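JavaMail (TLS): erratic failure to validate certification path
When trying to authenticate over TLS using the JavaMail library, I randomly get the following validation error: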
javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
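I'm running on a Linux machine, using jdk1.7.0 with the cacerts file from the latest JDK (1.8.0_73 at the time of writing), into which I have imported the SMTP server certificate.
The SMTP server is an Exchange server, with plain TLS authentication.
I say randomly because sometimes the connection succeeds, but at other times it complains that it cannot recognize the certificate validation path and fails, with no apparent pattern.
Retrying the connection generally works, although the number of retries is not consistent: sometimes none are needed, sometimes 2 or 3, sometimes more than 20.
To remove any external influence, I wrote a simple mail-sending application that I use to investigate this issue (our application runs deployed on Tomcat), so I can be sure the problem lies in one of these:
- JDK
- The JavaMail library
- The network connection
My question is whether anyone knows of any limitation/bug/issue that may be behind this behavior?
Right now retrying the connection is the workaround, but our project needs this looked at for a permanent solution, since many messages are sent asynchronously and the user therefore gets no feedback when the connection fails.
Edit:
The server certificate was retrieved with OpenSSL; here are some details on that command: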
openssl s_client -connect exchange.***.com:25 -starttls smtp 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem
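Note that without the -starttls parameter the command did not work (it took a while to figure out, because most online resources, including here on SO, do not include this step). The (sanitized) output of the original openssl command is as follows: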
depth=0 CN = smtpserver-ch-01
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = smtpserver-ch-01
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=smtpserver-ch-01
i:/CN=smtpserver-ch-01
---
Server certificate
-----BEGIN CERTIFICATE-----
*** CERTIFICATE DATA
-----END CERTIFICATE-----
subject=/CN=smtpserver-ch-01
issuer=/CN=smtpserver-ch-01
---
No client certificate CA names sent
---
SSL handshake has read *** bytes and written *** bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: ***
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 XSHADOW
And below is the massive printout of the javax.net.debug=SSL output: (I hope it is good form to post these massive text dumps)
Sending message to [email protected]; Attempt attempt 0 of 20...
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: certs/cacerts_1.8.0_73
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
** Standard certificates **
adding as trusted cert:
Subject: CN=smtpserver-ch-01
Issuer: CN=smtpserver-ch-01
Algorithm: RSA; Serial number: **********************************
Valid from ddd MMM DD 00:00:00 CEST 2013 until ddd MMM DD 00:00:00 CEST 2018
adding as trusted cert:
** The rest of the standard certificates **
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: XXX bytes = { XXX, ··· XXX }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = ***
*** ServerHello, TLSv1
RandomCookie: GMT: XXX bytes = { XXX, ··· XXX }
Session ID: {XX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=smtpserver-ch-02
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, xxx bits
modulus: ***
public exponent: ***
Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
To: ddd MMM DD 00:00:00 CEST 2018]
Issuer: CN=smtpserver-ch-02
SerialNumber: [ xxx ]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: smtpserver-ch-02
DNSName: smtpserver-ch-02.domain.com
]
]
Algorithm: [SHA1withRSA]
Signature:
*** SIGNATURE HEX DUMP ***
]
***
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed attempt: javax.mail.MessagingException: Can't send command to SMTP host
Sending message to [email protected]; Attempt attempt 1 of 20...
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: XXX bytes = { XXX, ··· XXX }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = **
*** ServerHello, TLSv1
RandomCookie: GMT: XXX bytes = { XXX, ··· XXX }
Session ID: {XXX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=smtpserver-ch-02
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: ***
public exponent: ***
Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
To: ddd MMM DD 00:00:00 CEST 2018]
Issuer: CN=smtpserver-ch-02
SerialNumber: [ xxx]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: smtpserver-ch-02
DNSName: smtpserver-ch-02.domain.com
]
]
Algorithm: [SHA1withRSA]
Signature:
*** SIGNATURE HEX DUMP ***
]
***
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed attempt: javax.mail.MessagingException: Can't send command to SMTP host
Sending message to [email protected]; Attempt attempt 2 of 20...
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: XXX bytes = { XXX, ··· XXX }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = **
*** ServerHello, TLSv1
RandomCookie: GMT: *** bytes = { XXX, ··· XXX }
Session ID: {XXX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=smtpserver-ch-01
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: ***
public exponent: ***
Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
To: ddd MMM DD 00:00:00 CEST 2018]
Issuer: CN=smtpserver-ch-01
SerialNumber: [ XXX]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: smtpserver-ch-01
DNSName: smtpserver-ch-01.domain.com
]
]
Algorithm: [SHA1withRSA]
Signature:
*** SIGNATURE HEX DUMP ***
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=smtpserver-ch-01
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: ***
public exponent: ***
Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
To: ddd MMM DD 00:00:00 CEST 2018]
Issuer: CN=smtpserver-ch-01
SerialNumber: [ XXX]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: smtpserver-ch-01
DNSName: smtpserver-ch-01.domain.com
]
]
Algorithm: [SHA1withRSA]
Signature:
*** SIGNATURE HEX DUMP ***
]
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = ***
SESSION KEYGEN:
PreMaster Secret:
*** HEX DUMP
CONNECTION KEYGEN:
Client Nonce:
*** HEX DUMP
Server Nonce:
*** HEX DUMP
Master Secret:
*** HEX DUMP
Client MAC write Secret:
*** HEX DUMP
Server MAC write Secret:
*** HEX DUMP
Client write key:
*** HEX DUMP
Server write key:
*** HEX DUMP
Client write IV:
*** HEX DUMP
Server write IV:
*** HEX DUMP
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { XXX, ··· XXX }
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Change Cipher Spec, length = **
main, READ: TLSv1 Handshake, length = **
*** Finished
verify_data: { XXX, ··· XXX }
***
%% Cached client session: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = ****
main, READ: TLSv1 Application Data, length = ***
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = **
main, called closeSocket(selfInitiated)
Message sent!
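The preceding log shows two failed connection attempts and a successful third.
Edit 20160315: As the commenters below have said, it seems that the exchange.***.com host redirects to different hosts, each with its own certificate, since the connection fails when the certificate presented has CN=smtpserver-ch-02, while it succeeds with the certificate presented with CN=smtpserver-ch-01.
If that is the case, then a possible solution is to run the openssl command several times, to retrieve both certificates and add them to the truststore.
EDIT (solved): The above solution worked. I ran the openssl command several times and compared the resulting data until I isolated the two unique certificates I needed.
After importing them into the truststore, everything works fine.
Is the server your client specifies part of any kind of cluster, load-balanced, or multi-tenant system, where the host might resolve to a different service? – erickson
@erickson Both the Linux machine running the Tomcat server and the Exchange SMTP server are handled by the client, so I'm not sure about the server configuration; I only manage the deployed Java application. The only thing I'm sure of is that trying to retrieve the certificate of the exchange.***.com site using a browser did not work, and I had to retrieve it through openssl with the -starttls option, so I guess there is an "internal" certificate of sorts and the exchange address is a front end (I don't know about the server configuration) – Oskuro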
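A triage script for this kind of javax.net.debug=SSL output, added here as an example (it is not code from the post): for each handshake it records the leaf certificate subject the server presented and whether validation succeeded, then lists the subjects that are absent from the truststore. The function names and the sample log are constructed for illustration, in the shape of the dump above; comparing subject DNs is a triage heuristic, since the JDK matches the certificate itself.

```python
import re
from collections import Counter

SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$")

def parse_debug_log(text):
    """Return (trusted_subjects, handshakes) from javax.net.debug=SSL output.

    Each handshake is a dict: {"leaf": subject DN or None, "outcome": str}.
    """
    trusted, handshakes = set(), []
    expect = None      # which kind of "Subject:" line comes next, if any
    current = None     # handshake currently being read
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("adding as trusted cert"):
            expect = "trusted"
        elif s.startswith("*** ClientHello"):          # a new handshake starts
            current = {"leaf": None, "outcome": "incomplete"}
            handshakes.append(current)
            expect = None
        elif s.startswith("chain [0]"):                # leaf of the presented chain
            expect = "leaf"
        elif s.startswith("Found trusted certificate") and current:
            current["outcome"] = "trusted"
            expect = None                              # skip the repeated Subject
        elif "ALERT" in s and "fatal" in s and current:
            current["outcome"] = "rejected: " + s.rsplit("=", 1)[-1].strip()
        else:
            m = SUBJECT.match(line)
            if m and expect == "trusted":
                trusted.add(m.group(1))
                expect = None
            elif m and expect == "leaf" and current:
                current["leaf"] = m.group(1)
                expect = None
    return trusted, handshakes

def missing_from_truststore(text):
    """Map each presented subject that is not in the truststore to its count."""
    trusted, handshakes = parse_debug_log(text)
    seen = Counter(h["leaf"] for h in handshakes if h["leaf"])
    return {subj: n for subj, n in seen.items() if subj not in trusted}

def _handshake(cn, ok):
    """Build one constructed, heavily abridged handshake in the log's format."""
    tail = ("Found trusted certificate:\n  Subject: " + cn if ok else
            "main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown")
    return ("*** ClientHello, TLSv1\n*** Certificate chain\nchain [0] = [\n"
            "  Subject: " + cn + "\n  Issuer: " + cn + "\n]\n" + tail + "\n")

# Constructed sample: one trusted cert, two failed attempts, one success.
SAMPLE_LOG = ("adding as trusted cert:\n  Subject: CN=smtpserver-ch-01\n"
              + _handshake("CN=smtpserver-ch-02", False) * 2
              + _handshake("CN=smtpserver-ch-01", True))

if __name__ == "__main__":
    for h in parse_debug_log(SAMPLE_LOG)[1]:
        print(h["leaf"], "->", h["outcome"])
    print("not in truststore:", missing_from_truststore(SAMPLE_LOG))
```

Run against a full debug capture, a subject that shows up only in rejected handshakes points to a backend behind the same host name whose certificate was never imported.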