I wrote a Java JAX-WS web service client. When I try to access a server that uses a certificate signed by a public CA, I get an SSL handshake exception:
Here is part of the SSL debug trace:
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
[ omitted]
adding as trusted cert:
Subject: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x401ac46421b31321030ebbe4121ac51d
Valid from Tue Apr 01 17:00:00 PDT 2008 until Tue Dec 01 15:59:59 PST 2037
[ omitted]
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1468680588 bytes =
Session ID: {}
Cipher Suites: [ ... ]
Compression Methods: { 0 }
Extension elliptic_curves, curve names:
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: redacted]
***
[write] MD5 and SHA1 hashes: len = 181
[omitted]
*** ServerHello, TLSv1
RandomCookie: GMT: 1524806833
Session ID:
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
%% Initialized: [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
** TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[read] MD5 and SHA1 hashes: len = 85
[omitted]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=redacted, OU=redacted, O=redacted, L=redacted, ST=redacted, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus:
public exponent: 65537
Validity: [From: Sun Oct 16 17:00:00 PDT 2016,
To: Thu Nov 02 16:59:59 PDT 2017]
Issuer: CN=Symantec Class 3 Secure Server SHA256 SSL CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SerialNumber: [ ... ]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
[omitted]
***
%% Invalidated: [Session-1, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 2E .......
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException:
Does anyone have a suggestion as to what is causing this?
"unable to find valid certification path to requested target"
means the client does not trust the server certificate. The reason:
I have checked that Symantec Class 3 Secure Server SHA256 SSL CA
is issued by VeriSign Universal Root Certification Authority
(see the Symantec page).
1. Verify that the intermediate CA really is Symantec Class 3 Secure Server SHA256 SSL CA,
serial number 69 87 94 19 d9 e3 62 70 74 9d bb e5 9d c6 68 5e.
2. If step 1 turns up an error, download the Symantec cert (from the link above) and import it into your trust store.
3. If the intermediate certificate is not the expected Symantec certificate, obtain the root CA and import it into the truststore.
The SSL server must present its certificate and the chain (excluding the root). The trust manager checks the certification chain from leaf to root. If any certificate in it is found in the trust store, that certificate is "trusted" (even if it has expired ...).
You should have the root CA in the trust store, not the leaf CA.
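An added example to go with the answer above, and with the related question below about how Java matches the server's certificate against the trust store. This is my own openssl script, not code from the question or the answer; the CA names ("Example Root CA", "Example Intermediate CA") and the host name (svc.example.test) are made up. It builds a root, an intermediate and a leaf, then runs openssl verify for the three situations the answer describes: only the root is trusted and the server sends just its leaf (fails with "unable to get local issuer certificate", the openssl counterpart of Java's "unable to find valid certification path to requested target"); the root is trusted and the server also sends the intermediate (passes); and the intermediate itself has been imported into the trust store (passes). In the JDK's PKIX trust manager every truststore entry is a trust anchor, self-signed or not, and the chain is assembled by matching each certificate's issuer name to a candidate's subject name and checking the signature with that candidate's public key; openssl only accepts a non-self-signed anchor with -partial_chain, which the helper passes so the results line up with Java.

```shell
#!/bin/sh
# Added example (openssl, not code from the original question or answer).
# Builds a throwaway root -> intermediate -> leaf PKI with made-up names
# and checks which trust-store / server-chain combinations validate.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Generate root.pem, int.pem and leaf.pem into $WORK (once). Non-zero on failure.
make_pki() {
    [ -f "$WORK/leaf.pem" ] && return 0
    # Root CA: self-signed, the kind of entry that lives in cacerts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    # Intermediate CA: CSR signed by the root. openssl only uses a cert as an
    # issuer if it carries basicConstraints CA:TRUE, hence the extfile.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        >"$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1825 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
    # Leaf: the server certificate, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:svc.example.test\n' \
        >"$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=svc.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# Echo OK or FAIL for validating leaf.pem. $1 plays the trust store; $2, if
# given, plays the extra certificates the server sends with its own cert.
# -partial_chain makes openssl accept a non-self-signed trust-store entry as
# an anchor, which is what the JDK's PKIX trust manager does by default.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -partial_chain -CAfile "$1" -untrusted "$2" \
            "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -partial_chain -CAfile "$1" \
            "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# Step 1 of the answer: print the intermediate's subject, issuer and serial
# (compare them with the CA's published values) and confirm the root really
# signed it. The last line printed is OK or FAIL.
check_intermediate() {
    openssl x509 -in "$WORK/int.pem" -noout -subject -issuer -serial
    openssl verify -CAfile "$WORK/root.pem" "$WORK/int.pem" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

if make_pki; then
    echo "root in trust store, server sends leaf only:           $(verify_leaf "$WORK/root.pem")"
    echo "root in trust store, server sends leaf + intermediate: $(verify_leaf "$WORK/root.pem" "$WORK/int.pem")"
    echo "intermediate in trust store, server sends leaf only:   $(verify_leaf "$WORK/int.pem")"
    check_intermediate
    echo "certificates left in $WORK for inspection"
fi

# Against the real server (not run here), see exactly which certificates it sends:
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
# and to add the missing CA to the JDK trust store named in the trace above:
#   keytool -importcert -alias symantec-class3 -file intermediate.pem \
#       -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
```

Run it with sh; it needs only openssl 1.0.2 or newer and leaves the generated files in $WORK (a mktemp directory unless you set WORK) so you can inspect them. The first line of output is the case the trace in the question looks like: the trust store already holds the root (the VeriSign Universal Root entry is visible in the "adding as trusted cert" lines), so if the server presents only chain [0], the client has nothing to link the leaf to that root and sends certificate_unknown. Either the server starts sending the intermediate, or the intermediate is imported into the client's trust store as in step 2.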
Suppose I have a Java client application that tries to connect to a server (example.com) over https. The client application has a JKS trust store that holds the server's certificate and some other certificates. During the handshake, when the server sends its certificate to this client application, how is the right certificate picked out of the JKS trust store? I.e., based on which parameters does Java match the certificate sent by the server with the certificates stored in the JKS?
I created a Docker image with Open Liberty and hosted my custom application in Azure as a Web App service. Everything works, except when I try to access another controller hosted on Azure (https://mycontrollerurl.azurewebsites.net/....). I do see an error in the logs: - [ERROR] CWPKI0022E: SSL handshake failure: SubjectDN CN=*.azurewebs
I am trying to do this in Java, but I think it is a general certificate question. I have a root CA, an intermediate CA1 issued by the root CA, an intermediate CA2 issued by intermediate CA1, and a certificate issued by intermediate CA2. RootCA- Is it possible to validate the certificate via interCA1 without knowing interCA2?
1.1. Get a free SSL certificate via Let's Encrypt During Skill development, the third step is to fill in the https service address. At present we support certificates from most mainstream root certificate authorities (CAs) (there may of course be some omissions; you can remind us on the forum); private certificates are not yet supported and will be opened up in the future. Understandably, most CAs, for validation and profit reasons, require the website owner to
Question: I am connecting to a web service that I have used successfully before, but now they have changed the hostname and sent me two .pem files. One is the CA and the other is my new client certificate. (I am using Java 1.5, Spring + Spring Web Services with Apache httpclient, but I suspect my problem is with the certificates, keys and SSL itself.) I have imported the .pem files into cacerts, along with the host's .c
I am learning about SSL communication and ran into this problem. I am writing a simple client that tries to handshake with a local Apache server. The server has https enabled. I added the server certificate to every possible trust store (the one in the JDK Note: I took the code from the following tutorial: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KRB Stuck