Java server self-signed certificate + client certificate and SSL handshake_failure(Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure)
问题描述
我正在连接之前成功使用的网络服务,但是现在他们更改了主机名并向我发送了两个 .pem 文件;一个是 CA,另一个是我的新客户端证书.
I'm connecting to a web service which was used before successfully, however now they've changed hostname and sent me two .pem files; one is CA, and other is my new client certificate.
(我正在使用 Java 1.5、Spring + Spring Web Services 和 Apache httpclient,但我怀疑我的问题出在证书、密钥和 SSL 本身.)
(I'm using Java 1.5, Spring + Spring Web Services with Apache httpclient, but I suspect my problem is with certificates, keys and SSL itself.)
我已经导入了两个 .pem 文件,以及我从 Firefox 导出到我的 cacerts 的主机的 .crt.但是,自从我得到这个异常以来,我显然做错了:
I've imported both .pem files, as well as host's .crt which I exported from Firefox into my cacerts. However, I'm obviously doing something wrong since I get this exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
...
当我使用 System.setProperty("javax.net.debug", "all") 打开 SSL 日志记录时,我看到服务器证书被接受,然后在客户端密钥交换之后或期间发生这种情况:
When I turn on SSL logging with System.setProperty("javax.net.debug", "all"), I see that server certificate is accepted and then this happens after or somewhere during client key exchange:
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: D:Central.metadata.pluginsorg.eclipse.wst.server.core mp0wtpwebappsCentraServerWEB-INFclassescacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Sat Jun 26 02:19:54 CEST 1999 until Wed Jun 26 02:19:54 CEST 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000bf
Valid from Wed May 17 16:01:00 CEST 2000 until Sun May 18 01:59:00 CEST 2025
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 18:09:40 CEST 1999 until Sat May 25 18:39:40 CEST 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000b9
Valid from Fri May 12 20:46:00 CEST 2000 until Tue May 13 01:59:00 CEST 2025
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x2
Valid from Fri Mar 26 11:37:00 CET 2010 until Mon Mar 23 11:37:00 CET 2020
adding as trusted cert:
Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Issuer: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 3 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Algorithm: RSA; Serial number: 0x3eb
Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x94778886f4ca92c2
Valid from Fri Mar 26 13:14:36 CET 2010 until Mon Mar 23 13:14:36 CET 2020
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
Valid from Fri Oct 01 02:00:00 CEST 1999 until Thu Jul 17 01:59:59 CEST 2036
adding as trusted cert:
Subject: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-basic@thawte.com, CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jun 29 19:39:16 CEST 2004 until Thu Jun 29 19:39:16 CEST 2034
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x70bae41d10d92934b638ca7b03ccbabf
Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Algorithm: RSA; Serial number: 0x35def4cf
Valid from Sat Aug 22 18:41:51 CEST 1998 until Wed Aug 22 18:41:51 CEST 2018
adding as trusted cert:
Subject: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Issuer: OU=Equifax Secure eBusiness CA-2, O=Equifax Secure, C=US
Algorithm: RSA; Serial number: 0x3770cfb5
Valid from Wed Jun 23 14:14:45 CEST 1999 until Sun Jun 23 14:14:45 CEST 2019
adding as trusted cert:
Subject: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Issuer: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Algorithm: RSA; Serial number: 0x4
Valid from Mon Jun 21 06:00:00 CEST 1999 until Sun Jun 21 06:00:00 CEST 2020
adding as trusted cert:
Subject: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=personal-premium@thawte.com, CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x0
Valid from Mon Jan 01 01:00:00 CET 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1b6
Valid from Fri Aug 14 16:50:00 CEST 1998 until Thu Aug 15 01:59:00 CEST 2013
adding as trusted cert:
Subject: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0xcdba7f56f0dfe4bc54fe22acb372aa55
Valid from Mon Jan 29 01:00:00 CET 1996 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Issuer: EMAILADDRESS=certificate@trustcenter.de, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter for Security in Data Networks GmbH, L=Hamburg, ST=Hamburg, C=DE
Algorithm: RSA; Serial number: 0x3ea
Valid from Mon Mar 09 12:59:59 CET 1998 until Sat Jan 01 12:59:59 CET 2011
adding as trusted cert:
Subject: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Algorithm: RSA; Serial number: 0x1a3
Valid from Sat Feb 24 00:01:00 CET 1996 until Fri Feb 24 00:59:00 CET 2006
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389b113c
Valid from Fri Feb 04 18:20:00 CET 2000 until Tue Feb 04 18:50:00 CET 2020
adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x7dd9fe07cfa81eb7107967fba78934c6
Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028
adding as trusted cert:
Subject: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Issuer: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
Algorithm: RSA; Serial number: 0x1
Valid from Thu Aug 01 02:00:00 CEST 1996 until Fri Jan 01 00:59:59 CET 2021
adding as trusted cert:
Subject: CN=Emporion CA, DC=emporion, DC=hr
Issuer: CN=Emporion CA, DC=emporion, DC=hr
Algorithm: RSA; Serial number: 0x52fbeae95112b2aa48647da355f35330
Valid from Thu Dec 14 08:53:07 CET 2006 until Wed Dec 14 08:55:04 CET 2011
adding as trusted cert:
Subject: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Algorithm: RSA; Serial number: 0x2ad667e4e45fe5e576f3c98195eddc0
Valid from Wed Nov 09 01:00:00 CET 1994 until Fri Jan 08 00:59:59 CET 2010
adding as trusted cert:
Subject: EMAILADDRESS=aw@ypsilon.net, CN=adriatic, O=ypsilon.net ag, L=Frankfurt, C=DE
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Algorithm: RSA; Serial number: 0x3c
Valid from Thu Jan 13 16:07:12 CET 2011 until Sun Jan 12 16:07:12 CET 2014
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
Algorithm: RSA; Serial number: 0x380391ee
Valid from Tue Oct 12 21:24:30 CEST 1999 until Sat Oct 12 21:54:30 CEST 2019
adding as trusted cert:
Subject: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
Algorithm: RSA; Serial number: 0x389ef6e4
Valid from Mon Feb 07 17:16:40 CET 2000 until Fri Feb 07 17:46:40 CET 2020
[snip more irrelevant cerificates]
adding as trusted cert:
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x4cc7eaaa983e71d39310f83d3a899192
Valid from Mon May 18 02:00:00 CEST 1998 until Wed Aug 02 01:59:59 CEST 2028
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
http-8080-Processor25, setSoTimeout(90000) called
http-8080-Processor25, setSoTimeout(90000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1295536786 bytes = { 74, 39, 25, 138, 201, 29, 231, 172, 208, 86, 159, 87, 97, 159, 118, 69, 60, 76, 126, 1, 3, 113, 32, 74, 124, 197, 227, 100 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 4D 38 53 92 4A 27 19 8A C9 1D ...E..M8S.J'....
...
0040: 03 00 08 00 14 00 11 01 00 .........
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
...
0060: E3 64 .d
http-8080-Processor25, WRITE: SSLv2 client hello message, length = 98
[Raw write]: length = 100
0000: 80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 .b....9... .....
...
0060: 7C C5 E3 64 ...d
[Raw read]: length = 5
0000: 16 03 01 00 4A ....J
[Raw read]: length = 74
0000: 02 00 00 46 03 01 4D 38 53 92 91 2B 9B 04 40 75 ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00 04 00 ..c...x...
http-8080-Processor25, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1295536786 bytes = { 145, 43, 155, 4, 64, 117, 29, 20, 155, 104, 148, 67, 38, 191, 176, 32, 226, 210, 15, 208, 38, 62, 186, 93, 161, 102, 98, 43 }
Session ID: {170, 186, 169, 17, 103, 4, 99, 63, 183, 238, 23, 232, 183, 145, 193, 146, 7, 27, 157, 237, 100, 139, 163, 244, 30, 207, 128, 99, 17, 131, 239, 120}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 01 4D 38 53 92 91 2B 9B 04 40 75 ...F..M8S..+..@u
...
0040: CF 80 63 11 83 EF 78 00 04 00 ..c...x...
[Raw read]: length = 5
0000: 16 03 01 05 62 ....b
[Raw read]: length = 1378
0000: 0B 00 05 5E 00 05 5B 00 02 A4 30 82 02 A0 30 82 ...^..[...0...0.
...
0550: 62 FB DE A4 74 87 D9 2A 2B 2F AF 31 22 97 4A F6 b...t..*+/.1".J.
0560: B8 9F ..
http-8080-Processor25, READ: TLSv1 Handshake, length = 1378
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
public exponent: 65537
Validity: [From: Fri Mar 26 11:37:00 CET 2010,
To: Mon Mar 23 11:37:00 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 02]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V..
...
]
chain [1] = [
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 103786554737956184369138386227517475430156404603922533481712260490997247291004352385079204978431207687092828117962473600295977103686791448953158848873575487907656378655168840104433047747570602454550203304683174555325033654946526304210710782190667961616217273402229863778090825217190222869236148684215668636483
public exponent: 65537
Validity: [From: Fri Mar 26 13:14:36 CET 2010,
To: Mon Mar 23 13:14:36 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 94778886 f4ca92c2]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 86 EE 6C 03 20 76 E5 0C C7 1D E5 44 60 C0 D0 40 ..l. v.....D`..@
...
]
***
Found trusted certificate:
[
[
Version: V1
Subject: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net, OU=enxi.norrisdata.net, O=ypsilon.net ag, L=Frankfurt, C=DE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 105158323961649143261675059370957210288137897982882368398075567460896421730512351351129218695072925445303830065152794594929017968110838209795249871435238567060656353603426816451022832577131638028495007888967083020723809918589055189033188525472465535607293377867184162059586888049098196531889988723950292830313
public exponent: 65537
Validity: [From: Fri Mar 26 11:37:00 CET 2010,
To: Mon Mar 23 11:37:00 CET 2020]
Issuer: EMAILADDRESS=aw@ypsilon.net, CN=enxi.norrisdata.net-ca, OU=Certificate Authority, O=ypsilon.net ag, L=Frankfurt, C=DE
SerialNumber: [ 02]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 3A F3 91 84 EA B1 CF 28 7B 52 EC 50 34 56 CB A5 :......(.R.P4V..
...
]
[read] MD5 and SHA1 hashes: len = 1378
0000: 0B 00 05 5E 00 05 5B 00 02 A4 30 82 02 A0 30 82 ...^..[...0...0.
...
[Raw read]: length = 5
0000: 16 03 01 00 0E .....
[Raw read]: length = 14
0000: 0D 00 00 06 03 01 02 40 00 00 0E 00 00 00 .......@......
http-8080-Processor25, READ: TLSv1 Handshake, length = 14
*** CertificateRequest
Cert Types: RSA, DSS, Type-64,
Cert Authorities:
[read] MD5 and SHA1 hashes: len = 10
0000: 0D 00 00 06 03 01 02 40 00 00 .......@..
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 171, 173, 40, 115, 135, 189, 1, 133, 123, 112, 14, 101, 81, 12, 110, 67, 184, 222, 191, 39, 146, 61, 195, 70, 149, 67, 178, 129, 141, 29, 160, 92, 198, 213, 71, 6, 35, 92, 141, 155, 111, 161, 88, 150, 14, 217 }
[write] MD5 and SHA1 hashes: len = 141
0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 2F 50 23 ............./P#
...
0080: 32 A0 09 CB 0E AE 42 4F 25 7A AE 41 DF 2.....BO%z.A.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 141
[Raw write]: length = 146
0000: 16 03 01 00 8D 0B 00 00 03 00 00 00 10 00 00 82 ................
...
0090: 41 DF A.
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 AB AD 28 73 87 BD 01 85 7B 70 0E 65 51 0C ....(s.....p.eQ.
0010: 6E 43 B8 DE BF 27 92 3D C3 46 95 43 B2 81 8D 1D nC...'.=.F.C....
0020: A0 5C C6 D5 47 06 23 5C 8D 9B 6F A1 58 96 0E D9 ...G.#..o.X...
CONNECTION KEYGEN:
Client Nonce:
0000: 4D 38 53 92 4A 27 19 8A C9 1D E7 AC D0 56 9F 57 M8S.J'.......V.W
0010: 61 9F 76 45 3C 4C 7E 01 03 71 20 4A 7C C5 E3 64 a.vE<L...q J...d
Server Nonce:
0000: 4D 38 53 92 91 2B 9B 04 40 75 1D 14 9B 68 94 43 M8S..+..@u...h.C
0010: 26 BF B0 20 E2 D2 0F D0 26 3E BA 5D A1 66 62 2B &.. ....&>.].fb+
Master Secret:
0000: 13 9A 7A E6 A0 60 FA 39 20 54 B1 5B 11 C0 1C 8E ..z..`.9 T.[....
0010: 0C 1E DD 6D 81 F3 87 BB 55 C5 04 5E EF 92 9D 56 ...m....U..^...V
0020: F8 A5 BE 3C 63 41 49 5D 28 C6 CB 39 2B AC 2B 01 ...<cAI](..9+.+.
Client MAC write Secret:
0000: C6 9B B2 39 8A B2 0D 8E D2 4F ED 8B 41 2A 5E 24 ...9.....O..A*^$
Server MAC write Secret:
0000: 0F EC E3 F0 A0 23 B0 06 3A E1 27 17 51 D5 63 D4 .....#..:.'.Q.c.
Client write key:
0000: 84 00 3C F3 A6 64 8B FC EC 24 34 E5 98 37 2D 4B ..<..d...$4..7-K
Server write key:
0000: 15 71 17 98 7F BF 96 CF B5 84 0D 27 53 92 FA D6 .q.........'S...
... no IV for cipher
http-8080-Processor25, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01 ......
*** Finished
verify_data: { 242, 229, 163, 78, 24, 68, 97, 187, 238, 159, 79, 121 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C F2 E5 A3 4E 18 44 61 BB EE 9F 4F 79 .......N.Da...Oy
Padded plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C F2 E5 A3 4E 18 44 61 BB EE 9F 4F 79 .......N.Da...Oy
0010: 7D 95 FF FE 93 4D C5 18 4B C0 DD 31 EB 12 39 DF .....M..K..1..9.
http-8080-Processor25, WRITE: TLSv1 Handshake, length = 32
[Raw write]: length = 37
0000: 16 03 01 00 20 43 6D 0D E1 CD D5 D7 7A 9C 25 61 .... Cm.....z.%a
0010: 1A 58 2C E4 3E 18 EB B1 C9 80 9C C5 E7 30 E5 23 .X,.>........0.#
0020: 6E 10 C9 2A AE n..*.
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
http-8080-Processor25, READ: TLSv1 Alert, length = 2
http-8080-Processor25, RECV TLSv1 ALERT: fatal, handshake_failure
http-8080-Processor25, called closeSocket()
http-8080-Processor25, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
http-8080-Processor25, called close()
http-8080-Processor25, called closeInternal(true)
这是什么意思?消息no IV for cipher"是什么意思?
What does this mean? What is the meaning of the message "no IV for cipher"?
经过一番调查,我发现了一个愚蠢的错误 - 因为 javax.net.ssl.keyStore 属性设置不正确,所以根本没有加载密钥库.但是,现在我得到连接重置异常,我仍然得到没有密码的 IV"......所以我再次问基本相同的问题 这里.
After a bit of investigating, I found a stupid error - keystore wasn't getting loaded at all since javax.net.ssl.keyStore property wasn't set correctly. However, now I get connection reset exception and I still get "no IV for cipher"... so I'm asking basically the same question again here.
推荐答案
no IV for cipher 表示正在使用的密码不需要 IV(RC4 就是这样一种密码,而且很可能是在这里选择).
no IV for cipher indicates that the cipher in use does not require an IV (RC4 is one such cipher, and likely the one chosen here).
编辑根据 GregS 的评论,这个 handshake_failure
可能是由于服务器请求客户端身份验证,而客户端未能提供证书.
Edit Per GregS's comment, this a handshake_failure
could be caused by the server requesting client authentication, and the client failing to provide a certificate.
这篇关于Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:Java 服务器自签名证书 + 客户端证书和 SSL handshake_failure
基础教程推荐
- 由于对所需库 rt.jar 的限制,对类的访问限制? 2022-01-01
- 如何使用 Eclipse 检查调试符号状态? 2022-01-01
- 在螺旋中写一个字符串 2022-01-01
- 如何使用 Stream 在集合中拆分奇数和偶数以及两者的总和 2022-01-01
- Java 中保存最后 N 个元素的大小受限队列 2022-01-01
- 如何在不安装整个 WTP 包的情况下将 Tomcat 8 添加到 Eclipse Kepler 2022-01-01
- 首次使用 Hadoop,MapReduce Job 不运行 Reduce Phase 2022-01-01
- 如何对 HashSet 进行排序? 2022-01-01
- Spring Boot Freemarker从2.2.0升级失败 2022-01-01
- 如何强制对超级方法进行多态调用? 2022-01-01