java - 服务器问候完成后的 TLS 握手错误
问题描述
我有一个 python 应用程序正在连接到一个 java 应用程序,两者都使用相同的证书。这个证书也被导入到双方的trusted-certs中。
整个 TLS 握手过程的功能已通过自签名证书进行了验证。
但是,当我想改用全局 CA 签名证书时,会遇到握手错误:
这是我通过-Djavax.net.debug=ssl,handshake
在服务器端(java 应用程序)启用得到的 SSL 日志:
.
.
.
***
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
public y coord: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
update handshake state: server_key_exchange[12]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
Thread-54, WRITE: TLSv1.2 Handshake, length = 2075
Thread-54, READ: TLSv1.2 Alert, length = 2
Thread-54, RECV TLSv1.2 ALERT: fatal, unknown_ca
%% Invalidated: [Session-2, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
Thread-54, called closeSocket()
Thread-54, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
最后几行,在ServerHelloDone之后,指示错误:
Thread-54, WRITE: TLSv1.2 Handshake, length = 2075
Thread-54, READ: TLSv1.2 Alert, length = 2
Thread-54, RECV TLSv1.2 ALERT: fatal, unknown_ca
%% Invalidated: [Session-2, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
Thread-54, called closeSocket()
Thread-54, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
下一步显然是client_key_exchange。它是否与客户的私钥有任何关系?
是什么unknown_ca
意思?客户端的 trust_cert 或服务器的证书中是否缺少证书?
下图也是使用 Wireshark 捕获的流量,主要行使用自签名证书,最后 3 行是有问题的证书,如上所述:
解决方案
unknown_ca 是什么意思?客户端的 trust_cert 或服务器的证书中是否缺少证书?
unknown_ca
表示由于信任库中缺少 CA,因此证书不受信任。由于警报是由客户端发送的,这意味着客户端不信任颁发服务器证书的 CA。这可能是因为信任存储中缺少根 CA,但也可能是服务器没有发送必要的中间证书,以便客户端可以建立到本地根 CA 的信任链。
推荐阅读
- flutter - 根据 Flutter 中即将发生的事件渲染视图
- java - 当依赖项是aar而不是jar时,Android gradle不能依赖mavenLocal如何解决?
- linux - Bash - 为什么圆括号和&符号从脚本中创建一个分离的实例?
- angular - HostListener 不监听输出发射器
- django - IntegrityError 1048:“列不能为空”
- cypress - 如何通过 Cypress 公开 VUE3 应用程序的内部 api?
- docker - 使用 Go Lang 从头开始的 Dockerfile 返回错误 no such file or directory
- laravel - 如何使用 Laravel 在登录中添加 Spatie 角色条件
- linux - rpm.spec 隐藏 %post 之后的警告
- c# - 对包含浮点数的字符串列表进行排序