我有一个通过SSL证书(来自GoDaddy)在端口443上受保护的Web应用程序。
现在我还需要保护套接字服务器应该监听的TCP端口。
我想使用我已经拥有的证书(应该吗?)
所以我以这种方式使用openssl将crt文件和私钥导入到密钥库中
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out keystore.jks
如果我进行keytool -list -keystore keystore.jks
,我会在里面看到我的证书。
现在,在我的SocketServer类中,我执行以下操作
final KeyStore keyStore = KeyStore.getInstance(new File("/home/ubuntu/certificates/keystore.jks"), password);
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("NewSunX509");
keyManagerFactory.init(keyStore, password);
final SSLContext context = SSLContext.getInstance("TLS");//"SSL" "TLS"
context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
serverSocket = (SSLServerSocket) sslssf.createServerSocket(port);
现在我想检查
如果我尝试在我的Web应用程序上使用标准443端口,则>
openssl s_client -connect host:443 -showcerts -servername www.host.com
我获得了有关证书的所有信息。如果我转到我的套接字端口
openssl s_client -connect host:9000 -showcerts -servername www.host.com
我得到
CONNECTED(00000005) 4542131820:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40 4542131820:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:585: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Start Time: 1589219540 Timeout : 7200 (sec) Verify return code: 0 (ok)
但是如果我尝试从主机本身进行连接,则也要>]
openssl s_client -connect localhost:9000 -showcerts -servername www.host.com
我得到
CONNECTED(00000003) 139667580962456:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 334 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1589219636 Timeout : 300 (sec) Verify return code: 0 (ok)
似乎没有考虑任何证书...
我有一个Web应用程序,该应用程序通过SSL证书(来自GoDaddy)在端口443上得到了保护。现在,我还需要保护套接字服务器应该监听的TCP端口。我想使用...