Java connect to SOAP web service using SSL handshake failure

Posted: 2019-01-09 23:47:18

Question:

Can anyone tell me what the problem with this SSL handshake is? I cannot interpret this message to understand what went wrong.

I am using Java 1.8u171 with a custom keystore and truststore.

Since the SSL debug trace is too large to post here, I have only added the end of it. Let me know if I need to add more lines.

*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 22370889587224987359608899225847605413175776292485254209693360141628593926267
  public y coord: 46421316867312726832394508124945403534455242739986432133408176290773445555000
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 1296
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), Unknown (hash:0x3, signature:0x3), SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Admin-Root-CA, OU=Certification Authorities, OU=Services, O=admin, C=ch>
<CN=SwissDefence-CA1, OU=Certification Authorities, OU=Verteidigung, O=Admin, C=CH>
<CN=SwissDefence-RootCA, OU=Certification Authorities, OU=Verteidigung, O=Admin, C=CH>
<CN=Swiss Government Regular CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government Enhanced CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government Enhanced CA 02, OU=Certification Authorities, OU=Services, O=Admin, C=CH>
<CN=Swiss Government SSL CA 01, OU=Certification Authorities, OU=Services, O=Swiss Government PKI, C=CH>
<CN=Swiss Government Root CA I, OU=Certification Authorities, OU=Services, O=The Federal Authorities of the Swiss Confederation, C=CH>
<CN=Swiss Government Root CA II, OU=Certification Authorities, OU=Services, O=The Federal Authorities of the Swiss Confederation, C=CH>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:   4, 151, 224, 196, 1, 182, 164, 65, 41, 7, 83, 83, 219, 245, 182, 17, 252, 77, 121, 12, 239, 156, 93, 141, 201, 209, 209, 105, 133, 211, 170, 214, 7, 186, 20, 184, 229, 154, 102, 83, 241, 182, 65, 201, 230, 178, 162, 155, 233, 13, 238, 236, 66, 132, 154, 131, 234, 253, 232, 127, 96, 123, 113, 254, 173 
main, WRITE: TLSv1.2 Handshake, length = 101
SESSION KEYGEN:
PreMaster Secret:
0000: 5B 6B 22 F4 DA 84 39 7D   6D BC 0D 78 BF 12 8D 9E  [k"...9.m..x....
0010: A8 AE 84 1D 77 FC F1 9D   1B 4D 2C E3 15 65 D2 FC  ....w....M,..e..
CONNECTION KEYGEN:
Client Nonce:
0000: 5B 60 8F D8 9A F6 63 29   DB AE 52 4A 85 C5 7D 92  [`....c)..RJ....
0010: 5F 24 BE 3D 42 30 C0 F1   18 60 AD 6B C9 CA 77 12  _$.=B0...`.k..w.
Server Nonce:
0000: 8B 00 1C 8A 53 D6 F0 0E   0E 1C 11 6C 36 56 21 E5  ....S......l6V!.
0010: 85 E6 C6 F9 6F F7 26 D9   1B 8C 58 A8 B5 48 A5 9E  ....o.&...X..H..
Master Secret:
0000: 46 48 BA 0A 40 0F CD 0F   93 C0 60 35 07 08 EA 3E  FH..@.....`5...>
0010: E3 44 EC 4A 65 58 E3 38   32 56 47 17 5E DB B7 AB  .D.JeX.82VG.^...
0020: 13 15 00 A7 25 3B 89 DE   2D B7 89 F4 D1 2C EC 92  ....%;..-....,..
... no MAC keys used for this cipher
Client write key:
0000: 85 A7 0F CF F3 26 14 49   C3 9F F9 7D FF 92 88 75  .....&.I.......u
0010: 44 0E 1B 3E BE B2 B0 A9   27 CB FD 02 3D E3 07 4F  D..>....'...=..O
Server write key:
0000: 01 A7 47 C1 BB F1 FE C0   BC 62 DF 6D BD 06 74 63  ..G......b.m..tc
0010: AB 98 3A 12 D2 99 C3 1A   9E D4 7D 27 F7 21 45 C0  ..:........'.!E.
Client write IV:
0000: 6D D5 5C 6E                                        m.\n
Server write IV:
0000: 53 C2 4A F9                                        S.J.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 25
*** Finished
verify_data:   232, 49, 11, 141, 224, 91, 146, 66, 124, 158, 201, 90 
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 26
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)

Here is part of the stack trace:

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_172]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) ~[?:1.8.0_172]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:940) ~[?:1.8.0_172]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[?:1.8.0_172]
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:735) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678) ~[?:1.8.0_172]
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:706) ~[?:1.8.0_172]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587) ~[?:1.8.0_172]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[?:1.8.0_172]
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[?:1.8.0_172]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:347) ~[?:1.8.0_172]

Comments:

Have you tried testing with the generated truststore and client certificate using a tool? One recommendation is SmartBear's SOAPUI. The problem lies in the TLS version (you are using v1.2), an invalid client certificate, or an invalid truststore certificate. ***.com/questions/51348108/… Have a look at my answer.

@Han: Thanks for your reply. I had already tested it with SoapUI before doing any coding. The keystore works there as expected. But in SoapUI I do not need to define a truststore to get a valid response from the web service. If I do set the truststore, I also get a valid response. But I don't know why I don't need to set the truststore. If I don't use a truststore in my own application, I get an error that no valid certification path could be found.

"Warning: no suitable certificate found - continuing without client authentication" - your certificate does not match the target host, check the certificate.

Adrian Osterwalder - this is some response related to @Wow. In Java, the cacerts file stores the truststore. In SoapUI it is basically using your java/home. My previous experience was that I was running in a web server and Webster, and sometimes they have their own truststore or point to a different java home. You can actually verify it by using keytool to print all the truststore entries listed in cacerts.

Answer 1:

"Warning: no suitable certificate found - continuing without client authentication" - your certificate does not match the target host, check the certificate.

Discussion:

But karma ;)
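The "no suitable certificate found" warning in the trace is printed by JSSE's key manager when no keystore entry satisfies the server's CertificateRequest (the Cert Types and Cert Authorities lists above); the client then sends an empty Certificate message, and a server that requires client authentication answers with the fatal handshake_failure seen afterwards. The following diagnostic is an added example, not code from the question or its answer: it applies the two selection rules of the default SunX509 key manager (key algorithm must be one of the requested cert types; some certificate in the chain must be issued by one of the listed CAs) to every entry of a keystore given on the command line. The keystore path, password and type arguments are assumptions; the CA names are copied from the trace.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

// Added diagnostic (not from the question): applies the selection rules of JSSE's
// default SunX509 key manager to each keystore entry and prints why it is skipped.
public class ClientCertCheck {
    // Cert Types "RSA, DSS, ECDSA" from the trace, as JCA key-algorithm names.
    static final List<String> REQUESTED_KEY_ALGS = Arrays.asList("RSA", "DSA", "EC");
    // Two of the Cert Authorities from the trace; the rest are added the same way.
    static final List<X500Principal> REQUESTED_CAS = Arrays.asList(
        new X500Principal("CN=Swiss Government SSL CA 01, OU=Certification Authorities, OU=Services, O=Swiss Government PKI, C=CH"),
        new X500Principal("CN=Swiss Government Regular CA 01, OU=Certification Authorities, OU=Services, O=Admin, C=CH"));

    // Returns the aliases the key manager could offer to the server.
    static List<String> usableAliases(KeyStore ks) throws Exception {
        List<String> usable = new java.util.ArrayList<>();
        for (String alias : java.util.Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {  // trustedCertEntry: no private key, never offered
                System.out.println(alias + ": no private key (trusted-cert entry only)");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            String alg = chain[0].getPublicKey().getAlgorithm();
            if (!REQUESTED_KEY_ALGS.contains(alg)) {
                System.out.println(alias + ": key algorithm " + alg + " not among " + REQUESTED_KEY_ALGS);
                continue;
            }
            // Any certificate in the chain issued by a listed CA satisfies the request.
            boolean issuerOk = Arrays.stream(chain)
                .anyMatch(c -> REQUESTED_CAS.contains(((X509Certificate) c).getIssuerX500Principal()));
            if (!issuerOk) {
                System.out.println(alias + ": issuer " + ((X509Certificate) chain[0]).getIssuerX500Principal()
                    + " is not one of the CAs the server listed");
                continue;
            }
            usable.add(alias);
        }
        return usable;
    }

    // usage: java ClientCertCheck <keystore> <password> [JKS|PKCS12]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        System.out.println("offerable aliases: " + usableAliases(ks));
    }
}
```

An empty result matches the trace's empty Certificate chain; the printed reason tells you whether the entry lacks a private key, has the wrong key type, or was not issued by a CA the server accepts.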
