85   1E F0 B2 25 BB E4 7F 49  x..E".I....%...I
...

[Raw read]: length = 5
0000: 16 03 01 06 22                                     ...."
[Raw read]: length = 1570
0000: 02 00 00 46 03 01 5A 72   63 4E F2 CF 4B 0F CE 58  ...F..ZrcN..K..X
0010: 0E EF 36 D4 F3 3E C0 85   AD 6D 4B 8D DB CA FB 77  ..6..>...mK....w
0020: 80 B3 A1 D2 A7 90 20 D5   A6 FD 6E A7 FF 5A D4 DF  ...... ...n..Z..
...

DefaultQuartzScheduler_Worker-3, READ: TLSv1 Handshake, length = 1570

##服务器响应
*** ServerHello, TLSv1
RandomCookie:  GMT: 1517445966 bytes = { 242, 207, 75, 15, 206, 88, 14, 239, 54, 212, 243, 62, 192, 133, 173, 109, 75, 141, 219, 202, 251, 119, 128, 179, 161, 210, 167, 144 }
Session ID:  {213, 166, 253, 110, 167, 255, 90, 212, 223, 9, 221, 44, 82, 61, 249, 50, 79, 110, 177, 174, 106, 198, 101, 47, 213, 191, 119, 128, 106, 200, 188, 1}
##服务器选定的加密算法
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-8, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes:  len = 74
0000: 02 00 00 46 03 01 5A 72   63 4E F2 CF 4B 0F CE 58  ...F..ZrcN..K..X
0010: 0E EF 36 D4 F3 3E C0 85   AD 6D 4B 8D DB CA FB 77  ..6..>...mK....w
...

##服务器返回给客户端的证书链,证明“我是我”
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.****.com, ST=北京市, L=北京市, O=***公司, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 256891288892062675553247103925...
  public exponent: 65537
  Validity: [From: Wed May 17 16:15:30 CST 2017,
               To: Fri May 15 16:15:30 CST 2020]
  Issuer: CN=WoSign OV SSL CA, O=WoSign CA Limited, C=CN
  SerialNumber: [    363fa17d 5c46082c dc707c24 6a8d81b2]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [[
   accessMethod: ocsp
   accessLocation: URIName: http://wosign-ovca.ocsp-certum.com, 
   accessMethod: caIssuers
   accessLocation: URIName: http://repository.certum.pl/wosign-ovca.cer]]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A1 13 54 DC 56 73 2C 27   82 CA C8 84 EF EE BF 00  ..T.Vs,........
0010: FD 5F AB 56                                        ._.V
]]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://wosign.crl.certum.pl/wosign-ovca.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
  [CertificatePolicyId: [1.2.616.1.113527.2.5.1.12.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 
0000: 30 81 E4 30 1F 16 18 41   73 73 65 63 6F 20 44 61  0..0...Asseco Da
0010: 74 61 20 53 79 73 74 65   6D 73 20 53 2E 41 2E 30  ta Systems S.A.0
...

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.dcpc.com
  DNSName: dcpc.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 A6 53 AD 96 D8 B7 51   09 D5 E1 07 E5 B2 BC E6  ..S....Q........
0010: B5 F2 82 2B                                        ...+
]]]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 9A 38 A4 8F B2 A8 CE 9A   B6 98 2F 8F 18 AA 45 79  .8......../...Ey
0010: DE D6 31 22 99 6E D7 14   45 5E C1 1F 06 EC 7F C9  ..1".n..E^......
...

]
***
==客户端从本地找到的信赖证书(如果找不到会直接报certificate_unknow)==
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=*.****.com, ST=北京市, L=北京市, O=****公司, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 2568912888920626755532471039254124....
  public exponent: 65537
  Validity: [From: Wed May 17 16:15:30 CST 2017,
               To: Fri May 15 16:15:30 CST 2020]
  Issuer: CN=WoSign OV SSL CA, O=WoSign CA Limited, C=CN
  SerialNumber: [    363fa17d 5c46082c dc707c24 6a8d81b2]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://wosign-ovca.ocsp-certum.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://repository.certum.pl/wosign-ovca.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A1 13 54 DC 56 73 2C 27   82 CA C8 84 EF EE BF 00  ..T.Vs,........
0010: FD 5F AB 56                                        ._.V
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://wosign.crl.certum.pl/wosign-ovca.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
  [CertificatePolicyId: [1.2.616.1.113527.2.5.1.12.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 
0000: 30 81 E4 30 1F 16 18 41   73 73 65 63 6F 20 44 61  0..0...Asseco Da
0010: 74 61 20 53 79 73 74 65   6D 73 20 53 2E 41 2E 30  ta Systems S.A.0
...

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.dcpc.com
  DNSName: dcpc.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 A6 53 AD 96 D8 B7 51   09 D5 E1 07 E5 B2 BC E6  ..S....Q........
0010: B5 F2 82 2B                                        ...+
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 9A 38 A4 8F B2 A8 CE 9A   B6 98 2F 8F 18 AA 45 79  .8......../...Ey
0010: DE D6 31 22 99 6E D7 14   45 5E C1 1F 06 EC 7F C9  ..1".n..E^......
...

]
[read] MD5 and SHA1 hashes:  len = 1492
0000: 0B 00 05 D0 00 05 CD 00   05 CA 30 82 05 C6 30 82  ..........0...0.
0010: 04 AE A0 03 02 01 02 02   10 36 3F A1 7D 5C 46 08  .........6?..\\F.
...

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes:  len = 262
0000: 10 00 01 02 01 00 85 BD   72 17 92 EA 05 0F 0A BD  ........r.......
0010: 90 92 72 51 08 0F 6E 29   C4 A2 F0 D2 BA 78 0B A0  ..rQ..n).....x..
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 262
[Raw write]: length = 267
0000: 16 03 01 01 06 10 00 01   02 01 00 85 BD 72 17 92  .............r..
0010: EA 05 0F 0A BD 90 92 72   51 08 0F 6E 29 C4 A2 F0  .......rQ..n)...
...
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 80 92 4B 03 FA 1D   39 CE F4 82 3D 4A 96 A7  ....K...9...=J..
...
CONNECTION KEYGEN:
Client Nonce:
0000: 5A 72 D8 54 5F 78 84 D8   45 22 CD 49 85 1E F0 B2  Zr.T_x..E".I....
...
Server Nonce:
0000: 5A 72 63 4E F2 CF 4B 0F   CE 58 0E EF 36 D4 F3 3E  ZrcN..K..X..6..>
...
Master Secret:
0000: 93 05 C4 97 B7 FB 23 5F   11 15 8A 8E 2C C1 C7 72  ......#_....,..r
...
Client MAC write Secret:
0000: 22 84 BA CD 61 27 D9 62   5F 84 FA 7A DF 05 DE 0A  "...a‘.b_..z....
...
Server MAC write Secret:
0000: D2 AC 73 AC CE F2 D2 00   31 E6 4F 8A DE E3 97 8D  ..s.....1.O.....
0010: 73 52 BA D2                                        sR..
Client write key:
0000: CA FB B2 02 E7 3F 79 93   55 61 CB AB FF EF 1E 76  .....?y.Ua.....v
0010: 10 4C DD DE 83 55 99 6F   28 8E 19 5D 18 25 33 A2  .L...U.o(..].%3.
Server write key:
0000: 1A 25 31 69 D2 3B 45 D7   70 09 5F 9A FF D5 B3 71  .%1i.;E.p._....q
0010: 73 9D D6 52 F0 10 21 8B   8E 13 97 BE B1 02 75 46  s..R..!.......uF
Client write IV:
0000: 68 49 14 C3 A2 97 75 A0   F3 AC 89 DA 31 84 C3 EF  hI....u.....1...
Server write IV:
0000: 2C 03 9D 28 6F C2 7D BD   37 B1 AA E5 30 6E 09 EA  ,..(o...7...0n..
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01                                  ......
*** Finished
verify_data:  { 56, 169, 160, 43, 198, 100, 229, 140, 160, 251, 76, 146 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 38 A9 A0 2B   C6 64 E5 8C A0 FB 4C 92  ....8..+.d....L.
Padded plaintext before ENCRYPTION:  len = 48
0000: 14 00 00 0C 38 A9 A0 2B   C6 64 E5 8C A0 FB 4C 92  ....8..+.d....L.
0010: F5 B1 BB DE F4 25 ED A2   3A 18 9D C8 8E EE 2B A6  .....%..:.....+.
0020: 4A 1E 3A C7 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  J.:.............
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
0000: 16 03 01 00 30 4E 92 1F   3A 1F 91 C8 1B 9F 6B 3A  ....0N..:.....k:
0010: CC 2C 67 2C 9D CA 58 DA   4F 91 21 01 8E D8 5A 37  .,g,..X.O.!...Z7
0020: 67 B8 BD A9 E4 F3 79 E9   9C E6 E1 52 BB 8D 39 0E  g.....y....R..9.
0030: 45 5F F5 7E 7A                                     E_..z
[Raw read]: length = 5
0000: 14 03 01 00 01                                     .....
[Raw read]: length = 1
0000: 01                                                 .
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 01 00 30                                     ....0
[Raw read]: length = 48
0000: A9 B4 AB 6C 68 BA 47 DB   CF 6E EF 8A F2 6F BD 73  ...lh.G..n...o.s
0010: E4 44 55 C8 93 1B 4B C6   D9 A3 DB 4D 03 3B E0 8D  .DU...K....M.;..
0020: 67 ED E8 35 CA 63 D8 F8   C8 11 40 1B 54 DD 6F F2  g..5[email protected]
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Handshake, length = 48
Padded plaintext after DECRYPTION:  len = 48
0000: 14 00 00 0C 58 5A F4 F0   FA C9 BE 1D 27 6A A5 3A  ....XZ......j.:
0010: DC 90 D1 52 C8 53 16 DD   CB 04 E9 F0 F7 46 E2 9F  ...R.S.......F..
0020: 9E A6 EF 63 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  ...c............
*** Finished
verify_data:  { 88, 90, 244, 240, 250, 201, 190, 29, 39, 106, 165, 58 }
***
%% Cached client session: [Session-8, TLS_RSA_WITH_AES_256_CBC_SHA]
[read] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 58 5A F4 F0   FA C9 BE 1D 27 6A A5 3A  ....XZ......j.:
DefaultQuartzScheduler_Worker-3, setSoTimeout(9000000) called
Padded plaintext before ENCRYPTION:  len = 960
##发送数据
0000: 50 4F 53 54 20 2F 69 64   6D 2F 77 73 2F 55 6E 69  POST /idm/ws/Uni
0010: 74 53 65 72 76 69 63 65   20 48 54 54 50 2F 31 2E  tService HTTP/1.
0020: 30 0D 0A 43 6F 6E 74 65   6E 74 2D 54 79 70 65 3A  0..Content-Type:
0030: 20 74 65 78 74 2F 78 6D   6C 3B 20 63 68 61 72 73   text/xml; chars
0040: 65 74 3D 75 74 66 2D 38   0D 0A 41 63 63 65 70 74  et=utf-8..Accept
0050: 3A 20 61 70 70 6C 69 63   61 74 69 6F 6E 2F 73 6F  : application/so
0060: 61 70 2B 78 6D 6C 2C 20   61 70 70 6C 69 63 61 74  ap+xml, applicat
0070: 69 6F 6E 2F 64 69 6D 65   2C 20 6D 75 6C 74 69 70  ion/dime, multip
0080: 61 72 74 2F 72 65 6C 61   74 65 64 2C 20 74 65 78  art/related, tex
0090: 74 2F 2A 0D 0A 55 73 65   72 2D 41 67 65 6E 74 3A  t/*..User-Agent:
00A0: 20 41 78 69 73 2F 31 2E   34 0D 0A 48 6F 73 74 3A   Axis/1.4..Host:
00B0: 20 69 64 6D 74 65 73 74   2E 64 63 70 63 2E 63 6F   ***.***.co
00C0: 6D 3A 38 34 34 33 0D 0A   43 61 63 68 65 2D 43 6F  m:8443..Cache-Co
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Application Data, length = 960
[Raw write]: length = 965
0000: 17 03 01 03 C0 76 73 C9   5C 37 18 B3 8D 85 B6 4A  .....vs.\\7.....J
0010: A5 FF 06 E0 81 74 E2 46   22 C7 32 12 51 A6 C4 10  .....t.F".2.Q...
0020: 7E 1D 14 C6 1E 1B 44 95   57 6E AC 83 AA 8D A7 92  ......D.Wn......
0030: 4C 34 01 5D E9 A1 1E 8C   BB 03 55 D9 7A 09 0F 1E  L4.]......U.z...
0040: 5D C4 71 46 CA 29 72 0D   C1 CC F8 CE 6E F9 51 3A  ].qF.)r.....n.Q:
...

[Raw read]: length = 5
0000: 17 03 01 01 60                                     ....`
[Raw read]: length = 352
0000: CD C2 06 A2 9F EA 9F 00   C7 27 5E F0 B3 C4 3D 78  .........‘^...=x
0010: 2E 9B F4 52 08 FF D7 05   2E A8 1B 42 3F 9A 3D 73  ...R.......B?.=s
...
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Application Data, length = 352
##接收数据
Padded plaintext after DECRYPTION:  len = 352
0000: 48 54 54 50 2F 31 2E 31   20 32 30 30 20 0D 0A 43  HTTP/1.1 200 ..C
0010: 6F 6E 74 65 6E 74 2D 54   79 70 65 3A 20 74 65 78  ontent-Type: tex
0020: 74 2F 78 6D 6C 3B 63 68   61 72 73 65 74 3D 55 54  t/xml;charset=UT
0030: 46 2D 38 0D 0A 44 61 74   65 3A 20 54 68 75 2C 20  F-8..Date: Thu, 
0040: 30 31 20 46 65 62 20 32   30 31 38 20 30 39 3A 30  01 Feb 2018 09:0
0050: 35 3A 32 35 20 47 4D 54   0D 0A 43 6F 6E 6E 65 63  5:25 GMT..Connec
0060: 74 69 6F 6E 3A 20 63 6C   6F 73 65 0D 0A 0D 0A 3C  tion: close....<
0070: 73 6F 61 70 3A 45 6E 76   65 6C 6F 70 65 20 78 6D  soap:Envelope xm
0080: 6C 6E 73 3A 73 6F 61 70   3D 22 68 74 74 70 3A 2F  lns:soap="http:/
0090: 2F 73 63 68 65 6D 61 73   2E 78 6D 6C 73 6F 61 70  /schemas.xmlsoap
00A0: 2E 6F 72 67 2F 73 6F 61   70 2F 65 6E 76 65 6C 6F  .org/soap/envelo
...
[Raw read]: length = 5
0000: 15 03 01 00 20                                     .... 
[Raw read]: length = 32
0000: 10 E4 3E EF D9 D6 A2 0F   F3 11 85 6F 8F 68 48 C8  ..>........o.hH.
0010: 26 73 2E C8 FA 9D 00 03   AB 3B 79 46 DE ED CC 40  &s.......;[email protected]
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Alert, length = 32
Padded plaintext after DECRYPTION:  len = 32
0000: 01 00 C2 40 0A 51 E1 F1   28 06 65 73 E4 84 81 01  [email protected](.es....
0010: 8F A9 A1 FD A9 6E 09 09   09 09 09 09 09 09 09 09  .....n..........
DefaultQuartzScheduler_Worker-3, RECV TLSv1 ALERT:  warning, close_notify
DefaultQuartzScheduler_Worker-3, called closeInternal(false)
DefaultQuartzScheduler_Worker-3, SEND TLSv1 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 32
0000: 01 00 4F BB 75 8C 9C 8A   12 64 D7 62 F6 AF 81 90  ..O.u....d.b....
0010: 92 0E 91 25 6F 9B 09 09   09 09 09 09 09 09 09 09  ...%o...........
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Alert, length = 32
[Raw write]: length = 37
0000: 15 03 01 00 20 C1 60 66   8A 2A 1D A5 6C 82 C3 59  .... .`f.*..l..Y
0010: A8 D5 E9 28 70 1D 93 F1   DD 34 00 14 1F 56 12 46  ...(p....4...V.F
0020: 33 0C 4C 3F 51                                     3.L?Q
DefaultQuartzScheduler_Worker-3, called closeSocket(selfInitiated)
DefaultQuartzScheduler_Worker-3, called close()
DefaultQuartzScheduler_Worker-3, called closeInternal(true)
DefaultQuartzScheduler_Worker-3, called close()
DefaultQuartzScheduler_Worker-3, called closeInternal(true)

 如果遇到了前面的报错信息,首先应该做的就是到这里来看看服务器给客户端发送的到底是个什么证书!知道是什么证书之后,尝试获取到这个证书,导入到本地就行了。

正确地导入证书

服务器办法给我们的cer证书文件需要导入到keystore文件中,Java才能识别。

keytool工具实现了对keystore文件中的证书进行曾删查功能。

证书管理

增加(导入证书)

keytool -import -noprompt -trustcacerts -alias test -file  D:\\certs\\some.cer -keystore cacerts -storepass changeit

 

-keystore:指定证书导入到的文件位置,文件不存在时会自动创建,存在时会追加

-file:指定导入的cer文件

-storepass:指定keystore文件的访问密码

-alias:指定别名,其实可以理解为ID,别名不能重复,删除的时候也依靠它

查询

keytool -list -keystore cacerts |findstr /s test

 因为结果可能很多,这里用windows的findstr来过滤。

删除

keytool -delete -alias test -keystore cacerts

 

证书识别

Java程序对受信证书的查找顺序是:

1,javax.net.ssl.trustStore  

就是System.setProperty("javax.net.ssl.trustStore","D:\\\\cacert.keystore");活着通过JVM参数指定:-Djavax.net.ssl.trustStore=D:\\cacert.keystore。

2,JAVA_HOmE\\jre\\lib\\security\\jssecacerts

默认没有jssecacerts,一般把cacerts复制成jssecacerts,然后再使用keytool来修改它。jsse的全称是Java Secure Socket Extension。

3,JAVA_HOmE\\jre\\lib\\security\\cacerts

 通常情况下不就建议通过-Djavax.net.ssl.trustStore=D:\\cacert.keystore来直接修改keystore文件的位置,因为这样会造成系统中其他模块可能找不到自己对应的证书了。推荐使用jssecacerts。我们需要什么证书直接往这个位置导就行了。程序不需要做调整。

 

其他注意事项

System.setProperty("javax.net.ssl.trustStore",..)可能不会生效

写一个JUnit单元测试可以这么改:

技术分享图片

但是在Spring的Service中动态修改就不见得会生效了。你虽然动态调整了System的属性,但是别人用不用就不确定了。

https://stackoverflow.com/questions/271506/why-cant-system-setproperty-change-the-classpath-at-runtime

使用JVM参数强制指定keystore

 用JVM参数的形式就比上面这种方式更有效,程序肯定会使用这个参数指定位置的keystore。

-Djavax.net.ssl.trustStore=C:\\Java\\jre\\lib\\security\\jssecacerts
-Djavax.net.ssl.trustStorePassword=changeit

 

后话

密码和安全相关的主体确实太有意思了,应该专题研究一下,什么是PKI、什么是X.509,要扫清盲点,知其所以然,这样才能在遇到异常时知道那个环节出了问题。 

 

个人学习总结,有不对之处还望赐教。 


 

参考:

阮一峰:图解SSL/TLS协议,http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

What is SSL:https://www.youtube.com/watch?v=dsuVPxuU_hc

Java Secure Socket Extension:https://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

以上是关于彻底弄懂“PKIX path building failed”问题的主要内容,如果未能解决你的问题,请参考以下文章

彻底弄懂 JavaScript 执行机制

一文让你彻底弄懂MySQL自增列

彻底弄懂最短路径问题(图论)

这一次,彻底弄懂javascript执行机制

这一次,彻底弄懂 JavaScript 执行机制

彻底弄懂Java中的equals()方法以及与"=="的区别