问题:
ssl握手失败soap
秦楚
我通过受ssl v3保护的cxf使用soap服务。我从服务器下载.cer文件,并通过keytool使用以下指令创建JKS文件:
keytool -import -v -file iban.cer -keystore iban.jks
在java代码中,我将此代码用于客户端配置:
public void configureSSLOnTheClient(Object c) {
org.apache.cxf.endpoint.Client client = ClientProxy.getClient(c);
HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
File truststore = new File("jks/iban.jks");
try {
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.setDisableCNCheck(true);
KeyStore keyStore = KeyStore.getInstance("JKS");
String trustpass = "password";
keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
log.info("Trust Manager Type:"+TrustManagerFactory.getDefaultAlgorithm());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
TrustManager[] tm = trustFactory.getTrustManagers();
tlsParams.setTrustManagers(tm);
keyStore.load(new FileInputStream(truststore), trustpass.toCharArray());
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(keyStore, trustpass.toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
tlsParams.setKeyManagers(km);
FiltersType filter = new FiltersType();
filter.getInclude().add(".*_EXPORT_.*");
filter.getInclude().add(".*_EXPORT1024_.*");
filter.getInclude().add(".*_WITH_DES_.*");
filter.getInclude().add(".*_WITH_NULL_.*");
filter.getExclude().add(".*_DH_anon_.*");
tlsParams.setCipherSuitesFilter(filter);
httpConduit.setTlsClientParameters(tlsParams);
} catch (KeyStoreException kse) {
log.info("Security configuration failed with the following: KeyStoreException " + kse.getCause());
kse.printStackTrace();
} catch (NoSuchAlgorithmException nsa) {
log.info("Security configuration failed with the following: NoSuchAlgorithmException" + nsa.getCause());
nsa.printStackTrace();
} catch (FileNotFoundException fnfe) {
log.info("Security configuration failed with the following: FileNotFoundException" + fnfe.getCause());
} catch (UnrecoverableKeyException uke) {
log.info("Security configuration failed with the following: UnrecoverableKeyException" + uke.getCause());
} catch (CertificateException ce) {
log.info("Security configuration failed with the following: CertificateException" + ce.getCause());
} catch (GeneralSecurityException gse) {
log.info("Security configuration failed with the following: GeneralSecurityException" + gse.getCause());
} catch (IOException ioe) {
log.info("Security configuration failed with the following: IOException" + ioe.getCause());
}
}
对于调用此代码的服务:
String address = "https://xxxxxxxxxx/IBANSpecEnquiry/IBANSpec?wsdl";
JaxWsProxyFactoryBean proxyFactory = new JaxWsProxyFactoryBean();
proxyFactory.setServiceClass(IBANEnquirySpec.class);
proxyFactory.setAddress(address);
IBANEnquirySpec client = (IBANEnquirySpec) proxyFactory.create();
configureSSLOnTheClient(client);
Message04 message04 = client.getIBANSpec(message01);
当我运行代码时,会发生此错误:
Interceptor for {http://WebServices/}IBANEnquirySpecService#{http://WebServices/}getIBANSpec has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingIntercept or.handleMessage(MessageSenderInterceptor.java:64)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:136)
at com.sun.proxy.$Proxy143.getIBANSpec(Unknown Source)
at ir.tejaratBank.service.impl.IBANClientManagerImpl.getIBANSpec(IBANClientManagerImpl.java:259)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
.
.
.
.
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://192.168.65.118:443/IBANSpecEnquiry/IBANSpec?wsdl: Received fatal alert: handshake_failure
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1347)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1331)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:632)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 128 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1290)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1246)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1303)
... 131 more
我搜索此错误,我意识到该错误是针对不良信任存储的。但我不知道如何生成正确的信任库。
共有2个答案
惠志
该错误并不总是表示信任库问题。如果您使用的是Java 8,SSLv3可能会因为试图避免POODLE攻击而被禁用。
参见这篇相关的文章:如何在Java中启用SSL 3
高吉星
要生成信任存储,请尝试使用以下方法:
keytool -import -alias youralias -file [path to certificate]/iban.cer -keystore [path to truststore.jks]/truststore.jks -storetype JKS
但更好的方法是不使用所有这些ssl配置,而是使用以下方法将证书导入java cacerts信任存储:
keytool -import -v -file iban.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -alias youralias
类似资料:
-
我正在学习SSL通信,我遇到了这个问题。我正在编写一个简单的客户端,它试图与本地apache服务器握手。服务器启用https。我将服务器证书添加到所有可能的信任存储(jdk中的一个 注意:我从以下教程中获取了代码: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KRB 停留
-
问题内容: 我正在尝试将Jenkins CI配置为对我们的项目执行持续集成,并且无法使其通过https连接到我们的SVN存储库。每当我尝试配置存储库URL并尝试连接时,都会遇到以下异常: 我在tomcat实例上启用了SSL调试(使用),并得到了以下信息: 我尝试按照这篇文章中的说明在tomcat中添加属性,但仍然出现相同的错误。 在这一点上,我对发生的事情完全感到困惑。不幸的是,我不是完全了解SS
-
问题内容: 我已经将证书导入到信任库中,但是仍然无法成功连接到该URL。我已经尝试了所有方法,任何人都可以看到输出并提供帮助吗? 无法弄清楚这是什么,应用程序正在使用java1.6,但是SSLPoke无法通过两种情况 问题答案: 我发现客户也进行了验证。因此它是2路身份验证。客户还必须将我的公共证书导入其密钥库。
-
iOS 9 beta 1版有人遇到过这个问题吗? 我使用标准的NSURLConnection连接到一个Web服务,一旦调用该Web服务,我就会得到以下错误。这项功能目前在iOS 8.3中运行 可能是beta bug?任何想法都会很棒!我知道这是iOS 9开发的早期阶段 以下是完整的错误: CFNetwork SSL握手失败(-9824)NSURL会话/NSURLConnection HTTP加载失
-
问题内容: 每次我尝试做: 我收到此消息: 我尝试了一切: 更新我的要求 更新我的SSL 但没有任何变化。 我正在使用Python 2.7.6,无法更改此设置。 问题答案: 我最终解决了问题,将Ubuntu版本从14.04更新为14.10,问题已解决。 但是在旧版本的ubuntu和python中,我安装了这些lib,它似乎解决了所有问题 如果您没有安装pip2.7,则可以改用pip
-
我正在尝试在我的Kafka服务器上启用SSL身份验证。我在Kafka文档中遵循7.2节。 遵循了所有步骤,但是当调用Producer.bat文件将数据发送到主题时,我得到了下面的错误。