java SSLHandshakeException:空证书链
我正在尝试在Java客户机-服务器应用程序中建立SSL连接。我已经提供了一个带有完整证书链的JKS密钥库,但在服务器中仍然出现以下异常:
upcoming handshake states: server finished[20]
*** Certificate chain
<Empty>
***
fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-5, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
MyThread
, SEND TLSv1.2 ALERT:
fatal,
description = bad_certificate
MyThread, WRITE: TLSv1.2 Alert, length = 2
MyThread, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
Stack Trace
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_211]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_211]
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197) ~[?:1.8.0_211]
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165) ~[?:1.8.0_211]
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_211]
... 4 more
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_211]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306) ~[?:1.8.0_211]
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1939) ~[?:1.8.0_211]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_211]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_211]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_211]
... 2 more
这不是由于缺少证书造成的。在调试的前面,我们看到以下证书,它们的SSL顺序正确(最具体的第一个,根ca最后一个):
upcoming handshake states: server finished[20]
chain [0] = [
[
Version: V3
Subject: CN=ABC
...
Issuer: CN=DEF
...
]
chain [1] = [
[
Version: V3
Subject: CN=DEF
...
Issuer: CN=GHI
...
]
chain [2] = [
[
Version: V3
Subject: CN=GHI
...
Issuer: CN=GHI
...
]
有人能告诉我为什么会这样吗?可能是客户端拒绝证书吗
注:密钥和证书由另一方提供;我不能只产生我自己的
# 1 楼答案
当服务器的信任库不包含CA时,我得到了上述异常。服务器在其CertificateRequest中不包含CA,因此客户端别无选择,只能返回一个空列表。我进口了全链。pem从LetsEncrypt certbot进入truststore,但这似乎不包括letsencryptauthorityx3。佩姆
通过下载letsencryptauthorityx3解决。来自https://letsencrypt.org/certificates/的pem keytool-import-v-trustcacerts-alias letsencryptoauthorityx3-file letsencryptoauthorityx3。pem——密钥库信任库。ks
# 2 楼答案
问题出在服务器的证书链上。服务器拒绝连接,因为它希望客户端对自己进行身份验证。我认为我们可以这样说,因为堆栈跟踪包括
ServerHandshaker.clientCertificate()Java的SSL引擎只有在调用SSLEngine.setNeedClientAuth()时才需要客户端身份验证