徹底弄懂“PKIX path building failed”問題

2018-06-18 03:33:32來源:未知 閱讀 ()

容器云強勢上線!快速搭建集群,上萬Linux鏡像隨意使用

SSL的基礎知識

SSL的全稱是Secure Socket Layer。它的通信流程如下圖所示,客戶端與服務端會通過幾次通信,通過非對稱加密創建出一個加密密鑰,用于以后的對稱信息加密。

1,客戶端明文向服務器打招呼,告訴服務器自己支持的加密算法、隨機數A;

2,服務器明文返回給客戶端自己的證書和另外一個隨機數B;

3,客戶端驗證收到的證書。驗證通過則使用這個證書的公鑰加密一個密碼發送給服務器;

4,服務器通過自己的私鑰解密客戶端發送過來的密碼;

5,服務器使用這個密碼進行對稱加密通信。

 

重點:用-Djavax.net.debug=all跟蹤調試,確定對的證書

任何一個環節出錯,都可能出現下面的錯誤:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

用-Djavax.net.debug=all來開啟調試信息的輸出,SSL的握手過程一目了然:

2018-02-01 17:05:24 --INFO-- ***Helper : https://xxx.xxx.com:8443/***/ws/***Service
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
%% Try resuming [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA] from port 12371
##客戶端跟服務器第一次打招呼##
*** ClientHello, TLSv1 
RandomCookie:  GMT: 1517410388 bytes = { 95, 120, 132, 216, 69, 34, 205, 73, 133, 30, 240, 178, 37, 187, 228, 127, 73, 149, 1, 216, 19, 3, 35, 236, 29, 111, 125, 132 }
Session ID:  {248, 40, 73, 62, 46, 20, 43, 249, 49, 73, 148, 196, 222, 200, 202, 68, 221, 241, 33, 57, 128, 93, 149, 1, 7, 112, 248, 66, 173, 203, 187, 1}
##支持的加密算法##
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: idmtest.dcpc.com]
***
[write] MD5 and SHA1 hashes:  len = 220
0000: 01 00 00 D8 03 01 5A 72   D8 54 5F 78 84 D8 45 22  ......Zr.T_x..E"
0010: CD 49 85 1E F0 B2 25 BB   E4 7F 49 95 01 D8 13 03  .I....%...I.....
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 220
[Raw write]: length = 225
0000: 16 03 01 00 DC 01 00 00   D8 03 01 5A 72 D8 54 5F  ...........Zr.T_
0010: 78 84 D8 45 22 CD 49 85   1E F0 B2 25 BB E4 7F 49  x..E".I....%...I
...

[Raw read]: length = 5
0000: 16 03 01 06 22                                     ...."
[Raw read]: length = 1570
0000: 02 00 00 46 03 01 5A 72   63 4E F2 CF 4B 0F CE 58  ...F..ZrcN..K..X
0010: 0E EF 36 D4 F3 3E C0 85   AD 6D 4B 8D DB CA FB 77  ..6..>...mK....w
0020: 80 B3 A1 D2 A7 90 20 D5   A6 FD 6E A7 FF 5A D4 DF  ...... ...n..Z..
...

DefaultQuartzScheduler_Worker-3, READ: TLSv1 Handshake, length = 1570

##服務器響應
*** ServerHello, TLSv1
RandomCookie:  GMT: 1517445966 bytes = { 242, 207, 75, 15, 206, 88, 14, 239, 54, 212, 243, 62, 192, 133, 173, 109, 75, 141, 219, 202, 251, 119, 128, 179, 161, 210, 167, 144 }
Session ID:  {213, 166, 253, 110, 167, 255, 90, 212, 223, 9, 221, 44, 82, 61, 249, 50, 79, 110, 177, 174, 106, 198, 101, 47, 213, 191, 119, 128, 106, 200, 188, 1}
##服務器選定的加密算法
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-8, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
[read] MD5 and SHA1 hashes:  len = 74
0000: 02 00 00 46 03 01 5A 72   63 4E F2 CF 4B 0F CE 58  ...F..ZrcN..K..X
0010: 0E EF 36 D4 F3 3E C0 85   AD 6D 4B 8D DB CA FB 77  ..6..>...mK....w
...

##服務器返回給客戶端的證書鏈,證明“我是我”
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.****.com, ST=北京市, L=北京市, O=***公司, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 256891288892062675553247103925...
  public exponent: 65537
  Validity: [From: Wed May 17 16:15:30 CST 2017,
               To: Fri May 15 16:15:30 CST 2020]
  Issuer: CN=WoSign OV SSL CA, O=WoSign CA Limited, C=CN
  SerialNumber: [    363fa17d 5c46082c dc707c24 6a8d81b2]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [[
   accessMethod: ocsp
   accessLocation: URIName: http://wosign-ovca.ocsp-certum.com, 
   accessMethod: caIssuers
   accessLocation: URIName: http://repository.certum.pl/wosign-ovca.cer]]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A1 13 54 DC 56 73 2C 27   82 CA C8 84 EF EE BF 00  ..T.Vs,'........
0010: FD 5F AB 56                                        ._.V
]]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://wosign.crl.certum.pl/wosign-ovca.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
  [CertificatePolicyId: [1.2.616.1.113527.2.5.1.12.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 
0000: 30 81 E4 30 1F 16 18 41   73 73 65 63 6F 20 44 61  0..0...Asseco Da
0010: 74 61 20 53 79 73 74 65   6D 73 20 53 2E 41 2E 30  ta Systems S.A.0
...

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.dcpc.com
  DNSName: dcpc.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 A6 53 AD 96 D8 B7 51   09 D5 E1 07 E5 B2 BC E6  ..S....Q........
0010: B5 F2 82 2B                                        ...+
]]]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 9A 38 A4 8F B2 A8 CE 9A   B6 98 2F 8F 18 AA 45 79  .8......../...Ey
0010: DE D6 31 22 99 6E D7 14   45 5E C1 1F 06 EC 7F C9  ..1".n..E^......
...

]
***
==客戶端從本地找到的信賴證書(如果找不到會直接報certificate_unknow)==
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=*.****.com, ST=北京市, L=北京市, O=****公司, C=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 2568912888920626755532471039254124....
  public exponent: 65537
  Validity: [From: Wed May 17 16:15:30 CST 2017,
               To: Fri May 15 16:15:30 CST 2020]
  Issuer: CN=WoSign OV SSL CA, O=WoSign CA Limited, C=CN
  SerialNumber: [    363fa17d 5c46082c dc707c24 6a8d81b2]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://wosign-ovca.ocsp-certum.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://repository.certum.pl/wosign-ovca.cer
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A1 13 54 DC 56 73 2C 27   82 CA C8 84 EF EE BF 00  ..T.Vs,'........
0010: FD 5F AB 56                                        ._.V
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://wosign.crl.certum.pl/wosign-ovca.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
  [CertificatePolicyId: [1.2.616.1.113527.2.5.1.12.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 
0000: 30 81 E4 30 1F 16 18 41   73 73 65 63 6F 20 44 61  0..0...Asseco Da
0010: 74 61 20 53 79 73 74 65   6D 73 20 53 2E 41 2E 30  ta Systems S.A.0
...

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.dcpc.com
  DNSName: dcpc.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 A6 53 AD 96 D8 B7 51   09 D5 E1 07 E5 B2 BC E6  ..S....Q........
0010: B5 F2 82 2B                                        ...+
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 9A 38 A4 8F B2 A8 CE 9A   B6 98 2F 8F 18 AA 45 79  .8......../...Ey
0010: DE D6 31 22 99 6E D7 14   45 5E C1 1F 06 EC 7F C9  ..1".n..E^......
...

]
[read] MD5 and SHA1 hashes:  len = 1492
0000: 0B 00 05 D0 00 05 CD 00   05 CA 30 82 05 C6 30 82  ..........0...0.
0010: 04 AE A0 03 02 01 02 02   10 36 3F A1 7D 5C 46 08  .........6?..\F.
...

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes:  len = 262
0000: 10 00 01 02 01 00 85 BD   72 17 92 EA 05 0F 0A BD  ........r.......
0010: 90 92 72 51 08 0F 6E 29   C4 A2 F0 D2 BA 78 0B A0  ..rQ..n).....x..
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 262
[Raw write]: length = 267
0000: 16 03 01 01 06 10 00 01   02 01 00 85 BD 72 17 92  .............r..
0010: EA 05 0F 0A BD 90 92 72   51 08 0F 6E 29 C4 A2 F0  .......rQ..n)...
...
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 80 92 4B 03 FA 1D   39 CE F4 82 3D 4A 96 A7  ....K...9...=J..
...
CONNECTION KEYGEN:
Client Nonce:
0000: 5A 72 D8 54 5F 78 84 D8   45 22 CD 49 85 1E F0 B2  Zr.T_x..E".I....
...
Server Nonce:
0000: 5A 72 63 4E F2 CF 4B 0F   CE 58 0E EF 36 D4 F3 3E  ZrcN..K..X..6..>
...
Master Secret:
0000: 93 05 C4 97 B7 FB 23 5F   11 15 8A 8E 2C C1 C7 72  ......#_....,..r
...
Client MAC write Secret:
0000: 22 84 BA CD 61 27 D9 62   5F 84 FA 7A DF 05 DE 0A  "...a'.b_..z....
...
Server MAC write Secret:
0000: D2 AC 73 AC CE F2 D2 00   31 E6 4F 8A DE E3 97 8D  ..s.....1.O.....
0010: 73 52 BA D2                                        sR..
Client write key:
0000: CA FB B2 02 E7 3F 79 93   55 61 CB AB FF EF 1E 76  .....?y.Ua.....v
0010: 10 4C DD DE 83 55 99 6F   28 8E 19 5D 18 25 33 A2  .L...U.o(..].%3.
Server write key:
0000: 1A 25 31 69 D2 3B 45 D7   70 09 5F 9A FF D5 B3 71  .%1i.;E.p._....q
0010: 73 9D D6 52 F0 10 21 8B   8E 13 97 BE B1 02 75 46  s..R..!.......uF
Client write IV:
0000: 68 49 14 C3 A2 97 75 A0   F3 AC 89 DA 31 84 C3 EF  hI....u.....1...
Server write IV:
0000: 2C 03 9D 28 6F C2 7D BD   37 B1 AA E5 30 6E 09 EA  ,..(o...7...0n..
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 01 00 01 01                                  ......
*** Finished
verify_data:  { 56, 169, 160, 43, 198, 100, 229, 140, 160, 251, 76, 146 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 38 A9 A0 2B   C6 64 E5 8C A0 FB 4C 92  ....8..+.d....L.
Padded plaintext before ENCRYPTION:  len = 48
0000: 14 00 00 0C 38 A9 A0 2B   C6 64 E5 8C A0 FB 4C 92  ....8..+.d....L.
0010: F5 B1 BB DE F4 25 ED A2   3A 18 9D C8 8E EE 2B A6  .....%..:.....+.
0020: 4A 1E 3A C7 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  J.:.............
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Handshake, length = 48
[Raw write]: length = 53
0000: 16 03 01 00 30 4E 92 1F   3A 1F 91 C8 1B 9F 6B 3A  ....0N..:.....k:
0010: CC 2C 67 2C 9D CA 58 DA   4F 91 21 01 8E D8 5A 37  .,g,..X.O.!...Z7
0020: 67 B8 BD A9 E4 F3 79 E9   9C E6 E1 52 BB 8D 39 0E  g.....y....R..9.
0030: 45 5F F5 7E 7A                                     E_..z
[Raw read]: length = 5
0000: 14 03 01 00 01                                     .....
[Raw read]: length = 1
0000: 01                                                 .
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 01 00 30                                     ....0
[Raw read]: length = 48
0000: A9 B4 AB 6C 68 BA 47 DB   CF 6E EF 8A F2 6F BD 73  ...lh.G..n...o.s
0010: E4 44 55 C8 93 1B 4B C6   D9 A3 DB 4D 03 3B E0 8D  .DU...K....M.;..
0020: 67 ED E8 35 CA 63 D8 F8   C8 11 40 1B 54 DD 6F F2  g..5.c....@.T.o.
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Handshake, length = 48
Padded plaintext after DECRYPTION:  len = 48
0000: 14 00 00 0C 58 5A F4 F0   FA C9 BE 1D 27 6A A5 3A  ....XZ......'j.:
0010: DC 90 D1 52 C8 53 16 DD   CB 04 E9 F0 F7 46 E2 9F  ...R.S.......F..
0020: 9E A6 EF 63 0B 0B 0B 0B   0B 0B 0B 0B 0B 0B 0B 0B  ...c............
*** Finished
verify_data:  { 88, 90, 244, 240, 250, 201, 190, 29, 39, 106, 165, 58 }
***
%% Cached client session: [Session-8, TLS_RSA_WITH_AES_256_CBC_SHA]
[read] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 58 5A F4 F0   FA C9 BE 1D 27 6A A5 3A  ....XZ......'j.:
DefaultQuartzScheduler_Worker-3, setSoTimeout(9000000) called
Padded plaintext before ENCRYPTION:  len = 960
##發送數據
0000: 50 4F 53 54 20 2F 69 64   6D 2F 77 73 2F 55 6E 69  POST /idm/ws/Uni
0010: 74 53 65 72 76 69 63 65   20 48 54 54 50 2F 31 2E  tService HTTP/1.
0020: 30 0D 0A 43 6F 6E 74 65   6E 74 2D 54 79 70 65 3A  0..Content-Type:
0030: 20 74 65 78 74 2F 78 6D   6C 3B 20 63 68 61 72 73   text/xml; chars
0040: 65 74 3D 75 74 66 2D 38   0D 0A 41 63 63 65 70 74  et=utf-8..Accept
0050: 3A 20 61 70 70 6C 69 63   61 74 69 6F 6E 2F 73 6F  : application/so
0060: 61 70 2B 78 6D 6C 2C 20   61 70 70 6C 69 63 61 74  ap+xml, applicat
0070: 69 6F 6E 2F 64 69 6D 65   2C 20 6D 75 6C 74 69 70  ion/dime, multip
0080: 61 72 74 2F 72 65 6C 61   74 65 64 2C 20 74 65 78  art/related, tex
0090: 74 2F 2A 0D 0A 55 73 65   72 2D 41 67 65 6E 74 3A  t/*..User-Agent:
00A0: 20 41 78 69 73 2F 31 2E   34 0D 0A 48 6F 73 74 3A   Axis/1.4..Host:
00B0: 20 69 64 6D 74 65 73 74   2E 64 63 70 63 2E 63 6F   ***.***.co
00C0: 6D 3A 38 34 34 33 0D 0A   43 61 63 68 65 2D 43 6F  m:8443..Cache-Co
...

DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Application Data, length = 960
[Raw write]: length = 965
0000: 17 03 01 03 C0 76 73 C9   5C 37 18 B3 8D 85 B6 4A  .....vs.\7.....J
0010: A5 FF 06 E0 81 74 E2 46   22 C7 32 12 51 A6 C4 10  .....t.F".2.Q...
0020: 7E 1D 14 C6 1E 1B 44 95   57 6E AC 83 AA 8D A7 92  ......D.Wn......
0030: 4C 34 01 5D E9 A1 1E 8C   BB 03 55 D9 7A 09 0F 1E  L4.]......U.z...
0040: 5D C4 71 46 CA 29 72 0D   C1 CC F8 CE 6E F9 51 3A  ].qF.)r.....n.Q:
...

[Raw read]: length = 5
0000: 17 03 01 01 60                                     ....`
[Raw read]: length = 352
0000: CD C2 06 A2 9F EA 9F 00   C7 27 5E F0 B3 C4 3D 78  .........'^...=x
0010: 2E 9B F4 52 08 FF D7 05   2E A8 1B 42 3F 9A 3D 73  ...R.......B?.=s
...
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Application Data, length = 352
##接收數據
Padded plaintext after DECRYPTION:  len = 352
0000: 48 54 54 50 2F 31 2E 31   20 32 30 30 20 0D 0A 43  HTTP/1.1 200 ..C
0010: 6F 6E 74 65 6E 74 2D 54   79 70 65 3A 20 74 65 78  ontent-Type: tex
0020: 74 2F 78 6D 6C 3B 63 68   61 72 73 65 74 3D 55 54  t/xml;charset=UT
0030: 46 2D 38 0D 0A 44 61 74   65 3A 20 54 68 75 2C 20  F-8..Date: Thu, 
0040: 30 31 20 46 65 62 20 32   30 31 38 20 30 39 3A 30  01 Feb 2018 09:0
0050: 35 3A 32 35 20 47 4D 54   0D 0A 43 6F 6E 6E 65 63  5:25 GMT..Connec
0060: 74 69 6F 6E 3A 20 63 6C   6F 73 65 0D 0A 0D 0A 3C  tion: close....<
0070: 73 6F 61 70 3A 45 6E 76   65 6C 6F 70 65 20 78 6D  soap:Envelope xm
0080: 6C 6E 73 3A 73 6F 61 70   3D 22 68 74 74 70 3A 2F  lns:soap="http:/
0090: 2F 73 63 68 65 6D 61 73   2E 78 6D 6C 73 6F 61 70  /schemas.xmlsoap
00A0: 2E 6F 72 67 2F 73 6F 61   70 2F 65 6E 76 65 6C 6F  .org/soap/envelo
...
[Raw read]: length = 5
0000: 15 03 01 00 20                                     .... 
[Raw read]: length = 32
0000: 10 E4 3E EF D9 D6 A2 0F   F3 11 85 6F 8F 68 48 C8  ..>........o.hH.
0010: 26 73 2E C8 FA 9D 00 03   AB 3B 79 46 DE ED CC 40  &s.......;yF...@
DefaultQuartzScheduler_Worker-3, READ: TLSv1 Alert, length = 32
Padded plaintext after DECRYPTION:  len = 32
0000: 01 00 C2 40 0A 51 E1 F1   28 06 65 73 E4 84 81 01  ...@.Q..(.es....
0010: 8F A9 A1 FD A9 6E 09 09   09 09 09 09 09 09 09 09  .....n..........
DefaultQuartzScheduler_Worker-3, RECV TLSv1 ALERT:  warning, close_notify
DefaultQuartzScheduler_Worker-3, called closeInternal(false)
DefaultQuartzScheduler_Worker-3, SEND TLSv1 ALERT:  warning, description = close_notify
Padded plaintext before ENCRYPTION:  len = 32
0000: 01 00 4F BB 75 8C 9C 8A   12 64 D7 62 F6 AF 81 90  ..O.u....d.b....
0010: 92 0E 91 25 6F 9B 09 09   09 09 09 09 09 09 09 09  ...%o...........
DefaultQuartzScheduler_Worker-3, WRITE: TLSv1 Alert, length = 32
[Raw write]: length = 37
0000: 15 03 01 00 20 C1 60 66   8A 2A 1D A5 6C 82 C3 59  .... .`f.*..l..Y
0010: A8 D5 E9 28 70 1D 93 F1   DD 34 00 14 1F 56 12 46  ...(p....4...V.F
0020: 33 0C 4C 3F 51                                     3.L?Q
DefaultQuartzScheduler_Worker-3, called closeSocket(selfInitiated)
DefaultQuartzScheduler_Worker-3, called close()
DefaultQuartzScheduler_Worker-3, called closeInternal(true)
DefaultQuartzScheduler_Worker-3, called close()
DefaultQuartzScheduler_Worker-3, called closeInternal(true)

 如果遇到了前面的報錯信息,首先應該做的就是到這里來看看服務器給客戶端發送的到底是個什么證書!知道是什么證書之后,嘗試獲取到這個證書,導入到本地就行了。

正確地導入證書

服務器頒發給我們的cer證書文件需要導入到keystore文件中,Java才能識別。

keytool工具實現了對keystore文件中的證書進行曾刪查功能。

證書管理

增加(導入證書)

keytool -import -noprompt -trustcacerts -alias test -file  D:\certs\some.cer -keystore cacerts -storepass changeit

 -keystore:指定證書導入到的文件位置,文件不存在時會自動創建,存在時會追加

-file:指定導入的cer文件

-storepass:指定keystore文件的訪問密碼

-alias:指定別名,其實可以理解為ID,別名不能重復,刪除的時候也依靠它

查詢

keytool -list -keystore cacerts |findstr /s test

 因為結果可能很多,這里用windows的findstr來過濾。

刪除

keytool -delete -alias test -keystore cacerts

 

證書識別

Java程序對受信證書的查找順序是:

1,javax.net.ssl.trustStore  

就是System.setProperty("javax.net.ssl.trustStore","D:\\cacert.keystore");或者通過JVM參數指定:-Djavax.net.ssl.trustStore=D:\cacert.keystore。

2,JAVA_HOME\jre\lib\security\jssecacerts 【推薦】

默認沒有jssecacerts,一般把cacerts復制成jssecacerts,然后再使用keytool來修改它。jsse的全稱是Java Secure Socket Extension。

3,JAVA_HOME\jre\lib\security\cacerts

 通常情況下不就建議通過-Djavax.net.ssl.trustStore=D:\cacert.keystore來直接修改keystore文件的位置,因為這樣會造成系統中其他模塊可能找不到自己對應的證書了。推薦使用jssecacerts。我們需要什么證書直接往這個位置導就行了。程序不需要做調整。

 

其他注意事項

System.setProperty("javax.net.ssl.trustStore",..)可能不會生效

寫一個JUnit單元測試可以這么改:

但是在Spring的Service中動態修改就不見得會生效了。你雖然動態調整了System的屬性,但是別人用不用就不確定了。具體可以參考這里:https://stackoverflow.com/questions/271506/why-cant-system-setproperty-change-the-classpath-at-runtime

使用JVM參數強制指定keystore

 用JVM參數的形式就比上面這種方式更有效,并且意圖更加明確,程序肯定會使用這個參數指定位置的keystore。

-Djavax.net.ssl.trustStore=C:\Java\jre\lib\security\jssecacerts
-Djavax.net.ssl.trustStorePassword=changeit

 

后話

密碼和安全相關的主體確實太有意思了,應該專題研究一下,什么是PKI、什么是X.509,要掃清盲點,知其所以然,這樣才能在遇到異常時知道那個環節出了問題。 

 

個人學習總結,有不對之處還望賜教。 


 

參考:

阮一峰:圖解SSL/TLS協議,http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

What is SSL:https://www.youtube.com/watch?v=dsuVPxuU_hc

Java Secure Socket Extension:https://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

標簽:

版權申明:本站文章部分自網絡,如有侵權,請聯系:west999com@outlook.com
特別注意:本站所有轉載文章言論不代表本站觀點,本站所提供的攝影照片,插畫,設計作品,如需使用,請與原作者聯系,版權歸原作者所有

上一篇:JAVA 鎖之 Synchronied

下一篇:oracle 行列轉換

宅男午夜福利美女来袭