Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure
Posted
技术标签:
【中文标题】Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure【英文标题】:Java server self-signed certificate + client certificate and SSL handshake_failure 【发布时间】:2011-06-11 22:10:33 【问题描述】:我正在连接之前成功使用的网络服务,但是现在他们更改了主机名并向我发送了两个 .pem 文件;一个是 CA,另一个是我的新客户端证书。
(我正在使用 Java 1.5、Spring + Spring Web Services 和 Apache httpclient,但我怀疑我的问题出在证书、密钥和 SSL 本身。)
我已经导入了两个 .pem 文件,以及我从 Firefox 导出到我的 cacerts 的主机的 .crt。但是,自从我得到这个异常以来,我显然做错了:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
...
当我使用 System.setProperty("javax.net.debug", "all") 打开 SSL 日志记录时,我看到服务器证书被接受,然后在客户端密钥交换之后或期间发生这种情况:
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: D:\Central\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\CentraServer\WEB-INF\classes\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Sat Jun 26 02:19:54 CEST 1999 until Wed Jun 26 02:19:54 CEST 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000bf
Valid from Wed May 17 16:01:00 CEST 2000 until Sun May 18 01:59:00 CEST 2025
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 18:09:40 CEST 1999 until Sat May 25 18:39:40 CEST 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000b9
Valid from Fri May 12 20:46:00 CEST 2000 until Tue May 13 01:59:00 CEST 2025
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x2
Valid from Fri Mar 26 11:37:00 CET 2010 until Mon Mar 23 11:37:00 CET 2020
adding as trusted cert:
Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Issuer: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Algorithm: RSA; Serial number: 0x3eb
Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x94778886f4ca92c2
Valid from Fri Mar 26 13:14:36 CET 2010 until Mon Mar 23 13:14:36 CET 2020
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
Valid from Fri Oct 01 02:00:00 CEST 1999 until Thu Jul 17 01:59:59 CEST 2036
adding as trusted cert:
Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 29 19:39:16 CEST 2004 until Thu Jun 29 19:39:16 CEST 2034
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Algorithm: RSA; Serial number: 0x35def4cf
Valid from Sat Aug 22 18:41:51 CEST 1998 until Wed Aug 22 18:41:51 CEST 2018
adding as trusted cert:
Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Algorithm: RSA; Serial number: 0x3770cfb5
Valid from Wed Jun 23 14:14:45 CEST 1999 until Sun Jun 23 14:14:45 CEST 2019
adding as trusted cert:
Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Algorithm: RSA; Serial number: 0x4
Valid from Mon Jun 21 06:00:00 CEST 1999 until Sun Jun 21 06:00:00 CEST 2020
adding as trusted cert:
Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1b6
Valid from Fri Aug 14 16:50:00 CEST 1998 until Thu Aug 15 01:59:00 CEST 2013
adding as trusted cert:
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Issuer: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Algorithm: RSA; Serial number: 0x3ea
Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011
adding as trusted cert:
Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a3
Valid from Sat Feb 24 00:01:00 CET 1996 until Fri Feb 24 00:59:00 CET 2006
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389b113c
Valid from Fri Feb 04 18:20:00 CET 2000 until Tue Feb 04 18:50:00 CET 2020
adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=Emporion CA, DC=emporion, DC=hr
Issuer: CN=Emporion CA, DC=emporion, DC=hr
Algorithm: RSA; Serial number: 0x52fbeae95112b2aa48647da355f35330
Valid from Thu Dec 14 08:53:07 CET 2006 until Wed Dec 14 08:55:04 CET 2011
adding as trusted cert:
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
Valid from Wed Nov 09 01:00:00 CET 1994 until Fri Jan 08 00:59:59 CET 2010
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=adriatic, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x3c
Valid from Thu Jan 13 16:07:12 CET 2011 until Sun Jan 12 16:07:12 CET 2014
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x380391ee
Valid from Tue Oct 12 21:24:30 CEST 1999 until Sat Oct 12 21:54:30 CEST 2019
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389ef6e4
Valid from Mon Feb 07 17:16:40 CET 2000 until Fri Feb 07 17:46:40 CET 2020
[snip more irrelevant cerificates]
adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
http-8080-Processor25, setSoTimeout(90000) called
http-8080-Processor25, setSoTimeout(90000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1295536786 bytes = 74, 39, 25, 138, 201, 29, 231, 172, 208, 86, 159, 87, 97, 159, 118, 69, 60, 76, 126, 1, 3, 113, 32, 74, 124, 197, 227, 100
Session ID:
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: 0
***
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 4D 38 53 92 4A 27 19 8A C9 1D ...E..M8S.J'....
...
0040: 03 00 08 00 14 00 11 01 00 .........
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
...
0060: E3 64 .d
http-8080-Processor25, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
0000: 80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 .b....9... .....
...
0060: 7C C5 E3 64 ...d
[Raw read]: length = 5
0000: 16 03 01 00 4A ....J
[Raw read]: length = 74
0000: 02 00 00 46 03 01 4D 38 53 92 91 2B 9B 04 40 75 ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00 04 00 ..c...x...
http-8080-Processor25, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1295536786 bytes = 145, 43, 155, 4, 64, 117, 29, 20, 155, 104, 148, 67, 38, 191, 176, 32, 226, 210, 15, 208, 38, 62, 186, 93, 161, 102, 98, 43
Session ID: 170, 186, 169, 17, 103, 4, 99, 63, 183, 238, 23, 232, 183, 145, 193, 146, 7, 27, 157, 237, 100, 139, 163, 244, 30, 207, 128, 99, 17, 131, 239, 120
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 01 4D 38 53 92 91 2B 9B 04 40 75 ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00 04 00 ..c...x...
[Raw read]: length = 5
0000: 16 03 01 05 62 ....b
[Raw read]: length = 1378
0000: 0B 00 05 5E 00 05 5B 00 02 A4 30 82 02 A0 30 82 ...^..[...0...0.
...
0550: 62 FB DE A4 74 87 D9 2A 2B 2F AF 31 22 97 4A F6 b...t..*+/.1".J.
0560: B8 9F ..
http-8080-Processor25, READ: TLSv1 Handshake, length = 1378
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
public exponent: 65537
Validity: [From: Fri Mar 26 11:37:00 CET 2010,
To: Mon Mar 23 11:37:00 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 02]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V..
...
]
chain [1] = [
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 103786554737956184369138386227517475430156404603922533481712260490997247291004352385079204978431207687092828117962473600295977103686791448953158848873575487907656378655168840104433047747570602454550203304683174555325033654946526304210710782190667961616217273402229863778090825217190222869236148684215668636483
public exponent: 65537
Validity: [From: Fri Mar 26 13:14:36 CET 2010,
To: Mon Mar 23 13:14:36 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 94778886 f4ca92c2]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 86 EE 6C 03 20 76 E5 0C C7 1D E5 44 60 C0 D0 40 ..l. v.....D`..@
...
]
***
Found trusted certificate:
[
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
public exponent: 65537
Validity: [From: Fri Mar 26 11:37:00 CET 2010,
To: Mon Mar 23 11:37:00 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 02]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V..
...
]
[read] MD5 and SHA1 hashes: len = 1378
0000: 0B 00 05 5E 00 05 5B 00 02 A4 30 82 02 A0 30 82 ...^..[...0...0.
...
[Raw read]: length = 5
0000: 16 03 01 00 0E .....
[Raw read]: length = 14
0000: 0D 00 00 06 03 01 02 40 00 00 0E 00 00 00 .......@......
http-8080-Processor25, READ: TLSv1 Handshake, length = 14
*** CertificateRequest
Cert Types: RSA, DSS, Type-64,
Cert Authorities:
[read] MD5 and SHA1 hashes: len = 10
0000: 0D 00 00 06 03 01 02 40 00 00 .......@..
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: 3, 1, 171, 173, 40, 115, 135, 189, 1, 133, 123, 112, 14, 101, 81, 12, 110, 67, 184, 222, 191, 39, 146, 61, 195, 70, 149, 67, 178, 129, 141, 29, 160, 92, 198, 213, 71, 6, 35, 92, 141, 155, 111, 161, 88, 150, 14, 217
[write] MD5 and SHA1 hashes: len = 141
0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 2F 50 23 ............./P#
...
0080: 32 A0 09 CB 0E AE 42 4F 25 7A AE 41 DF 2.....BO%z.A.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 141
[Raw write]: length = 146
0000: 16 03 01 00 8D 0B 00 00 03 00 00 00 10 00 00 82 ................
...
0090: 41 DF A.
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 AB AD 28 73 87 BD 01 85 7B 70 0E 65 51 0C ....(s.....p.eQ.
0010: 6E 43 B8 DE BF 27 92 3D C3 46 95 43 B2 81 8D 1D nC...'.=.F.C....
0020: A0 5C C6 D5 47 06 23 5C 8D 9B 6F A1 58 96 0E D9 .\..G.#\..o.X...
CONNECTION KEYGEN:
Client Nonce:
0000: 4D 38 53 92 4A 27 19 8A C9 1D E7 AC D0 56 9F 57 M8S.J'.......V.W
0010: 61 9F 76 45 3C 4C 7E 01 03 71 20 4A 7C C5 E3 64 a.vE<L...q J...d
Server Nonce:
0000: 4D 38 53 92 91 2B 9B 04 40 75 1D 14 9B 68 94 43 M8S..+..@u...h.C
0010: 26 BF B0 20 E2 D2 0F D0 26 3E BA 5D A1 66 62 2B &.. ....&>.].fb+
Master Secret:
0000: 13 9A 7A E6 A0 60 FA 39 20 54 B1 5B 11 C0 1C 8E ..z..`.9 T.[....
0010: 0C 1E DD 6D 81 F3 87 BB 55 C5 04 5E EF 92 9D 56 ...m....U..^...V
0020: F8 A5 BE 3C 63 41 49 5D 28 C6 CB 39 2B AC 2B 01 ...<cAI](..9+.+.
Client MAC write Secret:
0000: C6 9B B2 39 8A B2 0D 8E D2 4F ED 8B 41 2A 5E 24 ...9.....O..A*^$
Server MAC write Secret:
0000: 0F EC E3 F0 A0 23 B0 06 3A E1 27 17 51 D5 63 D4 .....#..:.'.Q.c.
Client write key:
0000: 84 00 3C F3 A6 64 8B FC EC 24 34 E5 98 37 2D 4B ..<..d...$4..7-K
Server write key:
0000: 15 71 17 98 7F BF 96 CF B5 84 0D 27 53 92 FA D6 .q.........'S...
... no IV for cipher
http-8080-Processor25, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01 ......
*** Finished
verify_data: 242, 229, 163, 78, 24, 68, 97, 187, 238, 159, 79, 121
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C F2 E5 A3 4E 18 44 61 BB EE 9F 4F 79 .......N.Da...Oy
Padded plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C F2 E5 A3 4E 18 44 61 BB EE 9F 4F 79 .......N.Da...Oy
0010: 7D 95 FF FE 93 4D C5 18 4B C0 DD 31 EB 12 39 DF .....M..K..1..9.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 32
[Raw write]: length = 37
0000: 16 03 01 00 20 43 6D 0D E1 CD D5 D7 7A 9C 25 61 .... Cm.....z.%a
0010: 1A 58 2C E4 3E 18 EB B1 C9 80 9C C5 E7 30 E5 23 .X,.>........0.#
0020: 6E 10 C9 2A AE n..*.
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
http-8080-Processor25, READ: TLSv1 Alert, length = 2
http-8080-Processor25, RECV TLSv1 ALERT: fatal, handshake_failure
http-8080-Processor25, called closeSocket()
http-8080-Processor25, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
这是什么意思?消息“no IV for cipher”是什么意思?
编辑:经过一番调查,我发现了一个愚蠢的错误 - 因为 javax.net.ssl.keyStore 属性设置不正确,所以根本没有加载密钥库。但是,现在我得到连接重置异常,我仍然得到“没有密码的 IV”......所以我再次问基本相同的问题 here。
【问题讨论】:
我认为您已经删除了跟踪的一些重要部分,但我的猜测是服务器想要对客户端进行身份验证,而您的客户端未正确配置为这样做。 我现在已经发布了完整的调试输出;二进制部分被剪断,因为 *** 不允许我发布超过 30K 的字符... 请注意,客户端证书链(紧接在 ClientKeyExchange 之前)是空的。 【参考方案1】:no IV for cipher 表示使用的密码不需要 IV(RC4 就是这样一种密码,很可能是这里选择的一种)。
编辑根据 GregS 的评论,handshake_failure 可能是由于服务器请求客户端身份验证,而客户端未能提供证书。
【讨论】:
张贴的痕迹显然是经过大量编辑的。它可能表明服务器要求客户端身份验证但没有收到。 RFC 2246 的第 7.4.6 节对于谁可以发送 handshake_failure 不明确,在这种情况下没有更好的警报选择。 啊,你是对的。我认为这将表现为一个不同的警报,但 7.4.6 表明这将是一个handshake_failure。
Jumbogram,我走得更远了,我的客户端证书确实有问题没有被加载......但是我仍然被困得更远。我接受答案并提出另一个问题,请查看。以上是关于Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure的主要内容,如果未能解决你的问题,请参考以下文章