The goal is to have two different Eclipse projects running at the same time for debugging (in Eclipse: right-click the project, then Debug As -> Java Application). The two projects communicate over secure RMI. In both projects I use the same keystore, containing a self-signed certificate, located at /home/keystore/app.jks. I also imported this keystore into the default Java cacerts file at /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts.
Nevertheless, when the first program tries to open an RMI connection to the second one, I get an SSL error. Apparently the process goes fine up to the step where the client is supposed to send its certificate chain, but it does not find a suitable certificate and sends <Empty> (I don't understand why, since both programs use the same keystore).
    *** ServerHelloDone
    Warning: no suitable certificate found - continuing without client authentication
    *** Certificate chain
    <Empty>
    ***
Here is the SSL handshake flow (copied from here):
Here is the SSL log (obtained with the JVM option -Djavax.net.debug=ssl:handshake):
    System property jdk.tls.client.cipherSuites is set to 'null'
    System property jdk.tls.server.cipherSuites is set to 'null'
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
    Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
    Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
    Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
    Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
    Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
    Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
    Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
    Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
    Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
    Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
    Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
    Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
    Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_SHA
    Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
    Ignoring disabled cipher suite: SSL_RSA_WITH_NULL_MD5
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
    Ignoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
    Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    trustStore is: /home/keystore/app.jks
    trustStore type is: jks
    trustStore provider is:
    the last modified time is: Mon Dec 02 16:38:01 GMT 2019
    Reload the trust store
    Reload trust certs
    Reloaded 1 trust certs
    adding as trusted cert:
      Subject: CN=my.app.test
      Issuer:  CN=appCA
      Algorithm: RSA; Serial number: [...]
      Valid from Mon Sep 30 08:41:44 GMT 2019 until Thu Sep 27 08:41:44 GMT 2029
    keyStore is : /home/keystore/app.jks
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    ***
    found key for : my.app.test
    chain [0] = [...]
    ***
    trigger seeding of SecureRandom
    done seeding SecureRandom
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
    %% No cached client session
    update handshake state: client_hello[1]
    upcoming handshake states: server_hello[2]
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1558599263 bytes = { 135, 11, 247, 14, 133, 248, 158, 202, 41, 209, 89, 113, 206, 119, 223, 17, 30, 221, 128, 28, 149, 6, 75, 230, 156, 178, 94, 77 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Extension extended_master_secret
    ***
    appManager, WRITE: TLSv1.2 Handshake, length = 199
    appManager, READ: TLSv1.2 Handshake, length = 1254
    check handshake state: server_hello[2]
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1558599263 bytes = { 159, 56, 1, 88, 45, 19, 29, 230, 125, 18, 76, 116, 193, 42, 181, 157, 53, 94, 111, 171, 107, 5, 170, 218, 219, 178, 18, 210 }
    Session ID:  {93, 230, 86, 95, 159, 71, 64, 135, 131, 120, 204, 235, 35, 54, 195, 62, 202, 242, 209, 174, 1, 149, 229, 230, 38, 42, 77, 42, 242, 100, 229, 209}
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    Extension extended_master_secret
    ***
    %% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    ** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    update handshake state: server_hello[2]
    upcoming handshake states: server certificate[11]
    upcoming handshake states: server_key_exchange[12](optional)
    upcoming handshake states: certificate_request[13](optional)
    upcoming handshake states: server_hello_done[14]
    upcoming handshake states: client certificate[11](optional)
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    check handshake state: certificate[11]
    update handshake state: certificate[11]
    upcoming handshake states: server_key_exchange[12](optional)
    upcoming handshake states: certificate_request[13](optional)
    upcoming handshake states: server_hello_done[14]
    upcoming handshake states: client certificate[11](optional)
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    *** Certificate chain
    chain [0] = [...]
    ***
    Found trusted certificate: [...]
    check handshake state: server_key_exchange[12]
    update handshake state: server_key_exchange[12]
    upcoming handshake states: certificate_request[13](optional)
    upcoming handshake states: server_hello_done[14]
    upcoming handshake states: client certificate[11](optional)
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    *** ECDH ServerKeyExchange
    Signature Algorithm SHA512withRSA
    Server key: Sun EC public key, 256 bits
      public x coord: [...]
      public y coord: [...]
      parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
    check handshake state: unknown[13]
    *** CertificateRequest
    Cert Types: RSA, DSS, ECDSA
    Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
    Cert Authorities:
    <CN=my.app.test>
    update handshake state: unknown[13]
    upcoming handshake states: server_hello_done[14]
    upcoming handshake states: client certificate[11](optional)
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    check handshake state: server_hello_done[14]
    update handshake state: server_hello_done[14]
    upcoming handshake states: client certificate[11](optional)
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    *** ServerHelloDone
    Warning: no suitable certificate found - continuing without client authentication
    *** Certificate chain
    <Empty>
    ***
    update handshake state: certificate[11]
    upcoming handshake states: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    *** ECDHClientKeyExchange
    ECDH Public value:  { [...] }
    update handshake state: client_key_exchange[16]
    upcoming handshake states: certificate_verify[15](optional)
    upcoming handshake states: client change_cipher_spec[-1]
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    appManager, WRITE: TLSv1.2 Handshake, length = 77
    SESSION KEYGEN:
    PreMaster Secret: [...]
    CONNECTION KEYGEN:
    Client Nonce: [...]
    Server Nonce: [...]
    Master Secret: [...]
    Client MAC write Secret: [...]
    Server MAC write Secret: [...]
    Client write key: [...]
    Server write key: [...]
    ... no IV derived for this protocol
    update handshake state: change_cipher_spec
    upcoming handshake states: client finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    appManager, WRITE: TLSv1.2 Change Cipher Spec, length = 1
    *** Finished
    verify_data:  { 27, 133, 125, 59, 68, 57, 144, 47, 161, 199, 165, 13 }
    ***
    update handshake state: finished[20]
    upcoming handshake states: server change_cipher_spec[-1]
    upcoming handshake states: server finished[20]
    appManager, WRITE: TLSv1.2 Handshake, length = 96
    appManager, waiting for close_notify or alert: state 1
    appManager, READ: TLSv1.2 Alert, length = 2
    appManager, RECV TLSv1.2 ALERT:  fatal, bad_certificate
    %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    appManager, called closeSocket()
    appManager, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    appManager, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    appManager, called close()
    appManager, called closeInternal(true)
    Finalizer, called close()
    Finalizer, called closeInternal(true)
And this is the exception from the SSL RMI layer:
    java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:307)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:338)
        at sun.rmi.registry.RegistryImpl_Stub.lookup(RegistryImpl_Stub.java:112)
        at appManager.appManager.initappInstances(appManager.java:1522)
        at appManager.appManager.<init>(appManager.java:117)
        at ProcessManager.ProcessThread$1.run(ProcessThread.java:129)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
        at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1761)
        at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
        at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1152)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1280)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1190)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:369)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
        ... 7 more
Is there a problem with giving the two programs being debugged in Eclipse the same file as their keystore? Is the whole thing even possible?
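The debug log above records both halves of the client-authentication step: the server's CertificateRequest lists Cert Authorities: <CN=my.app.test>, while the only key entry found in app.jks is my.app.test with Issuer: CN=appCA, and the trust store loaded from the same file holds exactly one trusted certificate, that same leaf. In Java 8, the names a server puts into CertificateRequest are the subject DNs of the certificates in its trust store (X509TrustManagerImpl.getAcceptedIssuers()), and the client's SunX509 key manager (SunX509KeyManagerImpl.chooseClientAlias()) only offers a key entry whose chain contains a certificate whose issuer DN is in that list; subjects are never compared. The Python script below is an added illustration, not code from the original question and not JSSE source: it models those two rules with the DNs printed in the log and shows that the match fails when the trust store holds only the leaf, and succeeds when the trust store holds the CN=appCA issuer instead. The Cert class, the one-element chain and the two trust stores are constructed for the illustration, and the server-side path validation that would follow a successful match is left out.

```python
"""Model of JSSE client-certificate selection (added illustration).

Not code from the original question and not JSSE source. It mirrors the
selection rules of sun.security.ssl.X509TrustManagerImpl.getAcceptedIssuers()
(server side) and sun.security.ssl.SunX509KeyManagerImpl.chooseClientAlias()
(client side) on simplified certificate objects. The DNs are the ones
printed in the debug log; chains and trust stores are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields the selection logic looks at."""
    subject: str
    issuer: str
    key_alg: str = "RSA"      # algorithm of the subject public key


# CertificateRequest "Cert Types" -> key algorithm, as JSSE maps them.
CERT_TYPE_TO_KEY_ALG = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}


def accepted_issuers(trust_store: Iterable[Cert]) -> Set[str]:
    """Server side: the 'Cert Authorities' sent in CertificateRequest.

    Java 8 advertises the subject DN of every certificate in the server's
    trust store, whether it is a CA certificate or an end-entity leaf.
    """
    return {c.subject for c in trust_store}


def choose_client_alias(key_store: Dict[str, Tuple[Cert, ...]],
                        cert_types: Iterable[str],
                        issuers: Set[str]) -> Optional[str]:
    """Client side: SunX509 alias selection.

    An alias qualifies when its key algorithm is one the server accepts and,
    if the server sent a non-empty authority list, the *issuer* of some
    certificate in the alias's chain is in that list. A leaf-only trust
    store on the server therefore cannot match a leaf that a separate CA
    issued on the client, even though both sides hold the very same file.
    """
    wanted_algs = {CERT_TYPE_TO_KEY_ALG[t] for t in cert_types}
    for alias, chain in key_store.items():
        if chain[0].key_alg not in wanted_algs:
            continue
        if not issuers or any(c.issuer in issuers for c in chain):
            return alias
    return None


def client_handshake(key_store, cert_types, server_trust_store,
                     need_client_auth: bool = True) -> str:
    """Outcome of the client-certificate step for one handshake."""
    issuers = accepted_issuers(server_trust_store)
    alias = choose_client_alias(key_store, cert_types, issuers)
    if alias is None:
        # JSSE logs "no suitable certificate found - continuing without
        # client authentication" and sends an empty Certificate message;
        # a server configured with needClientAuth answers bad_certificate.
        return "fatal alert: bad_certificate" if need_client_auth else "no client auth"
    return f"client cert sent: {alias}"


# DNs as printed in the log; chains and trust stores constructed here.
LEAF = Cert(subject="CN=my.app.test", issuer="CN=appCA")
APP_CA = Cert(subject="CN=appCA", issuer="CN=appCA")   # assumed self-signed issuer
KEY_STORE = {"my.app.test": (LEAF,)}                    # "chain [0]" only, as logged
CERT_TYPES = ("RSA", "DSS", "ECDSA")                    # as in the CertificateRequest


def scenario_from_log() -> str:
    """Trust store holds only the leaf: the server advertises CN=my.app.test,
    the client's leaf was issued by CN=appCA, so nothing matches."""
    return client_handshake(KEY_STORE, CERT_TYPES, [LEAF])


def scenario_trust_issuer() -> str:
    """Trust store holds the issuing CA: the server advertises CN=appCA,
    which is the issuer of the client's leaf, so the alias is offered."""
    return client_handshake(KEY_STORE, CERT_TYPES, [APP_CA])


if __name__ == "__main__":
    print("Cert Authorities:", accepted_issuers([LEAF]), "->", scenario_from_log())
    print("Cert Authorities:", accepted_issuers([APP_CA]), "->", scenario_trust_issuer())
```

The model cannot confirm that this is the whole story for the asker's setup, but the names it works with are exactly the ones the log prints. On a real keystore the same comparison can be made by hand with keytool -list -v -keystore /home/keystore/app.jks, checking the Issuer of the PrivateKeyEntry against the Owner of each trustedCertEntry.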
Try adding VM arguments under Run Configurations > Arguments:

    -Djavax.net.ssl.trustStore=<path to the cacert file>
    -Djavax.net.ssl.trustStorePassword=<password>