SSL连接失败,没有来自服务器的证书请求,从AWS上运行的本地Websphere AS连接到AWS上的Nginx

我很难通过客户端身份验证连接到服务.该服务(“SecureService”)在AWS上.客户端位于Mac上的Linux VM上. SecureService上的Nginx对我在端口443上访问的资源强制执行客户端身份验证.我可以使用概念验证Java独立应用程序(openjdk 1.8.0_60)或其他客户端,从同一个VM连接到同一个SecureService,获得成功的响应(wget,openssl),但不是来自Websphere AS上托管的相同Java代码(无可否认地依赖于旧库和IBM J9 VM,构建2.6,JRE 1.6.0).但是,在/ etc / hosts中将SecureService主机名重新映射到127.0.0.1时,Websphere AS上的相同Java代码会成功连接到需要来自同一证书颁发机构的客户端身份验证的本地openSSL服务器. SecureServer在失败连接中的响应报告“400没有发送所需的SSL证书”…“400 Bad Request”,但tcpdump数据包捕获显示它不发送证书请求,而在所有其他情况下.这令人费解并且让我认为ClientHello消息中有一些服务器不喜欢的东西,尽管成功和失败连接中的ClientHello消息非常相似.

一个非常奇怪的细节也是tcpdump从未在失败的通信中捕获从我的客户端到服务器的第一个TCP SYN数据包,而它捕获其余的(来自服务器的SYN ACK,然后来自客户端的ACK)和所有数据包(SYN)所有其他通信上的,SYN ACK,ACK).

所有通信都在其所有部分中使用TLSv1.2.

连接失败:


    (client <--> server)
    <-- SYN,ACK
    --> ACK
    --> Client Hello
    <-- ACK
    <-- Server Hello,Certificate,Server Hello Done
    --> ACK
    --> Client Key Exchange
    <-- ACK
    --> Change Cypher Spec
    <-- ACK
    --> Encrypted Handshake Message
    <-- ACK
    <-- Change Cypher Spec,Encrypted Handshake Message
    --> Application Data
    ...

从概念证明Java app成功连接:
(客户端< - >服务器)


    --> SYN
    <-- SYN,ACK
    --> ACK
    --> Client Hello
    <-- ACK
    <-- Server Hello
    <-- Certificate
    <-- Certificate Request,Server Hello Done
    --> ACK
    --> ACK
    --> [TCP segment of a reassembled PDU]
    --> Certificate,Client Key Exchange
    <-- ACK
    --> Certificate Verify
    --> Change Cypher Spec
    --> Hello Request,Hello Request
    <-- ACK
    <-- Change Cypher Spec,Encrypted Handshake Message
    --> Application Data
    ...

从Websphere AS到本地openSSL的成功连接:
(客户端< - >服务器)


    --> SYN
    <-- SYN,Certificate Request,Server Hello Done
    --> ACK
    --> Certificate,Client Key Exchange
    <-- ACK
    --> Certificate Verify
    --> Change Cypher Spec
    --> Encrypted Handshake Message
    <-- ACK
    <-- Change Cypher Spec,Encrypted Handshake Message
    --> Application Data
    ...

失败的客户你好:

Frame 3: 332 bytes on wire (2656 bits),332 bytes captured (2656 bits)
    Encapsulation type: Linux cooked-mode capture (25)
    Arrival Time: Feb 25,2016 13:29:15.353437000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456406955.353437000 seconds
    [Time delta from previous captured frame: 0.004839000 seconds]
    [Time delta from previous displayed frame: 0.004839000 seconds]
    [Time since reference or first frame: 0.004868000 seconds]
    Frame Number: 3
    Frame Length: 332 bytes (2656 bits)
    Capture Length: 332 bytes (2656 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: sll:ethertype:ip:tcp:ssl]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: CadmusCo_67:0a:c1 (08:00:27:67:0a:c1)
    Protocol: IPv4 (0x0800)
Internet Protocol Version 4,Src: (OMITTED FOR SECURITY REASONS),Dst: (OMITTED FOR SECURITY REASONS)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0,ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 316
    Identification: 0xf29d (62109)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xc7f8 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: (OMITTED FOR SECURITY REASONS)
    Destination: (OMITTED FOR SECURITY REASONS)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol,Src Port: 51512 (51512),Dst Port: 443 (443),Seq: 1,Ack: 1,Len: 276
    Source Port: 51512
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 276]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 277    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header Length: 20 bytes
    Flags: 0x018 (PSH,ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: *******AP***]
    Window size value: 14600
    [Calculated window size: 14600]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x8054 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [Bytes in flight: 276]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 271
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 267
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: Feb 25,2016 13:29:15.000000000 GMT
                Random Bytes: 2ca99e72b66289fcd3f11bf2dc3ef464709b197e6dd6cdd5...
            Session ID Length: 32
            Session ID: 28eef056a41440e760eaa9e3358a9cd56d8823fa130e9100...
            Cipher Suites Length: 128
            Cipher Suites (64 suites)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
                Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
                Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
                Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 66
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 24
                Elliptic Curves Length: 22
                Elliptic curves (11 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp192r1 (0x0013)
                    Elliptic curve: secp224r1 (0x0015)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: secp521r1 (0x0019)
                    Elliptic curve: secp160k1 (0x000f)
                    Elliptic curve: secp160r1 (0x0010)
                    Elliptic curve: secp160r2 (0x0011)
                    Elliptic curve: secp192k1 (0x0012)
                    Elliptic curve: secp224k1 (0x0014)
                    Elliptic curve: secp256k1 (0x0016)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 28
                Signature Hash Algorithms Length: 26
                Signature Hash Algorithms (13 algorithms)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0303
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0301
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0402
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0101
                        Signature Hash Algorithm Hash: MD5 (1)
                        Signature Hash Algorithm Signature: RSA (1)

从SecureServer的概念证明成功的客户Hello:

Frame 62: 306 bytes on wire (2448 bits),306 bytes captured (2448 bits) on interface 0
    Interface id: 0 (en0)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 24,2016 17:20:21.803009000 GMT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1456334421.803009000 seconds
    [Time delta from previous captured frame: 0.119948000 seconds]
    [Time delta from previous displayed frame: 0.119948000 seconds]
    [Time since reference or first frame: 17.897514000 seconds]
    Frame Number: 62
    Frame Length: 306 bytes (2448 bits)
    Capture Length: 306 bytes (2448 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:ssl]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II,Src: Apple_bc:c7:11 (a4:5e:60:bc:c7:11),Dst: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
    Destination: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
        Address: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
        Address: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4,ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 292
    Identification: 0xa8b7 (43191)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x279c [validation disabled]
        [Good: False]
        [Bad: False]
    Source: (OMITTED FOR SECURITY REASONS)
    Destination: (OMITTED FOR SECURITY REASONS)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol,Src Port: 62197 (62197),Len: 240
    Source Port: 62197
    Destination Port: 443
    [Stream index: 9]
    [TCP Segment Len: 240]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 241    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH,ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: *******AP***]
    Window size value: 4122
    [Calculated window size: 131904]
    [Window size scaling factor: 32]
    Checksum: 0xc3c5 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes),No-Operation (NOP),Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 928661973,TSecr 546145009
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 928661973
            Timestamp echo reply: 546145009
    [SEQ/ACK analysis]
        [iRTT: 0.016102000 seconds]
        [Bytes in flight: 240]
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 235
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 231
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: Feb 24,2016 17:20:21.000000000 GMT
                Random Bytes: fbb67137e8cde6609cb570685f6c9b5a62eefbc12973b545...
            Session ID Length: 0
            Cipher Suites Length: 58
            Cipher Suites (29 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 132
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 52
                Elliptic Curves Length: 50
                Elliptic curves (25 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: sect163k1 (0x0001)
                    Elliptic curve: sect163r2 (0x0003)
                    Elliptic curve: secp192r1 (0x0013)
                    Elliptic curve: secp224r1 (0x0015)
                    Elliptic curve: sect233k1 (0x0006)
                    Elliptic curve: sect233r1 (0x0007)
                    Elliptic curve: sect283k1 (0x0009)
                    Elliptic curve: sect283r1 (0x000a)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: sect409k1 (0x000b)
                    Elliptic curve: sect409r1 (0x000c)
                    Elliptic curve: secp521r1 (0x0019)
                    Elliptic curve: sect571k1 (0x000d)
                    Elliptic curve: sect571r1 (0x000e)
                    Elliptic curve: secp160k1 (0x000f)
                    Elliptic curve: secp160r1 (0x0010)
                    Elliptic curve: secp160r2 (0x0011)
                    Elliptic curve: sect163r1 (0x0002)
                    Elliptic curve: secp192k1 (0x0012)
                    Elliptic curve: sect193r1 (0x0004)
                    Elliptic curve: sect193r2 (0x0005)
                    Elliptic curve: secp224k1 (0x0014)
                    Elliptic curve: sect239k1 (0x0008)
                    Elliptic curve: secp256k1 (0x0016)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 26
                Signature Hash Algorithms Length: 24
                Signature Hash Algorithms (12 algorithms)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0303
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0301
                        Signature Hash Algorithm Hash: SHA224 (3)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
                    Signature Hash Algorithm: 0x0101
                        Signature Hash Algorithm Hash: MD5 (1)
                        Signature Hash Algorithm Signature: RSA (1)
            Extension: server_name
                Type: server_name (0x0000)
                Length: 36
                Server Name Indication extension
                    Server Name list length: 34
                    Server Name Type: host_name (0)
                    Server Name length: 31
                    Server Name: (OMITTED FOR SECURITY REASONS - IT CORRESPONDS TO THE DESTINATION HOSTNAME)

Tcpdump命令行:


    sudo tcpdump -s 0 -n "port 443" -w /Repo/security/capture.cap -i any

有谁知道会出现什么问题?目前,我没有管理权限甚至帐户登录服务器.

最佳答案
求助 – 我发现Nginx服务器需要在Client Hello中指定“server_name”扩展名.实际上,以下openssl命令会提示服务器发出证书申请…

/usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -cert client_identity.crt -key client_identity.key -connect SecureServerHostName:443 -debug 

…而省略“-servername”选项却没有.

我将如何强制WebsphereAS添加该扩展是另一双鞋.通过更新TLS协议的实现,升级Java版本可能会有所帮助.

更新:是的,将IBM JDK从1.6升级到1.7.1工作,生成具有服务器名称指示的客户端Hello消息,如here所述(默认情况下,Java SE 7启用服务器名称指示(SNI).).

相关文章

文章浏览阅读3.7k次,点赞2次,收藏5次。Nginx学习笔记一、N...
文章浏览阅读1.7w次,点赞14次,收藏61次。我们在使用容器的...
文章浏览阅读1.4k次。当用户在访问网站的过程中遇到404错误时...
文章浏览阅读2.7k次。docker 和 docker-compose 部署 nginx+...
文章浏览阅读1.3k次。5:再次启动nginx,可以正常启动,可以...
文章浏览阅读3.1w次,点赞105次,收藏182次。高性能:Nginx ...