1. 首页
  2. 问答
  3. JSL-WS(部署在WL 10.3中)的SSL ssl/https连接失败

JSL-WS(部署在WL 10.3中)的SSL ssl/https连接失败

2013-03-08 108 views
0

我正在尝试使用jdk 1.6.0_29编写Java https客户端(使用HttpsURLConnection)。 然后,我将证书/wlserver_10.3/server/lib/CertGenCA.der导入到客户端的密钥库中。按下面的命令:JSL-WS(部署在WL 10.3中)的SSL ssl/https连接失败

keytool -import -alias test -keystore "D:\Program Files\Java\jdk1.6.0_29\jre\lib\security\cacerts" -file CertGenCA.der

的问题是,我不断收到“在线程异常‘主要’javax.net.ssl.SSLHandshakeException:远程主机关闭握手期间连接”的SSL调试输出如下:

  keyStore is : 
      keyStore type is : 
      jks keyStore provider is : 
      init keystore 

      init keymanager of type SunX509 
      trustStore is: D:\Program Files\Java\jdk1.6.0_29\jre\lib\security\cacerts 
      trustStore type is : jks 
      trustStore provider is : 
      init truststore 
enter code here 
adding as trusted cert: 
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH 
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH 
Algorithm: RSA; Serial number: 0x4eb200670c035d4f 
Valid from Wed Oct 25 04:36:00 VET 2006 until Sat Oct 25 04:06:00 VET 2036 



adding as trusted cert: 
Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

发行商:[email protected],CN = http://www.valicert.com/,OU = ValiCert 1级策略验证机构,O = “ValiCert公司”,L = ValiCert验证网络 算法:RSA;序列号:为0x1 有效期从星期五6月25日18时23分48秒VET 1999年至周二6月25日十七点53分48秒VET 2019

.. .. ..

  trigger seeding of SecureRandom 
      done seeding SecureRandom 

      Allow unsafe renegotiation: false 
      Allow legacy hello messages: true 
      Is initial handshake: true 
      Is secure renegotiation: false 

      %% No cached client session 
      *** ClientHello, SSLv3 
      RandomCookie: GMT: 1362670800 bytes = { 77, 1, 89, 245, 75, 245, 125, 199, 168, 78, 33, 255, 83, 57, 65, 228, 118, 11, 240, 48, 210, 7, 245, 45, 70, 153, 149, 149 } 


      Session ID: {} 
      Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 

       Compression Methods: { 0 } 
       *** 
       main, WRITE: SSLv3 Handshake, length = 75 
       main, received EOFException: error 
       Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

主,处理例外:javax.net.ssl.SSLHandshakeException:远程主机握手

   main, SEND TLSv1 ALERT: fatal, description = handshake_failure 
       main, WRITE: TLSv1 Alert, length = 2 
       main, called closeSocket()

主要期间关闭连接,所谓的close() 主,被叫closeInternal(真) 在com.sun.net.ssl。 internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849)

.. ..

   Caused by: java.io.EOFException: SSL peer shut down incorrectly 
       at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333) 
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830) 
... 7 more

不知道如何解释所有这些信息

我的代码是从Eclipse中运行和URL(JAX-WS),它是打是在实验室和Solaris系统

我的测试客户端代码如下:


URL wsdlLocation = new URL(" https://server.lab.ciso.com:8833/Impl/Service?wsdl ");
 


System.setProperty("weblogic.security.SSL.ignoreHostnameVerification", "true"); 
    System.setProperty("javax.net.ssl.trustStore", "D:\\Program Files\\Java\\jdk1.6.0_29\\jre\\lib\\security\\cacerts"); 
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); 
    System.setProperty("https.protocols", "SSLv3"); 

    SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); 

    HttpsURLConnection conn = null; 
    try { 
     conn = (HttpsURLConnection) wsdlLocation.openConnection(); 
     conn.setSSLSocketFactory(sslsocketfactory); 
     conn.setDoOutput(true); 
     conn.setUseCaches(false); 
     conn.setRequestMethod("GET"); 
     conn.setRequestProperty("Content-Type","application/Json"); 
     conn.setDoInput(true); 
     conn.connect(); 
     BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream())); 
     StringBuilder sb = new StringBuilder(); 
     String line; 
     while (((line = br.readLine()) != null)) { 
      if((line.indexOf("wsp:PolicyReference") == -1)) 
       sb.append(line+"\n"); 
     } 
     br.close(); 
     System.out.println("Random code::"+sb.toString()); 

    } finally { 
     if (conn != null) { 
      conn.disconnect(); 
     } 
    }

来源

2013-03-08 user2040528

回答

0

首先修改JDK安装的cacerts信任是非常不好的做法,因为你将失去与当前被释放,因为安全漏洞的每周一次的JDK更新修改。

如果您想使用修改后的Java信任库将其复制到您的项目中并从中修改/使用它。

您的代码的主要问题(我认为)是您使用以下调用将协议限制为SSLv3:System.setProperty("https.protocols", "SSLv3");

SSL3在某些情况下很旧且不安全,因此您应该使用TLS v1.0或更高版本。如果服务器仅限于TLS(这似乎是这种情况),则连接将失败。

因此将"SSLv3"改为"TLSv1""TLSv1.1""TLSv1.2"是AFAIR仅受Java 7支持)。

来源

2013-03-08 12:52:34 Robert

+0

感谢您的快速响应,是的,我同意修改JDK的证书是一个糟糕的主意:-( 早些时候我尝试用错误的端口(我的坏)现在我有一个正确的SSL端口连接到,也下线: 'System.setProperty( “https.protocols”, “SSLv3的”);' 现在我收到这个错误: “主,SEND使用TLSv1 ALERT:致命的,描述= certificate_unknown 主,WRITE:使用TLSv1异动,长度= 2 main,名为closeSocket() main,处理异常:javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:没有与名称匹配的server.lab.cisco.com名称' 请指教! – user2040528 2013-03-08 14:17:44

+0

您确定您在服务器端使用的证书是否为dns名称'server.lab.ciso.com'颁发? – Robert 2013-03-08 14:27:01

+0

我的服务器端是WL 10.3 我已经以复制生成以下文件的keyStore: /wlserver_10.3/server/lib/CertGenCA.der 我打算从SSL和密钥库标签连接两个卡扣镜头我的服务器在WL,那么你能分辨哪一个使用? – user2040528 2013-03-08 14:34:50

相关问题

 相关问题