我尝试使用pkcs 12格式的证书连接到Web服务,但收到此错误javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure。 我阅读了stackoverflow中存在的每个响应,但是我不知道问题出在哪里。
我用这个代码
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "certificato.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "<pw>");
和调试日志:
.....
keyStore is : certificato.p12
keyStore type is : pkcs12
keyStore provider is :
init keystore
init keymanager of type SunX509
....
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(60000) called
main, the previous server name in SNI (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it) was replaced with (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1522402781 bytes = { 230, 149, 170, 160, 96, 3, 20, 194, 35, 95, 51, 144, 240, 242, 1, 185, 116, 210, 225, 214, 208, 170, 253, 30, 253, 205, 77, 198 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_KRB5_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it]
***
main, WRITE: TLSv1.2 Handshake, length = 217
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie: GMT: 843419311 bytes = { 2, 154, 215, 104, 32, 197, 59, 136, 48, 242, 21, 86, 144, 250, 121, 115, 130, 97, 90, 238, 44, 73, 133, 103, 122, 36, 210, 246 }
Session ID: {3, 111, 126, 100, 51, 57, 110, 201, 135, 102, 65, 156, 56, 132, 148, 198, 229, 47, 220, 146, 214, 66, 71, 233, 251, 146, 231, 74, 20, 55, 43, 145}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 3881
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
public exponent: 65537
Validity: [From: Mon May 21 02:00:00 CEST 2018,
To: Thu May 28 14:00:00 CEST 2020]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [ 08e09466 2094b01d 65a1b95f 3eb92c66]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 76 00 A4 B9 09 ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 ......w.........
0030: 63 82 03 F4 00 00 00 04 03 00 47 30 45 02 21 00 c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02 63 E6 9D A6 62 E7 C0 DC ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B 40 B9 11 FD 4A 2D 1C C4 [email protected]..
0060: 02 20 2C BC 8B 1A 55 0E 25 8C FC B8 29 55 F5 EE . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC A4 F5 9E 6C 38 90 F0 B7 .*..4\.....l8...
0080: DD F4 00 77 00 6F 53 76 AC 31 F0 31 19 D8 99 00 ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11 D9 02 C1 00 29 06 8D B2 .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01 63 82 03 F4 69 00 00 04 ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00 B6 41 FD F7 CE 31 4D 75 ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03 2B 6C 97 35 ED 86 DC 25 .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE 02 21 00 D2 C5 BA 46 42 .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F A3 0C 52 CB 0A BE DD E0 8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E 3B 2B 06 00 76 00 BB D9 ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94 23 97 AA 92 7B 47 38 57 ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96 64 36 8E 1E D1 85 00 00 ...R....d6......
0120: 01 63 82 03 F3 5E 00 00 04 03 00 47 30 45 02 21 .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6 F0 34 B8 FE 57 6D FA 2C ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68 C6 C2 F0 99 83 F6 EE D1 G7....ch........
0150: CC 02 20 68 47 59 19 AE 02 D3 E6 30 27 EF 48 76 .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A 03 08 38 DC 72 AB ED 65 '..[`..J..8.r..e
0170: 94 A7 5E ..^
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5 2F 28 E7 8D 46 38 B4 2C ..a..1a./(..F8.,
0010: E1 C6 D9 E2 ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: wstest.adm.gov.it
DNSName: wstest.agenziadoganemonopoli.gov.it
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51 77 C2 23 D7 A0 B9 9F 93 .....:PQw.#.....
0010: 15 A5 2E 98 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
.... deleted ....
]
chain [1] = [
[
Version: V3
Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 27858400285679723188777933283712642951289579686400775596360785472462618845441045591174031407467141927949303967273640603370583027943461489694611514307846044788608302737755893035638149922272068624160730850926560034092625156444445564936562297688651849223419070532331233030323585681010618165796464257277453762819678070632408347042070801988771058882131228632546107451893714991242153395658429259537934263208634002792828772169217510656239241005311075681025394047894661420520700962300445533960645787118986590875906485125942483622981513806162241672544997253865343228332025582679476240480384023017494305830194847248717881628827
public exponent: 65537
Validity: [From: Fri Mar 08 13:00:00 CET 2013,
To: Wed Mar 08 13:00:00 CET 2023]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 01fda3eb 6eca75c8 88438b72 4bcfbc91]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/DigiCertGlobalRootCA.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/DigiCertGlobalRootCA.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5 2F 28 E7 8D 46 38 B4 2C ..a..1a./(..F8.,
0010: E1 C6 D9 E2 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 23 3E DF 4B D2 31 42 A5 B6 7E 42 5C 1A 44 CC 69 #>.K.1B...B\.D.i
0010: D1 68 B4 5D 4B E0 04 21 6C 4B E2 6D CC B1 E0 97 .h.]K..!lK.m....
0020: 8F A6 53 09 CD AA 2A 65 E5 39 4F 1E 83 A5 6E 5C ..S...*e.9O...n\
0030: 98 A2 24 26 E6 FB A1 ED 93 C7 2E 02 C6 4D 4A BF ..$&.........MJ.
0040: B0 42 DF 78 DA B3 A8 F9 6D FF 21 85 53 36 60 4C .B.x....m.!.S6`L
0050: 76 CE EC 38 DC D6 51 80 F0 C5 D6 E5 D4 4D 27 64 v..8..Q......M'd
0060: AB 9B C7 3E 71 FB 48 97 B8 33 6D C9 13 07 EE 96 ...>q.H..3m.....
0070: A2 1B 18 15 F6 5C 4C 40 ED B3 C2 EC FF 71 C1 E3 .....\[email protected]..
0080: 47 FF D4 B9 00 B4 37 42 DA 20 C9 EA 6E 8A EE 14 G.....7B. ..n...
0090: 06 AE 7D A2 59 98 88 A8 1B 6F 2D F4 F2 C9 14 5F ....Y....o-...._
00A0: 26 CF 2C 8D 7E ED 37 C0 A9 D5 39 B9 82 BF 19 0C &.,...7...9.....
00B0: EA 34 AF 00 21 68 F8 AD 73 E2 C9 32 DA 38 25 0B .4..!h..s..2.8%.
00C0: 55 D3 9A 1D F0 68 86 ED 2E 41 34 EF 7C A5 50 1D U....h...A4...P.
00D0: BF 3A F9 D3 C1 08 0C E6 ED 1E 8A 58 25 E4 B8 77 .:.........X%..w
00E0: AD 2D 6E F5 52 DD B4 74 8F AB 49 2E 9D 3B 93 34 .-n.R..t..I..;.4
00F0: 28 1F 78 CE 94 EA C7 BD D3 C9 6D 1C DE 5C 32 F3 (.x.......m..\2.
]
chain [2] = [
[
Version: V3
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: 28559384442792876273280274398620578979733786817784174960112400169719065906301471912340204391164075730987771255281479191858503912379974443363319206013285922932969143082114108995903507302607372164107846395526169928849546930352778612946811335349917424469188917500996253619438384218721744278787164274625243781917237444202229339672234113350935948264576180342492691117960376023738627349150441152487120197333042448834154779966801277094070528166918968412433078879939664053044797116916260095055641583506170045241549105022323819314163625798834513544420165235412105694681616578431019525684868803389424296613694298865514217451303
public exponent: 65537
Validity: [From: Fri Nov 10 01:00:00 CET 2006,
To: Mon Nov 10 01:00:00 CET 2031]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 083be056 904246b1 a1756ac9 5991c74a]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: CB 9C 37 AA 48 13 12 0A FA DD 44 9C 4F 52 B0 F4 ..7.H.....D.OR..
0010: DF AE 04 F5 79 79 08 A3 24 18 FC 4B 2B 84 C0 2D ....yy..$..K+..-
0020: B9 D5 C7 FE F4 C1 1F 58 CB B8 6D 9C 7A 74 E7 98 .......X..m.zt..
0030: 29 AB 11 B5 E3 70 A0 A1 CD 4C 88 99 93 8C 91 70 )....p...L.....p
0040: E2 AB 0F 1C BE 93 A9 FF 63 D5 E4 07 60 D3 A3 BF ........c...`...
0050: 9D 5B 09 F1 D5 8E E3 53 F4 8E 63 FA 3F A7 DB B4 .[.....S..c.?...
0060: 66 DF 62 66 D6 D1 6E 41 8D F2 2D B5 EA 77 4A 9F f.bf..nA..-..wJ.
0070: 9D 58 E2 2B 59 C0 40 23 ED 2D 28 82 45 3E 79 54 .X.+Y.@#.-(.E>yT
0080: 92 26 98 E0 80 48 A8 37 EF F0 D6 79 60 16 DE AC .&...H.7...y`...
0090: E8 0E CD 6E AC 44 17 38 2F 49 DA E1 45 3E 2A B9 ...n.D.8/I..E>*.
00A0: 36 53 CF 3A 50 06 F7 2E E8 C4 57 49 6C 61 21 18 6S.:P.....WIla!.
00B0: D5 04 AD 78 3C 2C 3A 80 6B A7 EB AF 15 14 E9 D8 ...x<,:.k.......
00C0: 89 C1 B9 38 6C E2 91 6C 8A FF 64 B9 77 25 57 30 ...8l..l..d.w%W0
00D0: C0 1B 24 A3 E1 DC E9 DF 47 7C B5 B4 24 08 05 30 ..$.....G...$..0
00E0: EC 2D BD 0B BF 45 BF 50 B9 A9 F3 EB 98 01 12 AD .-...E.P........
00F0: C8 88 C6 98 34 5F 8D 0A 3C C6 E9 D5 95 95 6D DE ....4_..<.....m.
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
public exponent: 65537
Validity: [From: Mon May 21 02:00:00 CEST 2018,
To: Thu May 28 14:00:00 CEST 2020]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [ 08e09466 2094b01d 65a1b95f 3eb92c66]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 76 00 A4 B9 09 ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 ......w.........
0030: 63 82 03 F4 00 00 00 04 03 00 47 30 45 02 21 00 c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02 63 E6 9D A6 62 E7 C0 DC ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B 40 B9 11 FD 4A 2D 1C C4 [email protected]..
0060: 02 20 2C BC 8B 1A 55 0E 25 8C FC B8 29 55 F5 EE . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC A4 F5 9E 6C 38 90 F0 B7 .*..4\.....l8...
0080: DD F4 00 77 00 6F 53 76 AC 31 F0 31 19 D8 99 00 ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11 D9 02 C1 00 29 06 8D B2 .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01 63 82 03 F4 69 00 00 04 ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00 B6 41 FD F7 CE 31 4D 75 ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03 2B 6C 97 35 ED 86 DC 25 .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE 02 21 00 D2 C5 BA 46 42 .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F A3 0C 52 CB 0A BE DD E0 8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E 3B 2B 06 00 76 00 BB D9 ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94 23 97 AA 92 7B 47 38 57 ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96 64 36 8E 1E D1 85 00 00 ...R....d6......
0120: 01 63 82 03 F3 5E 00 00 04 03 00 47 30 45 02 21 .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6 F0 34 B8 FE 57 6D FA 2C ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68 C6 C2 F0 99 83 F6 EE D1 G7....ch........
0150: CC 02 20 68 47 59 19 AE 02 D3 E6 30 27 EF 48 76 .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A 03 08 38 DC 72 AB ED 65 '..[`..J..8.r..e
0170: 94 A7 5E ..^
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5 2F 28 E7 8D 46 38 B4 2C ..a..1a./(..F8.,
0010: E1 C6 D9 E2 ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: wstest.adm.gov.it
DNSName: wstest.agenziadoganemonopoli.gov.it
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51 77 C2 23 D7 A0 B9 9F 93 .....:PQw.#.....
0010: 15 A5 2E 98 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: AE 8B FD 52 1E 1C 80 F8 84 5C 81 D9 FE D2 CB 7E ...R.....\......
0010: F4 7F 53 56 AD 0E D8 DF DC A0 3F 64 BE 66 DF C1 ..SV......?d.f..
0020: 4C 7D 03 A1 E3 A6 D5 E7 2C 5C 69 02 83 6E D6 4F L.......,\i..n.O
0030: 81 6B 05 6F 98 04 20 94 B1 A3 EF 5A BB 2D A9 78 .k.o.. ....Z.-.x
0040: 8F 8F E0 78 AD 22 B8 5F F4 30 4B BD 63 94 E3 FA ...x."._.0K.c...
0050: C0 3A 7C 76 B7 8D 11 FC 7E 55 F4 A9 CF 7A DA 67 .:.v.....U...z.g
0060: 2B B7 2D A9 F0 93 57 B8 DD E2 91 03 9D 90 03 B6 +.-...W.........
0070: 75 94 3F DA 75 16 3D 2A 54 92 02 1D 10 7F C6 A9 u.?.u.=*T.......
0080: EB C8 67 B4 E9 05 84 1F FF B8 C6 AB 8B A8 F2 E4 ..g.............
0090: EA F2 D2 E8 03 80 FF 1D 4E 2A EA 10 54 34 38 C4 ........N*..T48.
00A0: 79 89 06 10 73 04 6C CF 1B 8A DF E8 BE BF 67 96 y...s.l.......g.
00B0: B6 92 77 A9 AD 73 2B D8 A8 FC BD 50 39 83 4D 75 ..w..s+....P9.Mu
00C0: 59 78 00 48 AC EF AA 1C 92 A6 34 34 C5 9E 5D 1C Yx.H......44..].
00D0: B1 25 A5 0E BF 90 D0 8F 87 7F 10 5D C0 F4 5D 03 .%.........]..].
00E0: 18 42 C8 62 32 94 D0 2F 34 43 93 28 F3 60 91 CF .B.b2../4C.(.`..
00F0: 5D 27 D1 E5 00 3B 09 B4 EB 9F 63 AE E2 AA 9B F0 ]'...;....c.....
]
main, READ: TLSv1.2 Handshake, length = 401
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 521 bits
public x coord: 6045100197973385201207771559448860684258102659082760208907503122802851644235164834387633913906709736246059687127225117512119492050557728511283217428042196683
public y coord: 2360883751657537086387545659332980524396108773124766916635460732420511834927919909730280023858128820419409002491789355667533178954193764726472471819590561957
parameters: secp521r1 [NIST P-521] (1.3.132.0.35)
main, READ: TLSv1.2 Handshake, length = 392
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value: { 4, 1, 127, 118, 238, 87, 20, 170, 152, 173, 222, 199, 191, 190, 60, 225, 192, 50, 182, 3, 172, 253, 250, 146, 185, 9, 185, 210, 101, 70, 124, 133, 100, 77, 38, 192, 17, 178, 136, 108, 118, 233, 121, 52, 237, 63, 87, 98, 224, 194, 163, 186, 33, 98, 72, 227, 168, 9, 124, 44, 179, 136, 216, 32, 182, 21, 230, 1, 206, 141, 86, 19, 84, 36, 3, 141, 180, 185, 45, 5, 110, 24, 249, 220, 164, 87, 222, 48, 115, 134, 145, 66, 151, 62, 93, 18, 97, 109, 20, 239, 168, 45, 208, 19, 253, 122, 6, 128, 58, 49, 80, 16, 205, 203, 68, 200, 221, 203, 91, 73, 99, 76, 195, 83, 157, 197, 209, 91, 98, 173, 80, 123, 120 }
main, WRITE: TLSv1.2 Handshake, length = 145
SESSION KEYGEN:
PreMaster Secret:
0000: 00 76 B0 FC E9 4A 80 89 B2 88 A4 21 CE A3 FF 3C .v...J.....!...<
0010: D0 1F 48 3B B2 D8 84 24 14 EB 77 9E 3C 20 64 CE ..H;...$..w.< d.
0020: EF 2F 7A 90 50 6F 2D 75 4C 9B 9F 48 0B 04 01 A6 ./z.Po-uL..H....
0030: 2D C3 8B 2D 10 B6 FD AC AE 66 85 F8 1E 5E 8A 62 -..-.....f...^.b
0040: 46 CE F.
CONNECTION KEYGEN:
Client Nonce:
0000: 5B BE 06 DD E6 95 AA A0 60 03 14 C2 23 5F 33 90 [.......`...#_3.
0010: F0 F2 01 B9 74 D2 E1 D6 D0 AA FD 1E FD CD 4D C6 ....t.........M.
Server Nonce:
0000: 32 46 8F AF 02 9A D7 68 20 C5 3B 88 30 F2 15 56 2F.....h .;.0..V
0010: 90 FA 79 73 82 61 5A EE 2C 49 85 67 7A 24 D2 F6 ..ys.aZ.,I.gz$..
Master Secret:
0000: 4D 96 F1 24 13 EA 84 96 D3 D6 6D DD 64 92 05 F9 M..$......m.d...
0010: D2 BA BF 04 80 79 71 66 9C A6 EA 9B AC 3A 4D 37 .....yqf.....:M7
0020: 90 BE A6 C4 37 B8 70 63 1D B2 74 5A DA 8C 98 34 ....7.pc..tZ...4
... no MAC keys used for this cipher
Client write key:
0000: C3 1C 66 54 84 5A F7 B6 D9 9B 04 80 11 E4 9F E4 ..fT.Z..........
0010: 83 67 52 95 B5 E9 36 CE 0C A2 BF AA AE A2 E1 7C .gR...6.........
Server write key:
0000: B9 44 4A 92 B6 95 DE CA 89 D0 8E A0 88 50 11 6B .DJ..........P.k
0010: EC 34 65 52 FD BB 45 C3 57 26 BF A0 A4 B2 90 2F .4eR..E.W&...../
Client write IV:
0000: F8 A3 11 9A ....
Server write IV:
0000: 47 B6 75 08 G.u.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 21, 80, 48, 53, 249, 154, 28, 96, 252, 49, 18, 72 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
看来证书已正确加载,所以我无法弄清楚问题出在哪里。 任何人都可以帮助您了解吗?
如果我将证书与chrome或firefox一起使用,则可以访问Web服务,因此证书正确无误。
该错误似乎与客户端和服务器之间的信任有关:
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
如果找不到合适的证书,并且证书链为空,则程序可能不信任您正在连接的对等方的根CA证书。
检查信任存储,以查看是否至少导入了对等方的根CA证书。
这是日志的重要部分:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
这意味着密钥管理器在您的密钥库中找不到由服务器指定的任何证书颁发机构(CA)颁发的证书和密钥条目。 您删除了(带点)日志中密钥管理器初始化应该已经记录了在密钥库中找到的证书链的部分-这样做了吗? 如果不是,请使用例如keytool -list -v -keystore certifcado.p12 -storetype pkcs12 [-alias your_alias_name] 。 实际上,该链中的证书之一是由服务器指定的CA之一颁发的吗? (请注意,名称必须完全匹配:每个RDN的类型和值均应按顺序相同。即使在当今很少见,证书中的颁发者名称和CA要求的名称看起来也可能相同,但实际上是不同的(因为ASN.1编码不同。如果它们看起来相同,我将在这个更神秘的地方进行详细介绍。)
编辑:好的, 完整的日志确认密钥管理器正在使用Issuer: CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT加载密钥和证书Issuer: CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT肯定与服务器请求的第三个CA。 Chrome和Firefox可以正常工作(很抱歉,我之前错过了),这很好地证实了它的确匹配。 那么,Java(JSSE + keymanager)为什么不匹配它呢? 我不知道,这可能不容易调试。 我认为在maven下运行或使用cxf不会产生任何效果,但它们可能会起作用。 我建议从最简单的情况开始:编译并运行这样的程序(使用javax.net.ssl.keyStore *和javax.net.debug sysprops),并查看此连接会得到什么结果:
public class sometest {
public static void main (String[] args) throws Exception {
Socket s = SSLSocketFactory.getDefault().createSocket("wstest.agenziadoganemonopoli.gov.it",443);
// per comment, type fixed (for anyone else who might have a similar issue)
((SSLSocket)s).startHandshake(); // actually completes not just starts
}
}
如果那表明失败了,我们要调查一个简单得多的案例。 如果可行,请尝试:
public class sometest {
public static void main (String[] args) throws Exception {
URLConnection c = new URL("https://wstest.agenziadoganemonopoli.gov.it/").openConnection();
((HttpsURLConnection)c).connect();
}
}
// for TLS-level test it doesn't matter what 'resource' (path and/or query) we request