问题:
javax。网ssl。SSLProtocolException:握手消息序列冲突,2
贺劲
我正在尝试通过XMPP协议建立一个TLS安全(带有客户端身份验证)连接。我使用的是标准端口,而不是专用SSL端口,这显然是不推荐的。startTLS过程永远不会完成握手。
我收到:javax。网ssl。SSLProtocolException:握手消息序列冲突,2
调试摘录显示我的客户端收到来自服务器的意外消息。证书请求是从服务器发送的,但CA列表为空。
是否有很多事情会导致这种握手违规(2)?什么可能导致服务器不发送在其信任库中配置的可接受权限?
谢谢你的洞察力。
更新:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@ PROTOTYPE: TLS client authentication XMPP connection. @@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
USER: 111111
OS: Windows 7
Java: C:\Program Files (x86)\Java\jdk1.8.0_45\jre
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Loading trusted authorities from trust store...
adding as trusted cert:
...(trimmed)
Loading credentials from key store...
***
found key for : Signing Certificate - John K. Doe
chain [0] = [
...(trimmed)
***
Initializing SSL context for TLS...
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@ PROTOTYPE: Built XMPP connection configuration. @@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Connection instantiated.
10:17:24 AM SENT (0): <stream:stream xmlns='jabber:client' to='steerage.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
10:17:24 AM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="steerage.org" id="e7e393bd" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>
10:17:24 AM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
10:17:24 AM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1433793908 bytes = { 4, 180, 17, 97, 147, 6, 68, 124, 234, 40, 155, 145, 132, 27, 164, 29, 175, 239, 139, 23, 14, 133, 162, 215, 44, 220, 241, 2 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=steerage.org]
***
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 239
Smack Packet Reader (0), READ: TLSv1.2 Handshake, length = 3708
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1433793908 bytes = { 238, 60, 108, 5, 104, 190, 219, 147, 215, 187, 195, 89, 114, 224, 165, 213, 141, 48, 112, 176, 129, 42, 78, 190, 196, 119, 143, 101 }
Session ID: {85, 118, 245, 116, 90, 98, 141, 24, 47, 246, 162, 187, 92, 255, 11, 153, 45, 237, 178, 52, 9, 196, 116, 50, 61, 190, 48, 63, 26, 70, 155, 58}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=steerage....(trimmed)
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=TKT Root CA 2, ...(trimmed)
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 16285061615265061295479758192758299168932729034919494399422438099012833644130
public y coord: 91712186275093768179410924600166089746856150468196826634149937267800342978949
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: john.k.doe.1258700011
matching alias: Card Authentication Certificate
matching alias: Authentication Certificate - John K. Doe
matching alias: Encryption Certificate - John K. Doe (Archived) - 12/4/2013
matching alias: doe_john_k@some.com
matching alias: Signing Certificate - John K. Doe
matching alias: Encryption Certificate - John K. Doe
org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWaitOrThrow(SynchronizationPoint.java:97)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:837)
at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:360)
at pke4chat.TestProtoType.main(TestProtoType.java:87)
10:17:29 AM SENT (0): <presence id='c06He-3' type='unavailable'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=John K. Doe, ...(trimmed)
***
*** ECDHClientKeyExchange
ECDH Public value: { 4, 183, 254, 13, 26, 104, 205, 105, 32, 193, 10, 62, 33, 82, 142, 4, 183, 231, 178, 204, 126, 170, 178, 111, 33, 155, 241, 187, 146, 182, 254, 138, 117, 145, 170, 80, 32, 176, 179, 113, 157, 193, 210, 75, 2, 195, 132, 111, 210, 183, 73, 98, 15, 201, 170, 127, 36, 15, 233, 126, 38, 225, 193, 6, 71 }
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 5387
SESSION KEYGEN:
PreMaster Secret:
0000: D3 5B D2 C9 4A AD 9A E6 F4 DE 3C 3C 0B D5 A2 C2 .[..J.....<<....
0010: CA A3 BA BE 2A 50 BA 27 3F 1E D1 34 94 CD 84 A4 ....*P.'?..4....
CONNECTION KEYGEN:
Client Nonce:
0000: 55 76 F5 74 04 B4 11 61 93 06 44 7C EA 28 9B 91 Uv.t...a..D..(..
0010: 84 1B A4 1D AF EF 8B 17 0E 85 A2 D7 2C DC F1 02 ............,...
Server Nonce:
0000: 55 76 F5 74 EE 3C 6C 05 68 BE DB 93 D7 BB C3 59 Uv.t.<l.h......Y
0010: 72 E0 A5 D5 8D 30 70 B0 81 2A 4E BE C4 77 8F 65 r....0p..*N..w.e
Master Secret:
0000: 61 9B 54 1F AB B0 F6 B1 D4 3C F9 79 0E D8 E1 AD a.T......<.y....
0010: 29 3C E1 55 8D EF 2E 8D 13 3B 94 BB 32 5F C8 7F )<.U.....;..2_..
0020: 13 A8 48 B6 C5 0F 50 A4 B5 41 82 C6 A3 F0 41 95 ..H...P..A....A.
Client MAC write Secret:
0000: 42 1B F0 67 9E 1D 81 44 3A 76 8D D1 AD 4D 48 A4 B..g...D:v...MH.
0010: B6 27 70 12 08 FB CF 5D 39 7F 51 05 6D 08 61 F7 .'p....]9.Q.m.a.
Server MAC write Secret:
0000: DD 40 97 24 B0 96 00 A6 CD 49 02 7A 60 75 32 A2 .@.$.....I.z`u2.
0010: 80 41 FD 38 48 06 67 A7 51 E4 44 8E 72 AB 75 C4 .A.8H.g.Q.D.r.u.
Client write key:
0000: DE 5A B7 2D 9D 0F 2F C3 C9 82 D9 EA 88 0D 14 A3 .Z.-../.........
Server write key:
0000: A1 66 08 7C AB 23 56 B9 8F 09 2B 78 67 19 1F BF .f...#V...+xg...
... no IV derived for this protocol
Jun 09, 2015 10:17:34 AM org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter shutdown
WARNING: shutdownDone was not marked as successful by the writer thread
org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter.shutdown(XMPPTCPConnection.java:1265)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:494)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:476)
at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:666)
at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:646)
at pke4chat.TestProtoType.main(TestProtoType.java:105)
main, called close()
main, called closeInternal(true)
*** CertificateVerify
Signature Algorithm SHA512withRSA
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 264
Smack Packet Reader (0), WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 49, 187, 92, 176, 21, 132, 60, 183, 10, 47, 235, 93 }
***
Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 80
main, SEND TLSv1.2 ALERT: warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 64
main, called closeSocket(true)
Smack Packet Writer (0), handling exception: java.net.SocketException: Socket closed
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Smack Packet Writer (0), called closeSocket()
Smack Packet Reader (0), handling exception: java.net.SocketException: Socket closed
共有3个答案
杨飞语
当客户端证书在扩展密钥使用中没有clientAuth时,就会发生此问题。
看见https://security.stackexchange.com/a/84822对于Java,如何在与之交谈的服务器上实现它:https://docs.oracle.com/javase/10/docs/api/javax/net/ssl/X509ExtendedTrustManager.html
贺跃
我认为,这个错误没有通用的解决方案。最好的方法是从头开始,严格按照中提到的步骤进行操作https://kafka.apache.org/documentation/#security_ssl_ca.
我也犯了同样的错误。这是由我的错误造成的——在注册签名CA请求文件的最后一步中,我错过了alias。下面的步骤对我有用。
- name: Generate keystore certificate
command: "keytool -genkey -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -validity 365 -storepass clientpass -keypass clientpass -dname 'CN=broker{{kafka_broker_id}}' -alias client-broker{{kafka_broker_id}} -storetype pkcs12"
# getting signed version of certicate - first step
- name: Certification request certificate
command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -certreq -file /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass"
# output will be signed certificate of kafka broker
- name: Generate keystore certificate
command: "openssl x509 -req -CA /home/vagrant/ssl/ca-cert -CAkey /home/vagrant/ssl/ca-key -in /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -out /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -days 365 -CAcreateserial -passin pass:serversecret"
- name: Import public CA to client keystore
command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -alias CARoot -import -file /home/vagrant/ssl/ca-cert -storepass clientpass -keypass clientpass -noprompt"
- name: Import signed host certificate by CA to keystore.jks
command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -import -file /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass -noprompt"
要使身份验证正确工作,您需要添加信任库-可以使用来自Kafka代理的信任库。
裴俊豪
根据我的经验,当客户端证书过期时会发生此异常。您可以通过以下方式验证您的JKS客户端证书
keytool -list -keystore client.keystore.jks -v
并检查来自。。。到
类似资料:
-
我正在编写一个JMeter测试计划,以连接到SSL端口(Tomcat Connector)。在JDK8(1.8.0_51)上使用三个JMeter SSL客户端实现(HttpClient4、HttpClient3.1、Java)中的任何一个连接到SSL端口时,我会收到一个SSLHandshakeExc0019(handshake_failure)。如果我使用JDK7(1.7。0_75)-一切都像预期
-
我正在运行本地服务器(android应用程序中的嵌入式https服务器),它使用。bks(自签名证书类型)。当android应用程序尝试使用ssl连接时,会出现以下错误。在这里,您还可以看到服务器日志,其中打印了启用的密码套件以及启用的协议。当我尝试使用java执行相同的测试用例时,一切都很好。只是,android出现了问题。任何帮助都将不胜感激。Android 7.0版Min SDK:22
-
我正在尝试使用Spring RestTemplate调用POST Rest调用: 这个https://server.com有证书:webapi。tartu-x86。p12我将证书导入C:\Java_8\jre\lib\security\cacerts usinf keytool 运行代码后,我出现以下错误: 我使用的是Java1.8.091 有人能帮忙吗?
-
我得到一个"异常在线程"主"javax.net.ssl.SSLHandshake异常:收到致命警报:handshake_failure"下面的代码。有人知道如何修复它吗?
-
我正在尝试获得一个在android上工作的相互认证请求。我正在测试我自己的服务器,所以我有一个自签名的CA和客户端证书。 因此,我将不得不考虑不受信任的服务器证书。 以下是我正在做的: 然后使用AsyncWork来执行请求: 我已经在浏览器和iOS客户端上测试了这个请求,但我无法在Android上运行它。 我认为这是允许不受信任的服务器证书的正确方法: 不知道为什么我得到: javax.net.s
-
我正在学习SSL通信,我遇到了这个问题。我正在编写一个简单的客户端,它试图与本地apache服务器握手。服务器启用https。我将服务器证书添加到所有可能的信任存储(jdk中的一个 注意:我从以下教程中获取了代码: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KRB 停留