通过 HTTPS 连接到 MobileFirst Server 时出现问题

Posted 2023-02-26

【中文标题】通过 HTTPS 连接到 MobileFirst Server 时出现问题

【英文标题】：Issue connecting to MobileFirst Server via HTTPS

【发布时间】：2015-03-17 22:58:51

【问题描述】：

我们有一个连接到 MobileFirst Server 的应用程序。我们的应用程序通过 HTTP 连接良好，但无法通过 HTTPS 连接。该应用程序本身是使用 Xcode 构建的原生 ios 应用程序。

我们在服务器上有一个自签名证书。服务器设置为按顺序将整个证书钥匙串传递回客户端（根证书、中间证书，最后是服务器证书）。

根据these specifications，所有这些证书也已安装在客户端 iOS 设备上

通过 HTTPS 连接会导致客户端和服务器上出现以下错误/日志。这是在 Liberty Websphere Application Server 上使用 Mobile First 6.3。

客户：

2015-03-13 09:52:30.133 WFM[80268:291046] [DEBUG] [WL_CONFIG] -[WLConfig init] in WLConfig.m:68 :: 
"application id" = WFM;
"application version" = "1.0";
environment = iOSnative;
host = "xxxxxxxx";
platformVersion = "6.3.0.00.20141127-1357";
port = 9443;
protocol = https;
wlServerContext = "/worklight/";
wlUid = "wY/mbnwKTDDYQUvuQCdSgg==";

2015-03-13 09:52:30.421 WFM[80268:291046] [TRACE] [WL_AUTH] -[WLDeviceAuthManager getWLUniqueDeviceId] in WLDeviceAuthManager.m:71 :: returning UUID from the keychain
2015-03-13 09:52:30.435 WFM[80268:291046] [DEBUG] [WL_AFHTTPCLIENTWRAPPER_PACKAGE] +[WLAFHTTPClientWrapper requestWithURL:] in WLAFHTTPClientWrapper.m:37 :: Request url is https://xxxx.com:9443/worklight/apps/services/api/WFM/iOSnative/init
2015-03-13 09:52:30.452 WFM[80268:291046] [DEBUG] [WL_REQUEST] -[WLRequest sendRequest:path:withOptions:] in WLRequest.m:119 :: Request timeout is 60.000000
2015-03-13 09:52:30.465 WFM[80268:291046] [DEBUG] [WL_REQUEST] -[WLRequest sendRequest:path:withOptions:] in WLRequest.m:195 :: Sending request (https://xxxxx:9443/worklight/apps/services/api/WFM/iOSnative/init) with headers: 

"Accept-Language" = en;
"User-Agent" = "WFM/1 (iPhone Simulator; iOS 8.1; Scale/2.00)/WLNativeAPI/6.3.0.00.20141127-1357";
"X-Requested-With" = XMLHttpRequest;
"x-wl-app-version" = "1.0";
"x-wl-clientlog-appname" = WFM;
"x-wl-clientlog-appversion" = "1.0";
"x-wl-clientlog-deviceId" = "F986FBE9-C91C-459A-BCCE-591B6822D267";
"x-wl-clientlog-env" = iOSnative;
"x-wl-clientlog-model" = "x86_64";
"x-wl-clientlog-osversion" = "8.1";
"x-wl-platform-version" = "6.3.0.00.20141127-1357";

Post Data: action=test&isAjaxRequest=true
2015-03-13 09:52:30.500 WFM[80268:291046] [DEBUG] [WL_AFHTTPCLIENTWRAPPER_PACKAGE] -[WLAFHTTPClientWrapper start] in WLAFHTTPClientWrapper.m:182 :: Starting the request with URL 
2015-03-13 09:52:30.513 WFM[80268:291046] [DEBUG] [WL_REQUEST] -[WLRequest sendRequest:path:withOptions:] in WLRequest.m:200 :: waiting for response... (Thread=<NSThread: 0x7fhttps://xxxxx.com:9443/worklight/apps/services/api/WFM/iOSnative/initc1ce110ba0>number = 1, name = main)
Loading
2015-03-13 09:52:30.769 WFM[80268:291046] [DEBUG] [WL_AFHTTPCLIENTWRAPPER_PACKAGE] -[WLAFHTTPClientWrapper requestFailed:error:] in WLAFHTTPClientWrapper.m:209 :: Request Failed
2015-03-13 09:52:30.781 WFM[80268:291046] [DEBUG] [WL_AFHTTPCLIENTWRAPPER_PACKAGE] -[WLAFHTTPClientWrapper requestFailed:error:] in WLAFHTTPClientWrapper.m:210 :: Response Status Code : 0
2015-03-13 09:52:30.794 WFM[80268:291046] [DEBUG] [WL_AFHTTPCLIENTWRAPPER_PACKAGE] -[WLAFHTTPClientWrapper requestFailed:error:] in WLAFHTTPClientWrapper.m:211 :: Response Error : The operation couldn’t be completed. (NSURLErrorDomain error -1012.)
2015-03-13 09:52:30.838 WFM[80268:291046] [ERROR] [WL_REQUEST] -[WLRequest requestFailed:error:] in WLRequest.m:354 :: Status code='0' error='The operation couldn’t be completed. (NSURLErrorDomain error -1012.)' response='(null)'
2015-03-13 09:52:30.850 WFM[80268:291046] [DEBUG] [WL_REQUEST] -[WLRequest requestFailed:error:] in WLRequest.m:357 :: Response Header: (null)
Response Data: (null)
2015-03-13 09:52:30.860 WFM[80268:291046] [ERROR] [WL_CLIENT] -[WLClient onInitRequestFailure:userInfo:] in WLClient.m:1030 :: onInitRequestFailure
AD WL failed
The operation couldn’t be completed. (NSURLErrorDomain error -1012.)
C.WLErrorCode
0

服务器：

messages.log 或 console.log 文件中没有任何内容。我启用了跟踪：<logging traceSpecification="SSL=all:SSLChannel=all"/> 并在 trace.log 文件中看到以下内容

[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > init, vc=1088683271 Entry 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < init Exit 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > ready, vc=1088683271 Entry 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel > getSSLContextForInboundLink Entry 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 host=* port=9443 endPoint=defaultHttpEndpoint-ssl
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 Querying security service for alias=[defaultSSLConfig]
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper > getProperties Entry 
defaultSSLConfig
com.ibm.ssl.remotePort=9443, com.ibm.ssl.direction=inbound, com.ibm.ssl.remoteHost=*, com.ibm.ssl.endPointName=defaultHttpEndpoint-ssl
null
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper > getSSLPropertiesOnThread Entry 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.ssl.config.ThreadContext 3 getProperties
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper < getSSLPropertiesOnThread Exit 
Thread properties are NULL.
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.ssl.config.SSLConfigManager > getSSLConfig: defaultSSLConfig Entry 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.ssl.config.SSLConfigManager < getSSLConfig Exit 
SSLConfig.toString() 
com.ibm.ssl.keyStorePassword=********
com.ibm.ssl.daysBeforeExpireWarning=60
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.keyStoreName=defaultKeyStore
config.displayId=keyStore[defaultKeyStore]
com.ibm.ssl.trustStoreReadOnly=false
com.ibm.ssl.contextProvider=SunJSSE
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.alias=defaultSSLConfig
com.ibm.ssl.keyManager=SunX509
com.ibm.ssl.keyStore=C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
com.ibm.ssl.trustStoreInitializeAtStartup=true
com.ibm.ssl.keyStoreType=jks
com.ibm.ssl.clientAuthentication=false
com.ibm.ssl.keyStoreInitializeAtStartup=true
config.source=file
alias=defaultSSLConfig
id=defaultKeyStore
service.factoryPid=com.ibm.ws.ssl.keystore
config.id=com.ibm.ws.ssl.keystore[defaultKeyStore]
com.ibm.ssl.trustStore=C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
service.pid=com.ibm.ws.ssl.keystore_133
com.ibm.ssl.tokenEnabled=false
com.ibm.ssl.trustManager=PKIX
com.ibm.ssl.protocol=SSL
com.ibm.ssl.trustStorePassword=********
com.ibm.ssl.trustStoreName=defaultKeyStore
com.ibm.ssl.keyStoreCreateCMSStash=false
config.overrides=true
com.ibm.ssl.trustStoreCreateCMSStash=false
sslRef=defaultSSLConfig
com.ibm.ssl.keyStoreReadOnly=false
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustStoreType=jks
com.ibm.ssl.validationEnabled=false

[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.ssl.config.SSLConfigManager > determineIfCSIv2SettingsApply Entry 
com.ibm.ssl.remotePort=9443, com.ibm.ssl.direction=inbound, com.ibm.ssl.remoteHost=*, com.ibm.ssl.endPointName=defaultHttpEndpoint-ssl
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.ssl.config.SSLConfigManager < determineIfCSIv2SettingsApply (original settings) Exit 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper < getProperties -> direct Exit 
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 SSL configuration <null value means non-string>:
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStorePassword = ********
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.daysBeforeExpireWarning = 60
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreFileBased = true
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreName = defaultKeyStore
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 config.displayId = keyStore[defaultKeyStore]
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreReadOnly = false
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.contextProvider = SunJSSE
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreFileBased = true
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.alias = defaultSSLConfig
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyManager = SunX509
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStore = C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreInitializeAtStartup = true
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreType = jks
[13/03/15 10:29:53:921 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.clientAuthentication = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreInitializeAtStartup = true
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 config.source = file
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 alias = defaultSSLConfig
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 id = defaultKeyStore
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 service.factoryPid = com.ibm.ws.ssl.keystore
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 config.id = com.ibm.ws.ssl.keystore[defaultKeyStore]
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStore = C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 service.pid = com.ibm.ws.ssl.keystore_133
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.tokenEnabled = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustManager = PKIX
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.protocol = SSL
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStorePassword = ********
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreName = defaultKeyStore
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreCreateCMSStash = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 config.overrides = true
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreCreateCMSStash = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 sslRef = defaultSSLConfig
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.keyStoreReadOnly = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.securityLevel = HIGH
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.trustStoreType = jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel 3 com.ibm.ssl.validationEnabled = false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 keyStoreType: jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 trustStoreType: jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.JSSEProviderFactory > getInstance: null Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.JSSEProviderFactory < getInstance: com.ibm.ws.ssl.provider.SunJSSEProvider@8ae8a43 Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 keyStore: C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 keyStoreName: defaultKeyStore
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 keyStorePassword: ********
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 trustStore: C:/Program Files/IBM/WebSphere/Liberty/usr/servers/WorklightServer/resources/security/key.jks
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 trustStoreName: defaultKeyStore
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.SSLConfig 3 trustStorePassword: ********
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider > getSSLContext Entry 
com.ibm.ssl.remotePort=9443, com.ibm.ssl.direction=inbound, com.ibm.ssl.remoteHost=*, com.ibm.ssl.endPointName=defaultHttpEndpoint-ssl
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.config.ThreadContext 3 setOutboundConnectionInfoInternal :null
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider 3 outboundConnectionInfo: null
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.provider.AbstractJSSEProvider < getSSLContext -> (from cache) Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLChannel < getSSLContextForInboundLink Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils > getSSLEngine Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLLinkConfig > getEnabledCipherSuites Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.Constants > adjustSupportedCiphersToSecurityLevel Entry 
(63) TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_RC4_128_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_RSA_WITH_NULL_SHA TLS_ECDH_anon_WITH_NULL_SHA SSL_RSA_WITH_NULL_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_RC4_128_SHA TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_MD5
HIGH
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.Constants < adjustSupportedCiphersToSecurityLevel -> (9) TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLLinkConfig < getEnabledCipherSuites Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Client auth needed is false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Client auth supported is false
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Calling beginHandshake on engine
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils < getSSLEngine, hc=939063257 Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink 3 SSL engine hc=939063257 associated with vc=1088683271
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > readyInbound, vc=1088683271 Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink 1 Initial read bytes: 193
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink 1 Before unwrap
netBuf: hc=978838596 pos=0 lim=193 cap=8192
decBuf: hc=1615546952 pos=0 lim=24576 cap=24576
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink 1 After unwrap
netBuf: hc=978838596 pos=193 lim=193 cap=8192
decBuf: hc=1615546952 pos=0 lim=24576 cap=24576
status=OK HSstatus=NEED_TASK consumed=193 produced=0
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils > handleHandshake, engine=939063257 Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 status=OK HSstatus=NEED_TASK
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager > chooseEngineServerAlias Entry 
RSA
null
37f8f7d9[SSLEngine[hostname=null port=-1] SSL_NULL_WITH_NULL_NULL]
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager > chooseServerAlias Entry 
RSA
null
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper > getInboundConnectionInfo Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.config.ThreadContext 3 getInboundConnectionInfo
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.websphere.ssl.JSSEHelper < getInboundConnectionInfo Exit 
null
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager < chooseServerAlias (from JSSE) Exit 
wfm_app_server
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager < chooseEngineServerAlias: wfm_app_server Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager > getPrivateKey Entry 
wfm_app_server
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager 3 getX509KeyManager -> sun.security.ssl.SunX509KeyManagerImpl
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager < getPrivateKey -> true Exit 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager > getCertificateChain: wfm_app_server Entry 
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager 3 getX509KeyManager -> sun.security.ssl.SunX509KeyManagerImpl
[13/03/15 10:29:53:937 AEDT] 00000073 id= com.ibm.ws.ssl.core.WSX509KeyManager < getCertificateChain Exit 
[
[
Version: V3
Subject: OID.0.9.2342.19200300.100.1.3=bradley.dcosta@au1.ibm.com, UID=376595616, CN=xxxxx.com, OU=GBS, O=ibm.com, L=St. Leonards, ST=St. Leonards, C=AU
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 1024 bits
modulus: 0000
public exponent: 0000
Validity: [From: Tue Mar 03 16:00:00 AEDT 2015,
To: Fri Mar 02 15:59:59 AEDT 2018]
Issuer: CN=IBM INTERNAL INTERMEDIATE CA, O=International Business Machines Corporation, C=US
SerialNumber: [ 4fb7]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
00000
]
]

[2]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[CN=CRL41, CN=IBM INTERNAL INTERMEDIATE CA, O=International Business Machines Corporation, C=US]
, DistributionPoint:
[URIName: http://xxxxxx.com:2001/PKIServ/cacerts/CRL41.crl]
]]

[3]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 6A 68 74 74 70 3A 2F 2F 77 33 2D 30 33 2E 69 .jhttp://w3-03.i
0010: 62 6D 2E 63 6F 6D 2F 74 72 61 6E 73 66 6F 72 6D bm.com/transform
0020: 2F 73 61 73 2F 61 73 2D 77 65 62 2E 6E 73 66 2F /sas/as-web.nsf/
0030: 43 6F 6E 74 65 6E 74 44 6F 63 73 42 79 54 69 74 ContentDocsByTit
0040: 6C 65 2F 49 6E 66 6F 72 6D 61 74 69 6F 6E 2B 54 le/Information+T
0050: 65 63 68 6E 6F 6C 6F 67 79 2B 53 65 63 75 72 69 echnology+Securi
0060: 74 79 2B 53 74 61 6E 64 61 72 64 73 ty+Standards

], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 00000

]] ]
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 19 00 5A 9D FA 45 CF 0E E5 F6 6F 0E A2 7E 12 8E ..Z..E....o.....
0010: FC A5 F5 63 ...c
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000000

]
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 After task, hsstatus=NEED_WRAP
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 status=OK HSstatus=NEED_WRAP
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 before wrap: 
encBuf: hc=1861873243 pos=0 lim=24576 cap=24576
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 after wrap: 
encBuf: hc=1861873243 pos=0 lim=1906 cap=24576
status=OK HSstatus=NEED_UNWRAP consumed=0 produced=1906
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 Write bytes: 1906
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Get ready to decrypt data, netBuf: hc=978838596 pos=0 lim=8192 cap=8192
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Nothing was in the buffer
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Do async read
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 Read is not done. Callback will be used.
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils 3 after handshake loop, status=OK HSstatus=NEED_UNWRAP, fromCallback=false, engine=939063257
netBuf: hc=978838596 pos=0 lim=8192 cap=8192
decBuf: hc=1615546952 pos=0 lim=24576 cap=24576
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLUtils < handleHandshake Exit 
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < readyInbound Exit 
[13/03/15 10:29:53:984 AEDT] 00000073 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < ready Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLHandshakeIOCallback 3 Error occured during a read, exception:java.io.IOException: Connection closed: Read failed. Possible end of stream encountered. 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > error (handshake), vc=1088683271 Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink 3 Caught exception during unwrap, java.io.IOException: Connection closed: Read failed. Possible end of stream encountered. 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > close, vc=1088683271 Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext > close Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext < close Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLReadServiceContext > close, vc=1088683271 Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLReadServiceContext < close Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils > shutDownSSLEngine: isServer: true isConnected: true com.ibm.ws.channel.ssl.internal.SSLConnectionLink@5a8fd148 Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils > flushCloseDown Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 before wrap: 
buf: hc=1615546952 pos=0 lim=24576 cap=24576
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 after wrap: 
buf: hc=1615546952 pos=0 lim=7 cap=24576
status=CLOSED consumed=0 produced=7
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils 1 write bytes: 7
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils < flushCloseDown Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLUtils < shutDownSSLEngine Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink > destroy, vc=1088683271 Entry 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < destroy Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < close Exit 
[13/03/15 10:29:53:999 AEDT] 00000029 id= com.ibm.ws.channel.ssl.internal.SSLConnectionLink < error (handshake), vc=1088683271 Exit 

【参考方案1】：

一些建议......

设备上只需要安装根 CA。没有其他的。通过电子邮件或安全下载链接（不要使用浏览器的证书导入）将此根 CA 安装到设备信任库中，这一点很重要。 确保服务器提供证书链的顺序是正确的。 iOS 在这里比 android 严格得多，如果顺序不正确，将不信任服务器。 确保服务器证书公用名与主机名而不是 IP 匹配。需要使用主机名。 尝试使用诊断工具来帮助调试 SSL 相关问题。例如，这将有助于验证 ssl 路径问题： openssl s_client -CApath $HOME/CAdir -connect hostname:port

【讨论】：

谢谢 - 它最终成为导致问题的 #2。原始服务器设置没有正确设置证书链。我按照以下链接使用 OpenSSL 重做它并且一切正常。 www-01.ibm.com/support/knowledgecenter/SSHS8R_6.3.0/…