我在Jboss 5.1 GA中进行客户端身份验证时遇到问题。 我想做的是,使用自行生成和自行签名的证书进行客户端身份验证。 因此,我有一个密钥库my.keystore和一个信任库my.truststore。 我使用Java键盘工具。 要生成证书,请使用以下命令:
keytool -genkey -alias test -keyalg RSA -validity 365 -keystore /mirrored/certs/my.keystore
要导出此证书,我使用以下命令:
keytool -export -alias test -keystore /mirrored/certs/my.keystore -rfc -file /mirrored/certs/test.cert
将证书导出到文件中之后,我使用以下命令将其导入到信任库中:
keytool -import -alias test -file /mirrored/certs/test.cert -storetype JKS -keystore /mirrored/certs/my.truststore
作为证书的所有者,我使用localhost。
Jboss 5.1 GA在server.xml中的配置如下:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8765" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"
keystoreFile="/mirrored/certs/my.keystore"
keystorePass="mypasswd" sslProtocol="TLS"
truststoreFile="/mirrored/certs/my.truststore"
truststorePass="mypasswd"/>
要测试此配置和证书,我使用openssl。 首先,我从上面验证了证书。 openssl表示证书可以。 然后我通过openssl s_client调用我的应用程序服务器,我使用以下命令轻松地执行此操作:
openssl s_client -showcerts -CAfile test.cert -connect localhost:8765
完成此操作后,我得到以下输出:
openssl s_client -showcerts -CAfile test.cert -connect 10.180.10.74:8765
CONNECTED(00000003)
depth=0 C = DE, ST = Bremen, L = Bremen, O = Signalis, OU = localhost, CN = localhost
verify return:1
140477019141960:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1193:SSL alert number 42
140477019141960:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
0 s:/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
i:/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
-----BEGIN CERTIFICATE-----
MIICazCCAdSgAwIBAgIEVCE7CTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJE
RTEPMA0GA1UECBMGQnJlbWVuMQ8wDQYDVQQHEwZCcmVtZW4xETAPBgNVBAoTCFNp
Z25hbGlzMRowGAYDVQQLExF1Z2QtYnJicmVmLXNlcnYtNzEaMBgGA1UEAxMRdWdk
LWJyYnJlZi1zZXJ2LTcwHhcNMTQwOTIzMDkxOTA1WhcNMTUwOTIzMDkxOTA1WjB6
MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQnJlbWVuMQ8wDQYDVQQHEwZCcmVtZW4x
ETAPBgNVBAoTCFNpZ25hbGlzMRowGAYDVQQLExF1Z2QtYnJicmVmLXNlcnYtNzEa
MBgGA1UEAxMRdWdkLWJyYnJlZi1zZXJ2LTcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAIxLY7onLN91UPIUesdwQxvbSSqFPnYXz5HnSaZx3dkqje+g6qOupqU7
4NP4dFgLbxMx6eqKkGAVVXQ7QEn/Ekp1w6Xncts2LM9FyFHUikBDZewwyvRGbIak
WW3vexpS8FMwmESPnJ+Bk1tHd2YJ0POWGt4FQfZ1u5FR4BQk72CJAgMBAAEwDQYJ
KoZIhvcNAQEFBQADgYEABk5Je4aoPuv1J06Vget40vHqs+rahSpoto39Flbp2JYz
y1UQPnp6o6alLtiOQcFI0iea0zXm8LMybkZTnvP7jj2//49KOmI0+RJx6cWj+cXi
qWJbK+C+8GcU+jJYwOwJrQgEl0Lr21ExebO5Is8kqQVdSiroT5KQsdPCCjKPqYc=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
issuer=/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
---
Acceptable client certificate CA names
/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=localhost/CN=localhost
/C=DE/ST=Bremen/L=Bremen/O=Signalis/OU=ugd-brbref-serv-7/CN=ugd-brbref-serv-7
---
SSL handshake has read 1420 bytes and written 170 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 542421BD481B93286D41F5BCB96272B668500E2D35C74862189BFEAF1FC4EE4C
Session-ID-ctx:
Master-Key:
ED17146FE586DE1A7F9E7272E1771293E964F242BF2187DF5329FFF0E3090C9B14B298CAFD13558A8F763444E6A53B5A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1411654077
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
因此,openssl中的错误消息是
SSL alert number 42
Jboss日志记录中的错误消息是:
2014-09-25 11:38:34,366 DEBUG [org.apache.tomcat.util.net.JIoEndpoint] (http-0.0.0.0-8765-1) Handshake failed
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1369)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:160)
at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:633)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:662)
因此,Jboss中的错误消息是
null cert chain
我不知道我在做什么错。 我原则上做对吗? 首先在密钥库中生成证书,然后将其导出并将其导入到信任库中。 是否有人在Jboss 5.1 GA中具有客户端认证方面的经验? 也许我以错误的方式使用openssl来测试客户端身份验证?
问题出在openssl命令中,您需要导出私钥,然后按如下所示执行命令:
openssl s_client -connect localhost:8765 -CAfile test.cert -cert test.cert -key MYKEY.key
有关详细信息,请参见s_client(1)和s_server(1)上的文档。