Question:

Two-way SSL handshake fails (javax.net.ssl.SSLHandshakeException) after the certificate verification step, while changing to the newly established cipher suite

闻人宏盛
2023-03-14

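I am facing an issue with a two-way SSL connection. After enabling and reviewing the SSL debug logs, I found that the certificate exchange happens properly. But after the certificate verification step, while changing to the newly established cipher suite, it fails with an SSLHandshakeException.

One more thing: I am using the org.apache.http.conn.ssl.SSLConnectionSocketFactory class for the connection, and javax.net.ssl.SSLContext to provide the keystore path, keystore password, keystore type, and the Java truststore path and truststore password.

I have also installed the Unlimited_JCE_Policy jars in the jre/lib/security folder, but the issue is still not resolved.

Below are the SSL debug logs (redacted for sensitive information), which I got after adding the -Djavax.net.debug=all option to my Tomcat server.

I have exhausted all my options; please help me debug this.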

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1587274296 bytes = { 228, 35, 120, 21, 209, 132, 132, 30, 149, 198, 112, 126, 30, 140, 242, 220, 243, 241, 56, 217, 176, 72, 122, 189, 186, 84, 138, 107 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=dummy.com]
***

*** ServerHello, TLSv1.2
RandomCookie:  GMT: -2114684890 bytes = { 90, 119, 248, 248, 216, 146, 249, 153, 116, 215, 63, 118, 5, 51, 75, 21, 65, 51, 234, 73, 65, 80, 89, 71, 5, 187, 85, 226 }
Session ID:  {112, 15, 35, 25, 164, 178, 118, 92, 24, 151, 252, 227, 204, 187, 222, 165, 37, 25, 166, 93, 48, 20, 154, 31, 32, 87, 70, 46, 28, 203, 174, 53}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=dummy.com, O=DUMMY Limited, L=Mumbai, ST=Maharashtra, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.111.110.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 7052631620228616775547420082798548950919340244279073769913613702342981771967237727631055951453640239431872969513669580187218236284810019094046772967383964532691044447883775955540400053241556727447454890970235292057633871512623754154522008251593390574617993609393573311038571044673755004608177602839240960109581315205585347515078577522273536482843663843811938218601566841063681809030993800845128902732754491954172896897202969405469795346575603858447770830369150744853454485036414564857862466788398095271768313704507089183067041424424717802090540269511201316204005685738584558793704003073277045577506581083711618971410286995431647668371083015395607216137051566569465878831815839796621268795715613323716340707965068111045737962122919999999999999933600342589999999999999845225257671111111111111111111137441
  public exponent: 64437
  Validity: [From: Mon Jul 06 12:53:18 IST 2020,
               To: Tue Oct 04 12:53:17 IST 2022]
  Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  SerialNumber: [    05899999 86999999 41999999 a9999999]
Certificate Extensions: 10
[1]: ObjectId: 1.2.7.1.3.1.11111.1.5.1 Criticality=false

------------------------------------------------------------
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
------------------------------------------------------------
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=dummy.com, O=DUMMY Limited, L=Mumbai, ST=Maharashtra, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 7429401386363194735786622861677554742008279854895091934024427907376991361370234298177196736239611005309266079510841102241838644451686007112674335445896622723772763105595145364023943187296951366958018721823027277873629629885038121643592346301790624375915886284810019094046772967383964532691044447883775955540400053241556727447454890970235292057633871512623754154522008251593390574617993609393573311038571044673755004608177602839240960109581315205585347515078577522273536482843663843811938218601566841063681809030993800845128902732754491954172896897202969405469795346575603858447770830369150744853454485036414564857862466788398095271768313704507089183067041424444444444444444424717802090540277777777777777777777777777714102869954316476683711111111111111111110830153956072161370511111111111111111111566569465878831815839999999999999999999997966213677137441
  public exponent: 65887
  Validity: [From: Mon Jul 06 12:53:18 IST 2020,
               To: Tue Oct 04 12:53:17 IST 2022]
  Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
  SerialNumber: [    05888888 8688888 41QAAAA a2DDDDDD]

Certificate Extensions: 10
[1]: ObjectId: 8.3.2.1.4.1.11129.2.9.2 Criticality=false
]

*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 384 bits
  public x coord: 11111111111111111111117999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
  public y coord: 22222222222222222222228888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
------------------------------------------------------------
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
------------------------------------------------------------

TP-Processor3, READ: TLSv1.2 Handshake, length = 36
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<Empty>

TP-Processor3, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=CLIENT.com, O=CLIENT PRIVATE LIMITED, L=Bengaluru, ST=Karnataka, C=IN
  Signature Algorithm: SHA256withRSA, OID = 1.2.888.111111.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 290917627347077908622611910632100000000000000000000000000000046087609704050900299815422531856488310792015976698480303255190950151018144486664719368897666666666666666666666666666667145802981061762927385555555555555555555555555555555555555555503641034961875452964581873004195272822222222222222222222222222222222222241568761927572710269917900733536516748436670893218496130253762999469395666158787885478532805483186099417219102169363707338972728090057330429792574728036578324737889348700154291814348847920005022222222222222222222222222222222222222222222222222222222102150393074157132754725779611111111111111111111111111111111113565461
  public exponent: 65537
  Validity: [From: Thu Dec 12 05:30:00 IST 2019,
               To: Tue Dec 15 17:30:00 IST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    0666666a 2077777d 2888888 4199999]

Certificate Extensions: 10
[1]: ObjectId: 1.2.5.1.3.1.11155.6.7.8 Criticality=false

------------------------------------------------------------
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
------------------------------------------------------------
]
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 111, 666, 74, 104, 24, 333, , 11, 121, 158, 78, 48, 248, 141, 125, 22, 85, 97, 33, 123, 231, 100 237, 255, 172, 229, 113, 51, 40, 444, 54, 66, 89, 93, 13, 999, 183, 170, 778, 889, 453, 231, 098, 123, 975 }

[write] MD5 and SHA1 hashes:  len = 1725
------------------------------------------------------------
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
------------------------------------------------------------
TP-Processor3, WRITE: TLSv1.2 Handshake, length = 1725
[Raw write]: length = 1730
SESSION KEYGEN:
PreMaster Secret:
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
CONNECTION KEYGEN:
Client Nonce:
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
Server Nonce:
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
Master Secret:
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
... no MAC keys used for this cipher
Client write key:
0000: 11 22 33 44 55 66 77 88   99 aa BB CC BB EE FF aa   2.TY.5....N....1
Server write key:
0000: BB 79 CB 48 88 2C 99 AE   ff 14 AA DD CC 77 70 EF  .y.JU,....v.,RT.
Client write IV:
0000: B7 44 D4 EC                                        .#$.
Server write IV:
0000: EE ED BD AA                                        .22.

*** CertificateVerify
Signature Algorithm SHA256withRSA
[write] MD5 and SHA1 hashes:  len = 264
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------                            
TP-Processor3, WRITE: TLSv1.2 Handshake, length = 264
[Raw write]: length = 269
------------------------------------------------------------
Romoved some log because it is sensitive
------------------------------------------------------------
TP-Processor3, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01                                  ......
*** Finished
verify_data:  { 105, 155, 113, 74, 128, 211, 166, 9, 72, 46, 206, 171 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 22 33 44 66 88 9B BB 4A   80 DD BB 09 AA 2E NN AB  ....p.yK....M...
Padded plaintext before ENCRYPTION:  len = 16
0000: 22 33 44 66 88 9B BB 4A   80 DD BB 09 AA 2E NN AB  ....p.yK....M...
TP-Processor3, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 38 00 00 00   00 00 00 00 00 67 BD 19  ....(........M..
0010: 10 3B A3 99 4A 93 0F DD   53 02 12 EE 66 AA 1F 9F  .;..K...B...f...
0020: 25 43 BB 81 1B 97 BC BA   64 DD 51 53 FF           %C......d.RS.
[Raw read]: length = 5
0000: 15 03 03 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
TP-Processor3, READ: TLSv1.2 Alert, length = 2
TP-Processor3, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
TP-Processor3, called closeSocket()
TP-Processor3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

1 answer in total

锺离鸿
2023-03-14

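I can't tell why it fails, but there are two typical causes in this situation:

  • Your client does not provide the certificate chain for a certificate found in the server's trust store. The client can and should provide the intermediate certificates for client authentication.

  • The extended key usage of the client certificate does not include client authentication.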
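
Both causes named in the answer can be checked against the client side of a javax.net.debug trace. The Python below is an added example, not code from the answer: it reads the chain the client sent after CertificateRequest and flags a leaf-only chain or a leaf whose ExtendedKeyUsages lacks clientAuth. The sample trace and its names are constructed, and the `ExtendedKeyUsages [ ... ]` layout and EKU labels are assumed from the JDK's certificate dump, which the question's log had cut out.

```python
import re

# Constructed sample in the layout of the javax.net.debug output quoted in the
# question; every name in it is a placeholder, not a value from that log.
SAMPLE_LOG = """\
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
chain [0] = [
  Subject: CN=client.example, O=Example Ltd, C=IN
  Issuer: CN=Example Issuing CA, O=Example CA Inc, C=US
ExtendedKeyUsages [
  serverAuth
]
]
***
"""

def _field(name, text):
    m = re.search(rf"^\s*{name}: (.+)$", text, re.M)
    return m.group(1).strip() if m else None

def client_chain(log):
    """Certificates the client sent: the chain logged after CertificateRequest."""
    _, asked, rest = log.partition("*** CertificateRequest")
    _, sent, rest = rest.partition("*** Certificate chain")
    if not (asked and sent):
        return None  # no CertificateRequest, or no client Certificate message
    block = rest.split("\n***", 1)[0]
    certs = []
    for part in re.split(r"^chain \[\d+\] = \[", block, flags=re.M)[1:]:
        eku = re.search(r"ExtendedKeyUsages \[(.*?)\]", part, re.S)
        certs.append({"subject": _field("Subject", part),
                      "issuer": _field("Issuer", part),
                      "eku": eku.group(1).split() if eku else None})  # None: absent or cut
    return certs

def diagnose(log):
    """Findings for the two causes named in the answer, as a list of strings."""
    certs = client_chain(log)
    if not certs:
        return ["client sent no certificate in reply to CertificateRequest"]
    leaf, findings = certs[0], []
    if len(certs) == 1 and leaf["subject"] != leaf["issuer"]:
        findings.append(f"leaf only: server must itself trust '{leaf['issuer']}'")
    # EKU labels as the JDK prints them (assumed): clientAuth, anyExtendedKeyUsage
    if leaf["eku"] is not None and not {"clientAuth", "anyExtendedKeyUsage"} & set(leaf["eku"]):
        findings.append(f"leaf EKU {leaf['eku']} lacks clientAuth")
    return findings
```

An empty result from diagnose() only means the trace shows neither cause; a chain that is complete on the wire can still fail if the server's trust store lacks the root.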
