Problem description
I am building a Spring Boot application that makes 2-way SSL calls to a provider. I created a jks keystore in which I put my key, and a truststore containing the server's certificate.
I make the call with restTemplate, and at runtime I pass the store details with -Djavax.net.ssl.trustStore=path_to_truststore -Djavax.net.ssl.trustStorePassword=password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.keyStorePassword=password
I had to add the apache httpclient dependency to the pom to avoid the exception java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode.
When the app actually makes the https call to the provider, it receives a 401 Unauthorized response. The SSL log shows
javax.net.ssl|INFO|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.822 EDT|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.827 EDT|PreSharedKeyExtension.java:606|No session to resume.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.831 EDT|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2","random" : "5A 4B E8 7D 18 CC DA 1F F5 29 E7 1C 4D AF 91 80 AE 6A 86 26 BF 94 E4 48 F9 C0 AF 1A 7C AC 8C 44","session id" : "61 D7 74 F4 4D 79 4F 8F 27 EA CA B9 79 C2 9C B6 01 00 B6 28 EB C3 62 4F 69 25 E6 D9 E9 50 1B E6","cipher suites" : "[...]","compression methods" : "00","extensions" : [
"server_name (0)": {
type=host_name (0),value=...
},...
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.875 EDT|ServerHello.java:866|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2","random" : "06 9F 42 F7 B2 36 3F 06 11 38 CE 42 14 8D B7 35 48 2C 5D 81 94 50 23 C6 14 45 63 E7 5E C9 FC 5C","cipher suite" : "TLS_AES_256_GCM_SHA384(0x1302)",...
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.876 EDT|ServerHello.java:962|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.878 EDT|SSLExtensions.java:167|Consumed extension: supported_versions
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:167|Consumed extension: key_share
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|SSLExtensions.java:138|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.879 EDT|PreSharedKeyExtension.java:832|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.887 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.889 EDT|ChangeCipherSpec.java:232|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
"supported_groups (10)": {
"versions": [x25519,secp256r1,secp384r1,secp224r1,secp521r1]
}
]
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.897 EDT|SSLExtensions.java:167|Consumed extension: supported_groups
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.909 EDT|CertificateMessage.java:1148|Consuming server Certificate handshake message (
"Certificate": {
"certificate_request_context": "","certificate_list": [
{
"certificate" : {
"version" : "v3","signature algorithm": "SHA256withRSA",...}
"extensions": {
<no extension>
}
},{
"certificate" : {
"version" : "v3",]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.910 EDT|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.939 EDT|CertificateVerify.java:1128|Consuming CertificateVerify handshake message (
"CertificateVerify": {
"signature algorithm": rsa_pss_rsae_sha256
"signature": {
...
}
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.941 EDT|Finished.java:860|Consuming server Finished handshake message (
"Finished": {
"verify data": {
...
}'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.942 EDT|SSLCipher.java:1824|KeyLimit read side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|Finished.java:658|Produced client Finished handshake message (
"Finished": {
"verify data": {
...
}'}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.943 EDT|SSLCipher.java:1978|KeyLimit write side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.994 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
"ticket_lifetime" : "7,200","ticket_age_add" : "<omitted>","ticket_nonce" : "00 00 00 00 00 00 00 00","ticket" : ...,"extensions" : [
<no extension>
]
}
)
javax.net.ssl|DEBUG|01 B2|http-nio-8080-exec-1|2020-08-19 07:44:16.995 EDT|NewSessionTicket.java:330|Consuming NewSessionTicket message (
"NewSessionTicket": {
"ticket_lifetime" : "7,"ticket_nonce" : "00 00 00 00 00 00 00 01","extensions" : [
<no extension>
]
}
)
The response is
HttpMethod: POST,ResponseBody: <html>
<head><title>401 Authorization required</title></head>
<body>
...
</body>
</html>
I am surprised not to see the SSL handshake step in which the server requests a certificate (the "Consuming CertificateVerify handshake message" step is immediately followed by "Consuming server Finished handshake message"), so my app does not seem to send one. I guess this is why I get the 401 error.
I tried different solutions, manually building the KeyStore, KeyManagerFactory, SSLContext and HttpComponentsClientHttpRequestFactory in order to inject everything into the restTemplate, and I always get the same result. In that case I can see in the debugger that the restTemplate contains my private key and certificate.
Any ideas?
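The following is an added example, not code from the question or from Spring or Apache HttpClient. It builds the mutual-TLS RestTemplate the question describes by hand, and wraps the X509KeyManager so that the application log records whether JSSE was ever asked to choose a client certificate. JSSE only makes that call after it has consumed a CertificateRequest from the server; in the TLS 1.3 log above, EncryptedExtensions is followed directly by the server Certificate message, which is exactly where a server that wants client authentication would have sent CertificateRequest. The wrapper therefore distinguishes "the server never asked" from "the server asked but no key entry matched its acceptable issuers" (chosen alias null), which are the two ways a client ends up sending no certificate. It assumes Apache HttpClient 4.5 (HttpClientBuilder.setSSLContext) and Spring's HttpComponentsClientHttpRequestFactory; the file paths and passwords passed to build() are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public final class MutualTlsRestTemplate {

    /** Delegating key manager that records whether the server ever sent a CertificateRequest. */
    static final class ObservingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private volatile boolean certificateRequested;

        ObservingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        boolean certificateRequested() { return certificateRequested; }

        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            // JSSE calls this only after consuming a CertificateRequest from the server.
            certificateRequested = true;
            String alias = delegate.chooseClientAlias(keyType, issuers, socket);
            int issuerCount = issuers == null ? 0 : issuers.length;
            String types = keyType == null ? "" : String.join(",", keyType);
            // alias == null means no key entry matched the acceptable issuers / key types,
            // so the client will answer with an empty Certificate message.
            System.out.println("CertificateRequest seen: acceptable issuers=" + issuerCount
                    + ", key types=" + types + ", chosen alias=" + alias);
            return alias;
        }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        @Override public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
    }

    private static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds a RestTemplate that presents the keystore identity and trusts only the truststore. */
    public static RestTemplate build(String keyStorePath, char[] keyStorePassword,
                                     String trustStorePath, char[] trustStorePassword) throws Exception {
        // The second argument to init() is the key-entry password: it must unlock the
        // private key itself, not just the store (the system-property setup uses one value for both).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyStorePassword), keyStorePassword);
        KeyManager[] keyManagers = kmf.getKeyManagers();
        for (int i = 0; i < keyManagers.length; i++) {
            if (keyManagers[i] instanceof X509KeyManager) {
                keyManagers[i] = new ObservingKeyManager((X509KeyManager) keyManagers[i]);
            }
        }

        // Server trust: only chains anchored in the truststore are accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustStorePassword));

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagers, tmf.getTrustManagers(), null);

        // HttpClient 4.5 builder API; default hostname verification stays in place.
        CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }
}
```

If a request goes through and the "CertificateRequest seen" line never appears, the server did not ask for a client certificate on that connection, which matches the handshake log above; the 401 then has to be explained on the server side (whether that endpoint is actually configured to request client certificates, or expects some other credential). If the line appears with chosen alias=null, the keystore entry's issuer or key type is not among what the server accepts, and the client sends an empty Certificate message instead of the key.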
Solution
No working solution has been found for this problem yet.