时间戳

首页 > 解决方案 > JAVA - 使用 SSL 外部证书来保护 Socket 服务器

java - JAVA - 使用 SSL 外部证书来保护 Socket 服务器

问题描述

我有一个通过 SSL 证书(来自 GoDaddy)在端口 443 上保护的 Web 应用程序。

现在我还需要保护套接字服务器应该监听的 TCP 端口。

我想使用我已经拥有的证书(应该吗?)

所以我以这种方式使用openssl将crt文件和私钥导入到密钥库中

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out keystore.jks

如果我这样做,keytool -list -keystore keystore.jks 我会在里面看到我的证书。

现在,在我的 SocketServer 类中,我执行以下操作

 final KeyStore keyStore = KeyStore.getInstance(new File("/home/ubuntu/certificates/keystore.jks"), password);

final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init(keyStore);

final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("NewSunX509");


keyManagerFactory.init(keyStore, password);

final SSLContext context = SSLContext.getInstance("TLS");//"SSL" "TLS"

context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

SSLServerSocketFactory sslssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

            serverSocket = (SSLServerSocket) sslssf.createServerSocket(port);

现在我想检查

如果我尝试在我的网络应用程序上使用标准 443 端口

openssl s_client -connect host:443 -showcerts -servername www.host.com

我得到了关于证书的所有信息。如果我去我的套接字端口

openssl s_client -connect host:9000 -showcerts -servername www.host.com

我明白了

CONNECTED(00000005)
4542131820:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4542131820:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1589219540
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

但如果我尝试从主机本身连接

openssl s_client -connect localhost:9000 -showcerts -servername www.host.com

我明白了

CONNECTED(00000003)
139667580962456:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 334 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1589219636
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

似乎没有考虑任何证书...

编辑

当我尝试连接 openssl 时,在应用程序日志中我看到了这个异常

javax.net.ssl.SSLHandshakeException: no cipher suites in common

标签: javasslserversocket

解决方案

推荐阅读