我有一个openssl自签名证书,ec prime256v1配置为tomcat 8.5.63,使用java 1.8.275。我正在尝试将java客户端连接到服务器。我已经在客户端信任库中下载了服务器证书,但它正在进行握手失败。下面是我为配置ssl服务器和客户端所做工作的详细信息。
我使用以下命令创建了一个openssl服务器证书。
openssl ecparam-name prime256v1-genkey-noout-out tomcatkey.pem
openssl请求-新建-x509-密钥tomcatkey.pem-输出tomcatcert.pem-第360天
openssl pkcs8-topk8-nocrypt-in-tomcatkey.pem-通知pem-out-tomcatkey.key.der-导出
openssl x509-输入tomcatcert.pem-通知pem-输出tomcatcert.crt.der-输出der
之后,我将使用agentbob中的importkey.java(http://www.agentbob.info/agentbob/80/version/default/part/attachmentdata/data/importkey.java)创建java密钥库。
这是我在server.xml中使用的tomcat连接器
connector port=“443”protocol=“org.apache.coyote.http11.http11nioprotocol”sslimplementationname=“org.apache.tomcat.util.net.openssl.opensslimplementation”sslenabled=“true”enablelookups=“false”acceptcount=“1000”scheme=“https”secure=“true”sslprotocol=“tls1.2”uriencoding=“utf-8”keystrepass=“changeit”keystrefile=“conf/keystore”keyalias=“importkey”
在java客户机配置之后,我已经将证书正确下载到客户机信任库,并使用keytool-list命令对其进行了验证。证书签名算法为“签名算法”:“sha256withecdsa”。
现在,当我启用ssl调试日志时,下面是我从客户端获得的日志。
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "0C 55 D2 07 C4 58 74 F9 B6 98 C8 41 06 36 87 C1 E8 2F 3E 5E B7 BA AC E5 A5 C9 89 37 FE 48 33 29",
"session id" : "",
"cipher suites" : "[TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=xpvm-135.ros.net
},
"supported_groups (10)": {
"versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, rsa_sha224, dsa_sha224, rsa_pkcs1_sha1, dsa_sha1]
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.2, TLSv1.1, TLSv1]
}
]
}
)
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 223
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketOutputRecord.java:255|Raw write (
0000: 16 03 03 00 DF 01 00 00 DB 03 03 0C 55 D2 07 C4 ............U...
0010: 58 74 F9 B6 98 C8 41 06 36 87 C1 E8 2F 3E 5E B7 Xt....A.6.../>^.
0020: BA AC E5 A5 C9 89 37 FE 48 33 29 00 00 26 00 9D ......7.H3)..&..
0030: 00 9F 00 A3 00 9C 00 9E 00 A2 00 3D 00 6B 00 6A ...........=.k.j
0040: 00 35 00 39 00 38 00 3C 00 67 00 40 00 2F 00 33 .5.9.8.<.g.@./.3
0050: 00 32 00 FF 01 00 00 8C 00 00 00 25 00 23 00 00 .2.........%.#..
0060: 20 78 70 76 6D 2D 31 33 35 2E 72 6F 73 2E 73 74 xpvm-135.ros.ne
0070: 6F 72 61 67 65 2E 68 70 65 63 6F 72 70 2E 6E 65 t...............
0080: 74 00 0A 00 0C 00 0A 01 00 01 01 01 02 01 03 01 ................
0090: 04 00 0D 00 1E 00 1C 08 04 08 05 08 06 08 09 08 ................
00A0: 0A 08 0B 04 01 05 01 06 01 04 02 03 01 03 02 02 ................
00B0: 01 02 02 00 32 00 1E 00 1C 08 04 08 05 08 06 08 ....2...........
00C0: 09 08 0A 08 0B 04 01 05 01 06 01 04 02 03 01 03 ................
00D0: 02 02 01 02 02 00 17 00 00 00 2B 00 07 06 03 03 ..........+.....
00E0: 03 02 03 01 ....
)
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketInputRecord.java:486|Raw read (
0000: 15 03 03 00 02 .....
)
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketInputRecord.java:486|Raw read (
0000: 02 28 .(
)
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|SSLSocketInputRecord.java:247|READ: TLSv1.2 alert, length = 2
javax.net.ssl|FINE|0E|HostAgentThread|2021-06-22 11:09:54.162 IST|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}所以在这里,我看到服务器密码ecdsa不在clienthello消息中客户端支持的密码列表中。这就是客户端握手失败的原因。如果这就是原因,那么有什么方法可以将密码添加到客户端支持的列表或任何解决方法中,以使握手成功。我已经在为客户端和服务器使用jce无限权限策略。
暂无答案!
目前还没有任何答案,快来回答吧!