I am building a spring-boot application that makes two-way SSL calls to a provider. I have created a JKS keystore in which I put my key, and a truststore holding the server's certificate.
I make the call with RestTemplate and pass the store details at runtime with -Djavax.net.ssl.trustStore=path_to_truststore -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.keyStorePassword=password
I had to add the Apache HttpClient dependency to the pom to prevent the exception java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode.
When the application actually makes the HTTPS call to the provider, it gets a 401 Unauthorized response. The SSL log shows
javax.net.ssl|INFO|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.822 EDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.827 EDT|PreSharedKeyExtension.java:606|No session to resume.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.831 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "5A 4B E8 7D 18 CC DA 1F F5 29 E7 1C 4D AF 91 80 AE 6A 86 26 BF 94 E4 48 F9 C0 AF 1A 7C AC 8C 44",
"session id" : "61 D7 74 F4 4D 79 4F 8F 27 EA CA B9 79 C2 9C B6 01 00 B6 28 EB C3 62 4F 69 25 E6 D9 E9 50 1B E6",
"cipher suites" : "[...]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=...
},
...
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.875 EDT|ServerHello.java:866|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "06 9F 42 F7 B2 36 3F 06 11 38 CE 42 14 8D B7 35 48 2C 5D 81 94 50 23 C6 14 45 63 E7 5E C9 FC 5C",
"session id" : "61 D7 74 F4 4D 79 4F 8F 27 EA CA B9 79 C2 9C B6 01 00 B6 28 EB C3 62 4F 69 25 E6 D9 E9 50 1B E6",
"cipher suite" : "TLS_AES_256_GCM_SHA384(0x1302)",
"compression methods" : "00",
...
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|ServerHello.java:962|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.878 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:167|Consumed extension: key_share
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:138|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|PreSharedKeyExtension.java:832|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.887 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|ChangeCipherSpec.java:232|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp224r1, secp521r1]
}
]
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|SSLExtensions.java:167|Consumed extension: supported_groups
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.909 EDT|CertificateMessage.java:1148|Consuming server Certificate handshake message (
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
{
"certificate" : {
"version" : "v3",
"signature algorithm": "SHA256withRSA",
...}
"extensions": {
<no extension>
}
},
{
"certificate" : {
"version" : "v3",
"signature algorithm": "SHA256withRSA",
...}
"extensions": {
<no extension>
}
},
{
"certificate" : {
"version" : "v3",
"signature algorithm": "SHA256withRSA",
...}
"extensions": {
<no extension>
}
},
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.939 EDT|CertificateVerify.java:1128|Consuming CertificateVerify handshake message (
"CertificateVerify": {
"signature algorithm": rsa_pss_rsae_sha256
"signature": {
...
}
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.941 EDT|Finished.java:860|Consuming server Finished handshake message (
"Finished": {
"verify data": {
...
}'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.942 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|Finished.java:658|Produced client Finished handshake message (
"Finished": {
"verify data": {
...
}'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.994 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
"ticket_lifetime" : "7,200",
"ticket_age_add" : "<omitted>",
"ticket_nonce" : "00 00 00 00 00 00 00 00",
"ticket" : ...,
"extensions" : [
<no extension>
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.995 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
"ticket_lifetime" : "7,200",
"ticket_age_add" : "<omitted>",
"ticket_nonce" : "00 00 00 00 00 00 00 01",
"ticket" : ...,
"extensions" : [
<no extension>
]
}
)
The response is
HttpMethod: POST, ResponseBody: <html>
<head><title>401 Authorization Required</title></head>
<body>
...
</body>
</html>
I was surprised not to see the SSL handshake step where the server requests a certificate (the step "Consuming CertificateVerify handshake message" is immediately followed by "Consuming server Finished handshake message"), so it seems my application does not send it. I guess that is why I get the 401.
I tried different solutions, building the KeyStore, KeyManagerFactory, SSLContext and HttpComponentsClientHttpRequestFactory manually so as to inject everything into the RestTemplate, and I always get the same result. In that case I can see in debug that the RestTemplate contains my private key and certificate.
Do you know what is wrong?
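An added example, not code from the question, that assumes Spring's RestTemplate on top of Apache HttpClient 4.5: it builds the SSLContext from the JKS keystore and truststore by hand, lists which keystore entries actually carry a private key, and wraps the key manager so the application log shows whether JSSE was ever asked for a client certificate (which only happens after the server sends a CertificateRequest) and which alias it offered. The class name, the logging wrapper and the assumption that the key entry shares the keystore password are mine.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class MutualTlsRestTemplate {
    // Hypothetical wrapper: delegates to the keystore-backed key manager and logs each time JSSE asks
    // it for a client certificate. JSSE asks only after a CertificateRequest has arrived, so no log
    // line means the server never asked; alias=null means no key entry matched the requested types/issuers.
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager d;
        LoggingKeyManager(X509ExtendedKeyManager d) { this.d = d; }
        private static String report(String alias, String[] keyTypes, Principal[] issuers) {
            System.out.printf("CertificateRequest: keyTypes=%s issuers=%d chosen alias=%s%n", String.join(",", keyTypes), issuers == null ? 0 : issuers.length, alias);
            return alias;
        }
        // HttpClient 4 uses blocking SSLSocket, so chooseClientAlias is the path taken; the engine variant covers SSLEngine clients.
        @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return report(d.chooseClientAlias(kt, is, s), kt, is); }
        @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return report(d.chooseEngineClientAlias(kt, is, e), kt, is); }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return d.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return d.getServerAliases(kt, is); }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return d.chooseServerAlias(kt, is, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // Assumes the key entry uses the same password as the keystore, as -Djavax.net.ssl.keyStorePassword does.
    public static RestTemplate build(String keyStorePath, char[] keyStorePass,
                                     String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore ks = load(keyStorePath, keyStorePass);
        for (String alias : java.util.Collections.list(ks.aliases()))   // a certificate-only entry cannot authenticate the client
            System.out.println(alias + (ks.isKeyEntry(alias) ? " (private key present)" : " (certificate only)"));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, keyStorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(load(trustStorePath, trustStorePass));
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509ExtendedKeyManager) kms[i] = new LoggingKeyManager((X509ExtendedKeyManager) kms[i]);
        SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kms, tmf.getTrustManagers(), null);   // truststore still validates the server chain
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(HttpClients.custom().setSSLContext(ctx).build()));
    }
}
```

Run the call through the returned RestTemplate with -Djavax.net.debug=ssl:handshake still enabled: a "CertificateRequest:" line next to the handshake trace tells you whether the server asked and which entry was offered, and the alias listing tells you whether the keystore even contains a usable key entry.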