
Spring Boot mutual TLS works with Postman or SoapUI but not with Java/Spring Boot

I am trying to call an endpoint via an HTTP POST that is secured with mutual TLS, meaning I authenticate with a keystore/truststore. When I try it via SoapUI/Postman it works fine; of course I have to supply the keystore in the settings of both tools.

However, via the Spring Boot application it does not work (Spring Boot 2.4.4, Spring 5.3.5, Java 14.0.2). Below is a snippet of the relevant code (the class is quite large):

    @PostConstruct
    private void init() {

        spKeyStore = FilenameUtils.normalize(spKeyStore, true);

        requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(createHttpClient());

        insuranceCertificationOutputTemplate = new RestTemplate(requestFactory);
        insuranceCertificationOutputTemplate.getMessageConverters().add(0, getMapping());

        authTemplate = new RestTemplate(requestFactory);
    }

    @PreDestroy
    private void destroy() {
        if (requestFactory != null && requestFactory.getHttpClient() != null) {
            try {
                CloseableHttpClient httpClient = (CloseableHttpClient) requestFactory.getHttpClient();
                httpClient.close();
            }
            catch (Exception e) {
                LogUtil.log(LOGGER, LogLevel.ERROR, "Error closing http client");
                throw new NestedException(e);
            }
        }
    }

    private HttpClient createHttpClient() {

        HttpHost proxy = new HttpHost(proxyHost, proxyPort);
        DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy);

        CredentialsProvider credentialsProvider = null;
        if (adapterTools.isLocalEnvironment()) {
            LogUtil.log(LOGGER, LogLevel.INFO, "Local environment: using system default credentials provider");
            credentialsProvider = new SystemDefaultCredentialsProvider();
        }
        else { //not relevant

        }

        PoolingHttpClientConnectionManager poolingConnManager = new PoolingHttpClientConnectionManager();
        poolingConnManager.setDefaultMaxPerRoute(CONNECTION_MANAGER_MAX_PER_ROUTE); //10
        poolingConnManager.setMaxTotal(CONNECTION_MANAGER_MAX_TOTAL); //20

        CloseableHttpClient httpClient = null;
        InputStream fileInputStream = null;

        try {
            System.setProperty(SYS_PROP_KEY_STORE, spKeyStore);
            System.setProperty(SYS_PROP_KEY_STORE_PASSWORD, spKeyStorePassword);
            System.setProperty(SYS_PROP_KEY_STORE_TYPE, spKeyStoreType);

            // load the client keystore (private key + certificate chain)
            KeyStore keystore = KeyStore.getInstance(spKeyStoreType);
            fileInputStream = new FileInputStream(spKeyStore);
            keystore.load(fileInputStream, spKeyStorePassword.toCharArray());

            SSLContext sslContext =
                    SSLContexts.custom().loadKeyMaterial(keystore, spKeyStorePassword.toCharArray())
                            //                  .loadTrustMaterial(new TrustAllStrategy()) //tried this, didnt help
                            .build();

            SSLConnectionSocketFactory sslSocketFactory =
                    new SSLConnectionSocketFactory(sslContext, SUPPORTED_PROTOCOLS, null,
                            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
            //tried TLSv1.2 and TLSv1.3

            httpClient =
                    HttpClients.custom().setSSLSocketFactory(sslSocketFactory)
                            .setDefaultCredentialsProvider(credentialsProvider).disableCookieManagement()
                            .setConnectionManager(poolingConnManager).setRoutePlanner(routePlanner).build();
        }
        catch (Exception e) {
            LogUtil.log(LOGGER, LogLevel.ERROR, "Error initializing http client ");
            throw new NestedException(e);
        }
        finally {
            // release the keystore file handle whether or not the client was built
            if (fileInputStream != null) {
                try {
                    fileInputStream.close();
                }
                catch (IOException ignored) {
                }
            }
        }
        return httpClient;
    }

    private boolean endpointHttpPostCall() {

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);

        String keyJson = String.format("{ \"key\": \"%s\" }", Token);

        HttpEntity<String> entity = new HttpEntity<>(keyJson, headers);

        String uriString = UriComponentsBuilder.fromHttpUrl(Endpoint).toUriString();

        ResponseEntity<String> reply = authTemplate.exchange(uriString, HttpMethod.POST, entity, String.class);

        ...
    }

As you can see, I end up using the org.springframework.web.client.RestTemplate.exchange method. However, I also tried to reproduce the behaviour with a small plain Java application, to make sure it has nothing to do with Spring Boot, and that fails too (via an Apache HttpPost). I get a 403, and I also enabled TLS debugging. Comparing the SoapUI TLS debug output with the Spring Boot/Java one, I found the following:

The key part seems to be the CertificateRequest part, because here, when it fails, I can see: WARNING: no suitable certificate found - continuing without client authentication

I read that this means the server's truststore is empty, but then why does it not fail via SoapUI?

Another thing that stands out when comparing the TLS debug output is that for Spring Boot the Cert Authorities are listed cleanly, like:

Cert Authorities:
<CN=localhost, OU=Dummy, O=OtherComp, L=Frankfurt, ST=Hessen, C=DE>
<CN=myapp.domain.company, O=MyComp, C=DE>
...

whereas for SoapUI it looks like:

Cert Authorities:
<CN=localhost, OU=Dummy, O=OtherComp, L=Cologne, ST=Hessen, C=DE>
0000: 64 61 74 61 3D 57 33 73   69 5A 58 5A 6C 62 6E 51  data=W3siZXZlbnQ
0010: 69 4F 69 4A 54 5A 57 35   6B 55 6D 56 78 64 57 56  iOiJTZW5kUmVxdWV
0020: 7A 64 ...

<CN=myapp.domain.company, O=MyComp, C=DE>
...   57 39 ...                                          vZHVjdF92ZXJzaW9
0090: 75 49 6A 6F 69 4E 53 34   4C 6A 41 69 4C 43 4A     uIjoiNS4LjAiLCJ
00A0: 51 63 6D 39 6B 64 57 4E   30 51 58 4A 6C 59 53 49  Qcm9kdWN0QXJlYSI
...

Frankly, I do not know why these two differ; I would expect them to look the same. Of course SoapUI uses a different Java version (I also tried that version with Spring Boot/Java, which did not help, and at that time I did not compare the section mentioned above).

I also read that this might mean my keystore was not created correctly, but again the question is: why does it not fail via SoapUI or Postman? Or am I doing something else wrong?

Below is the SSL debug output, edited for readability and to remove all private information:

javax.net.ssl|DEBUG|01|main|2021-06-10 14:10:15.471 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificates": ... (many certificates)

Then:

javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.212 CEST|SignatureScheme.java:294|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.212 CEST|SignatureScheme.java:294|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|7A|myFunction-step-db|2021-06-10 14:10:52.217 CEST|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.218 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.218 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|PreSharedKeyExtension.java:633|No session to resume.
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.241 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.242 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "0....",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302),....]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=api.marketplace.syncier.com
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256...]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256...]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 ..
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.354 CEST|ServerHello.java:871|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "9B ...,
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "server_name (0)": {
      <empty extension_data field>
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    },
    "extended_master_secret (23)": {
      <empty>
    }
  ]
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.354 CEST|SSLExtensions.java:170|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.355 CEST|ServerHello.java:967|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.355 CEST|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: server_name
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:170|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.356 CEST|SSLExtensions.java:160|Ignore unsupported extension: pre_shared_key
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.357 CEST|SSLExtensions.java:204|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:204|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.358 CEST|SSLExtensions.java:204|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.363 CEST|CertificateMessage.java:357|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "04 EF A8 05 97 22 6F 87 E2 5A FC 22 7E 89 BB 1F CC 81",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=R3, O=Let's Encrypt, C=US",
    "not before"         : "2021-03-12 15:31:23.000 CET",
    "not  after"         : "2021-06-10 16:31:23.000 CEST",
    "subject"            : "CN=api.marketplace.syncier.com",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
      },
      {
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        AuthorityInfoAccess [
          [
           accessMethod: ocsp
           accessLocation: URIName: http://r3.o.lencr.org
        , 
           accessMethod: caIssuers
           accessLocation: URIName: http://r3.i.lencr.org/
        ]
        ]
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: 14 ...
        0010: 8B 14 C2 C6                                        ....
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.32 Criticality=false
        CertificatePolicies [
          [CertificatePolicyId: [2.23.140.1.2.1]
        []  ]
          [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
        [PolicyQualifierInfo: [
          qualifierID: 1.3.6.1.5.5.7.2.1
          qualifier: 0000: 16 1A 66C 65 74  ..http://cps.let
        0010: 73 ...            sencrypt.org
        
        ]]  ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: api.marketplace.syncier.com
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 1C 2F 4C 87 8A BE 65 82   48 92 B9 44 EE CE 14 FE  ./L...e.H..D....
        0010: D9 5F 85 7E                                        ._..
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "40 01 75 04 83 14 A4 C8 21 8C 84 A9 0C 16 CD DF",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "not before"         : "2020-10-07 21:21:40.000 CEST",
    "not  after"         : "2021-09-29 21:21:40.000 CEST",
    "subject"            : "CN=R3, O=Let's Encrypt, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        AuthorityInfoAccess [
          [
           accessMethod: caIssuers
           accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
        ]
        ]
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: C4 A7 B1                                      `...
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:0
        ]
      },
      {
        ObjectId: 2.5.29.31 Criticality=false
        CRLDistributionPoints [
          [DistributionPoint:
             [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
        ]]
      },
      {
        ObjectId: 2.5.29.32 Criticality=false
        CertificatePolicies [
          [CertificatePolicyId: [2.23.140.1.2.1]
        []  ]
          [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
        [PolicyQualifierInfo: [
          qualifierID: 1.3.6.1.5.5.7.2.1
          qualifier: 0000: 16 22 ...                                     .org
        
        ]]  ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 14 2E B3 1                                   ....
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.429 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "44 AF B0 80 D6 A3 27 BA 89 30 39 86 2E F8 40 6B",
    "signature algorithm": "SHA1withRSA",
    "issuer"             : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "not before"         : "2000-09-30 23:12:19.000 CEST",
    "not  after"         : "2021-09-30 16:01:15.000 CEST",
    "subject"            : "CN=DST Root CA X3, O=Digital Signature Trust Co.",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
        0010: 60 85 89 10                                        `...
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.436 CEST|ECDHServerKeyExchange.java:534|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 28 25 ...                                             .
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 7E 37 D2 8...
      0070: ...
    },
  }
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.438 CEST|CertificateRequest.java:671|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [...]
  "certificate authorities": [CN=localhost, OU=Marketplace, O=Syncier, L=Munich, ST=Bayern, C=DE, CN=myurl.mycomp, O=mycomp, C=DE, CN=myurl.mycomp1, O=mycomp, C=DE, CN=mycomp, O=mycomp, C=DE, CN=myurl.mycomp1, O=mycomp, C=DE, CN=mycomp CA II, O=mycomp, C=DE, CN=mycomp Root CA, O=mycomp, C=DE]
}
)
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.439 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:743|Unable to produce CertificateVerify for signature scheme: ed25519
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|CertificateRequest.java:743|Unable to produce CertificateVerify for signature scheme: ed448
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.440 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.441 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pss_rsae_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.442 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.443 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|ALL|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|WARNING|7A|myFunction-step-db|2021-06-10 14:10:52.444 CEST|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.445 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.452 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 53 8E 83F(..
    0040: F                                              .
  },
}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.473 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.474 CEST|Finished.java:398|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 9... 
  }'}
)
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.523 CEST|ChangeCipherSpec.java:149|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|7A|myFunction-step-db|2021-06-10 14:10:52.525 CEST|Finished.java:535|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 53 ...
  }'}
) 

Answers (1)

  1. # Answer 1

    In the end I was able to solve this by adding/replacing the following:

        // trust store: the JDK's own cacerts
        KeyStore trustStore = KeyStore.getInstance("JKS");
        fileInputStream = new FileInputStream("C:/Program Files/Java/jdk1.8.0_181/jre/lib/security/cacerts");
        trustStore.load(fileInputStream, "changeit".toCharArray());
        fileInputStream.close();

        // key manager: the client keystore loaded earlier (keystore / keyStorePassword)
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keystore, keyStorePassword.toCharArray());

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

        // socket factory built from that context (constructed as in the question)
        SSLConnectionSocketFactory sslSocketFactory =
                new SSLConnectionSocketFactory(sslContext, SUPPORTED_PROTOCOLS, null,
                        SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // register the SSL socket factory with the connection manager itself
        Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder
                .<ConnectionSocketFactory> create()
                .register("https", sslSocketFactory)
                .register("http", PlainConnectionSocketFactory.INSTANCE)
                .build();

        PoolingHttpClientConnectionManager poolingConnManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
        poolingConnManager.setDefaultMaxPerRoute(CONNECTION_MANAGER_MAX_PER_ROUTE);
        poolingConnManager.setMaxTotal(CONNECTION_MANAGER_MAX_TOTAL);

        HttpClientBuilder builder = HttpClientBuilder.create();
        builder.disableCookieManagement()
                .setDefaultCredentialsProvider(credentialsProvider)
                .setConnectionManager(poolingConnManager)
                .setSSLSocketFactory(sslSocketFactory)
                .setRoutePlanner(routePlanner);

        httpClient = builder.build();

    What really helped, in hindsight, was debugging everything SSL-related, especially the restTemplate once it is ready for use. In my case this object path was the key to the fix: authTemplate -> requestFactory -> httpClient -> connManager -> connectionOperator -> socketFactoryRegistry. There I could see a property with a value like "DummyX509KeyManager", which had not been set. After I tried several things, the key manager was finally set.
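To show both the fix the answer applies and the check the handshake log calls for, here is an added example (my code, not the question's, the answer's, Spring's or Apache HttpClient's): it builds the SSLContext from explicit key and trust managers, registers it in the connection manager's socket-factory registry (in HttpClient 4.x, setConnectionManager supersedes setSSLSocketFactory, so a manager built on the default registry opens "https" with the JDK default context and no client key, which matches the DummyX509KeyManager the answer found), and replays the key-manager selection against the issuers a server lists in its CertificateRequest. The class and method names, the protocol list and the key-algorithm mapping are assumptions; the keystores are passed in already loaded.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

/** Added example (hypothetical class, not code from the question or the answer). */
public final class MutualTlsClientFactory {

    private MutualTlsClientFactory() {}

    /** Explicit key and trust managers: this SSLContext alone decides which client
     *  certificate is offered, independent of any javax.net.ssl.* system property. */
    public static SSLContext buildSslContext(KeyStore keyStore, char[] keyPassword,
                                             KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Replays the choice the JSSE key manager makes when the server's CertificateRequest
     * arrives: a private-key entry is usable only if its key algorithm is one of the requested
     * certificate types (rsa_sign -> "RSA", ecdsa_sign -> "EC", dss_sign -> "DSA") and some
     * certificate in its chain was issued by one of the listed authorities. An empty result
     * is what the handshake log reports as "No X.509 cert selected".
     */
    public static List<String> usableClientAliases(KeyStore keyStore, Collection<String> keyAlgorithms,
                                                   Collection<X500Principal> acceptedIssuers) throws Exception {
        List<String> usable = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0
                    || !keyAlgorithms.contains(chain[0].getPublicKey().getAlgorithm())) {
                continue;
            }
            boolean issuerMatches = acceptedIssuers.isEmpty(); // an empty list accepts any issuer
            for (Certificate c : chain) {
                if (c instanceof X509Certificate
                        && acceptedIssuers.contains(((X509Certificate) c).getIssuerX500Principal())) {
                    issuerMatches = true;
                }
            }
            if (issuerMatches) {
                usable.add(alias);
            }
        }
        return usable;
    }

    /**
     * HttpClientBuilder.setSSLSocketFactory is used only while the builder creates its own
     * connection manager; after setConnectionManager the manager's socket-factory registry
     * decides how "https" is opened. Registering the factory here is what lets the custom
     * context (and its client key) reach the TLS handshake.
     */
    public static CloseableHttpClient buildClient(SSLContext ctx, int maxPerRoute, int maxTotal) {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, new String[] {"TLSv1.3", "TLSv1.2"}, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", sslsf)
                .register("http", PlainConnectionSocketFactory.INSTANCE)
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setDefaultMaxPerRoute(maxPerRoute);
        cm.setMaxTotal(maxTotal);
        return HttpClients.custom().setConnectionManager(cm).build();
    }
}
```

Feed usableClientAliases the DNs from the "certificate authorities" line of the CertificateRequest in the handshake log: an empty list means the keystore has nothing the server would accept, while a non-empty list with the handshake still sending an empty client Certificate points at the wiring, not the keystore.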