Java: JAX-WS mutual authentication fails after ClientKeyExchange

Tags: java, jax-ws, x509, mutual-authentication

The short of it...

I have a JAX-WS service hosted on a web server that uses SSL and requires mutual authentication.

First, to test that mutual authentication works, I imported the client certificate into my browser. I then pointed the browser at the protected site and it connected and retrieved content successfully.

I then wrote Java code to connect to the service on the same web site. I imported the same certificate into a Java keystore file (jks), and I receive a TLSv1 alert: fatal, handshake_failure.

I ran a test with

    -Djavax.net.debug=ssl:handshake

and found that the ClientHello and ServerHello succeed. It then proceeds to the ClientKeyExchange and I see the SESSION KEYGEN. Then it enters CertificateVerify, at which point the fatal handshake failure occurs.

I don't understand why the browser works but the Java application doesn't.

I am running on Java 1.6.0_45, although I tried the same code on Java 7 with the same result.

See below for more details.


The long of it...

This is long; I'm including the code that loads the key and trust stores and, at the end, the javax.net.debug output.

To support loading the keystore and truststore dynamically, I created a custom SocketFactory:

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

import javax.net.ssl.SSLSocketFactory;

// log4j 1.x, inferred from the fatal() calls and the FATAL log line format below
import org.apache.log4j.Logger;

/**
 * Delegates every SSLSocketFactory call to the factory built by an
 * AbstractSocketFactoryAdapter, so key and trust stores can be supplied at runtime.
 * ServiceSecurityException is the project's own exception type (not shown); for the
 * createSocket overrides below to compile as written it must be unchecked, since
 * they neither catch it nor declare it.
 */
public abstract class AbstractSSLSocketFactory extends SSLSocketFactory {
    private static final Logger logger = Logger.getLogger(AbstractSSLSocketFactory.class);
    protected AbstractSocketFactoryAdapter adapter = null;

    @Override
    public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
            throws IOException {
        return this.adapter.getFactory().createSocket(arg0, arg1, arg2, arg3);
    }

    @Override
    public String[] getDefaultCipherSuites() {
        String[] cipherSuites = null;
        try {
            cipherSuites = this.adapter.getFactory().getDefaultCipherSuites();
        }
        catch (ServiceSecurityException e) {
            logger.error("There was an error retrieving the SSLSocketFactory", e);
        }

        return cipherSuites;
    }

    @Override
    public String[] getSupportedCipherSuites() {
        String[] cipherSuites = null;
        try {
            cipherSuites = this.adapter.getFactory().getSupportedCipherSuites();
        }
        catch (ServiceSecurityException e) {
            logger.error("There was an error retrieving the SSLSocketFactory", e);
        }

        return cipherSuites;
    }

    @Override
    public Socket createSocket(String arg0, int arg1) throws IOException,
            UnknownHostException {
        return this.adapter.getFactory().createSocket(arg0, arg1);
    }

    @Override
    public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
        return this.adapter.getFactory().createSocket(arg0, arg1);
    }

    @Override
    public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
            throws IOException, UnknownHostException {
        return this.adapter.getFactory().createSocket(arg0, arg1, arg2, arg3);
    }

    @Override
    public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
            int arg3) throws IOException {
        return this.adapter.getFactory().createSocket(arg0, arg1, arg2, arg3);
    }
}
```
The adapter is abstract, as shown here:

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds (and caches) an SSLSocketFactory from the key and trust manager
 * factories supplied by the concrete subclass.
 */
public abstract class AbstractSocketFactoryAdapter {
    private SSLSocketFactory socketFactory = null;

    protected abstract String getProtocol() throws ServiceSecurityException;

    protected abstract KeyManagerFactory getKeyManagerFactory() throws ServiceSecurityException;

    protected abstract TrustManagerFactory getTrustManagerFactory() throws ServiceSecurityException;

    public SSLSocketFactory getFactory() throws ServiceSecurityException {
        if (this.socketFactory == null) {
            // Create a new socket factory
            try {
                // Retrieve the KeyManagerFactory from the implementing class
                KeyManagerFactory keyManagerFactory = this.getKeyManagerFactory();

                // Retrieve the TrustManagerFactory
                TrustManagerFactory trustManagerFactory = this.getTrustManagerFactory();

                // Retrieve the protocol
                String protocol = this.getProtocol();

                // Create the SSL context that will produce the socket factory
                SSLContext context = SSLContext.getInstance(protocol);

                KeyManager[] keyManagers = null;
                if (keyManagerFactory != null) {
                    keyManagers = keyManagerFactory.getKeyManagers();
                }

                TrustManager[] trustManagers = null;
                if (trustManagerFactory != null) {
                    trustManagers = trustManagerFactory.getTrustManagers();
                }

                // Associate the key and trust managers with the SSLContext;
                // if keyManagers and/or trustManagers are null the JVM default
                // is used for the respective manager
                context.init(keyManagers, trustManagers, new SecureRandom());

                // Cache the socket factory for later use
                this.socketFactory = context.getSocketFactory();
            } catch (NoSuchAlgorithmException e) {
                throw new ServiceSecurityException(e);
            } catch (KeyManagementException e) {
                throw new ServiceSecurityException(e);
            }
        }

        return this.socketFactory;
    }
}
```
The concrete implementation of the adapter is: (in this test case I load the key and trust stores from disk, but eventually we plan to store them as blobs in a database.)
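The concrete adapter is not on the page, so here is an added illustration (my own code, not the poster's FileSSLSocketFactory) of one way to write it against the AbstractSocketFactoryAdapter above, together with a pre-flight check of the chain stored with each private-key entry, which is exactly what the JSSE client later sends in its Certificate message. It assumes ServiceSecurityException accepts a Throwable, as the adapter's catch blocks imply; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical concrete adapter: loads key and trust stores from files on disk. */
public class FileSocketFactoryAdapter extends AbstractSocketFactoryAdapter {
    private final String keyStoreFile, keyStorePassword, keyStoreType;
    private final String trustStoreFile, trustStorePassword, trustStoreType;
    private final String protocol;

    public FileSocketFactoryAdapter(String keyStoreFile, String keyStorePassword, String keyStoreType,
            String trustStoreFile, String trustStorePassword, String trustStoreType, String protocol) {
        this.keyStoreFile = keyStoreFile;
        this.keyStorePassword = keyStorePassword;
        this.keyStoreType = keyStoreType;
        this.trustStoreFile = trustStoreFile;
        this.trustStorePassword = trustStorePassword;
        this.trustStoreType = trustStoreType;
        this.protocol = protocol;
    }

    @Override
    protected String getProtocol() {
        return this.protocol;
    }

    @Override
    protected KeyManagerFactory getKeyManagerFactory() throws ServiceSecurityException {
        try {
            KeyStore ks = loadStore(keyStoreFile, keyStorePassword, keyStoreType);
            // Default algorithm is SunX509 on the poster's JDK; not hard-coded here
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePassword.toCharArray());
            return kmf;
        } catch (Exception e) {
            throw new ServiceSecurityException(e); // assumed Throwable-accepting constructor
        }
    }

    @Override
    protected TrustManagerFactory getTrustManagerFactory() throws ServiceSecurityException {
        try {
            KeyStore ts = loadStore(trustStoreFile, trustStorePassword, trustStoreType);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            return tmf;
        } catch (Exception e) {
            throw new ServiceSecurityException(e);
        }
    }

    static KeyStore loadStore(String file, String password, String type) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            store.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return store;
    }

    /**
     * Pre-flight check to run before the handshake: for every private-key entry, report
     * the chain stored with it and validate that chain against the trust store.
     * Returns the number of key entries whose chain does not validate.
     */
    public static int checkClientChains(KeyStore keyStore, KeyStore trustStore) throws Exception {
        PKIXParameters params = new PKIXParameters(trustStore); // trusted certs become anchors
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int failures = 0;
        for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": chain length " + chain.length + ", subject "
                    + leaf.getSubjectX500Principal() + ", issuer " + leaf.getIssuerX500Principal());
            if (chain.length == 1 && !leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                // Only the leaf was imported: the client will send a one-certificate chain and the
                // server must already hold the issuer chain itself, or it cannot build a path.
                System.out.println("  WARNING: no issuer certificates are stored with this key");
            }
            try {
                validator.validate(cf.generateCertPath(Arrays.asList(chain)), params);
                System.out.println("  chain validates against the trust store");
            } catch (CertPathValidatorException e) {
                failures++;
                System.out.println("  chain does NOT validate: " + e.getMessage());
            }
        }
        return failures;
    }
}
```

In the handshake output below the client presents a single-certificate chain (only `chain [0]`) and the server's CertificateRequest lists no Cert Authorities, so whether the server can complete the path from that leaf on its own is the first thing this check helps rule out.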

Then I have a class that puts the SSL socket factory into the JAX-WS context for the developer:

```java
import javax.net.ssl.SSLSocketFactory;

/**
 * Wires a file-backed SSLSocketFactory into the JAX-WS proxy.
 * FileSSLSocketFactory and AbstractSecureWebServiceProxy are the project's
 * own classes and are not shown here.
 */
public class SecureFileWebServiceProxy extends AbstractSecureWebServiceProxy {
    public SecureFileWebServiceProxy(Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String trustStoreFileName,
            String trustStorePassword) throws InstantiationException, IllegalAccessException {
        this(serviceImplementationClass, new FileSSLSocketFactory(keyStoreFileName,
                                                                  keyStorePassword,
                                                                  trustStoreFileName,
                                                                  trustStorePassword));
    }

    public SecureFileWebServiceProxy(Class<?> serviceImplementationClass,
            String keyStoreFileName,
            String keyStorePassword,
            String keyStoreType,
            String trustStoreFileName,
            String trustStorePassword,
            String trustStoreType,
            String protocol) throws InstantiationException, IllegalAccessException {
        this(serviceImplementationClass, new FileSSLSocketFactory(keyStoreFileName,
                                                                  keyStorePassword,
                                                                  keyStoreType,
                                                                  trustStoreFileName,
                                                                  trustStorePassword,
                                                                  trustStoreType,
                                                                  protocol));
    }

    private SecureFileWebServiceProxy(Class<?> serviceImplementationClass, SSLSocketFactory factory)
            throws InstantiationException, IllegalAccessException {
        super(serviceImplementationClass, factory);
    }
}
```

This is the debug output; the data has been altered because we are using real certificates rather than self-signed ones.

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.6.0_45\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:

trigger seeding of SecureRandom
done seeding SecureRandom
***
found key for : ALIAS_ONE
chain [0] = [
[
  Version: V3
  Subject: CN=mycn, OU=myou, 
  Signature Algorithm: SHA1withRSA, OID = xxxxx

  Key:  Sun RSA public key, 2048 bits
  modulus: xxx
  public exponent: xxx
  Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
           To: Wed Aug 27 05:12:07 EDT 2014]
  Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
  SerialNumber: [    xxx

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ca.url, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://gtssldv-aia.geotrust.com/gtssldv.crt]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]

]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: xxx]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [xxx]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mycn
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
adding as trusted cert:
  Subject: CN=mycn, OU=myou, 
  Issuer:  CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x6f6aa
  Valid from Tue Jun 25 06:48:52 EDT 2013 until Wed Aug 27 05:12:07 EDT 2014

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1373718630 bytes = { 45, 50, 83, 121, 185, 87, 15, 156, 174, 186, 215, 252, 210, 107, 14, 19, 172, 248, 56, 25, 231, 241, 37, 54, 112, 176, 190, 36 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
main, WRITE: TLSv1 Handshake, length = 75
main, WRITE: SSLv2 client hello message, length = 101
main, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie:  GMT: -1105040847 bytes = { 16, 23, 184, 87, 110, 87, 29, 130, 248, 27, 222, 32, 33, 115, 97, 142, 220, 156, 82, 25, 208, 181, 219, 152, 205, 115, 123, 184 }
Session ID:  {69, 58, 206, 144, 22, 133, 165, 252, 186, 223, 39, 102, 91, 170, 133, 90, 27, 58, 195, 5, 57, 147, 222, 112, 205, 227, 143, 154, 228, 220, 68, 100}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
main, READ: TLSv1 Handshake, length = 1406
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=mycn, OU=myou, 
  Signature Algorithm: SHA1withRSA, OID = xxx

  Key:  Sun RSA public key, 2048 bits
  modulus: xxx
  public exponent: xxx
  Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
           To: Wed Aug 27 05:12:07 EDT 2014]
  Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
  SerialNumber: [    06f6aa]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ca.url, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://gtssldv-aia.geotrust.com/gtssldv.crt]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 8C F4 D9 93 0A 47 BC 00   A0 4A CE 4B 75 6E A0 B6  .....G...J.Kun..
0010: B0 B2 7E FC                                        ....
]

]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: xxx]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mycn
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=mycn, OU=myou, 
  Signature Algorithm: SHA1withRSA, OID = xxx

  Key:  Sun RSA public key, 2048 bits
  modulus: xxx
  public exponent: 65537
  Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
           To: Wed Aug 27 05:12:07 EDT 2014]
  Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
  SerialNumber: [    06f6aa]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ca.url, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://ca.url/ca.crt]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]

]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: xxx]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mycn
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
main, READ: TLSv1 Handshake, length = 8
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
main, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
matching alias: ALIAS_ONE
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=mycn, OU=myou, 
  Signature Algorithm: SHA1withRSA, OID = xxx

  Key:  Sun RSA public key, 2048 bits
  modulus: xxx
  public exponent: 65537
  Validity: [From: Tue Jun 25 06:48:52 EDT 2013,
           To: Wed Aug 27 05:12:07 EDT 2014]
  Issuer: CN=Trusted CA, OU=CA OU, O=CA O, C=US
  SerialNumber: [    xxx]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ca.url, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://ca.url/ca.crt]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
]

]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: xxx]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1

]]  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mycn
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:

]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 1668
SESSION KEYGEN:
PreMaster Secret:

CONNECTION KEYGEN:
Client Nonce:

Server Nonce:

Master Secret:

Client MAC write Secret:

Server MAC write Secret:

Client write key:

Server write key:

... no IV used for this cipher
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 262
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { xxx }
***
main, WRITE: TLSv1 Handshake, length = 36
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2014-01-23 11:50:47,034 FATAL (Main.java:main():70)  - There was an error calling the service
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:134)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:135)
    at com.sun.xml.xwss.XWSSClientPipe.process(XWSSClientPipe.java:118)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
    at com.sun.xml.ws.client.Stub.process(Stub.java:248)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
    at com.sun.proxy.$Proxy34.testMethod(Unknown Source)
    at Main.main(Main.java:66)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:122)
    ... 14 more
```java
import org.apache.log4j.Logger;

/**
 * Test driver (the Main.java referenced in the stack trace above).
 * SampleWebServiceService and SampleWebService are the generated JAX-WS service
 * and port interface, not shown; getPort() comes from the project's
 * AbstractSecureWebServiceProxy, also not shown.
 */
public class Main {
    private static final Logger logger = Logger.getLogger(Main.class);

    public static void main(String[] args) {
        String keyStoreFileName = "keystores/keystore.jks";
        String keyStorePassword = "changeit";
        String trustStoreFileName = "keystores/keystore.jks";
        String trustStorePassword = "changeit";
        SecureFileWebServiceProxy proxy = null;
        try {
            proxy = new SecureFileWebServiceProxy(SampleWebServiceService.class, keyStoreFileName, keyStorePassword, "JKS", trustStoreFileName, trustStorePassword, "JKS", "TLS");
        }
        catch (Throwable th) {
            logger.fatal("There was an error creating the service factory", th);
            return;
        }

        SampleWebService service = null;

        try {
            service = proxy.getPort(SampleWebService.class);
        }
        catch (Throwable th) {
            logger.fatal("There was an error creating the service", th);
            return;
        }

        try {
            String rvalue = service.testMethod("test");
            logger.debug("The service returned the value: " + rvalue);
        }
        catch (Throwable th) {
            logger.fatal("There was an error calling the service", th);
        }
    }
}
```
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:134)
    at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:135)
    at com.sun.xml.xwss.XWSSClientPipe.process(XWSSClientPipe.java:118)
    at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:595)
    at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:554)
    at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:539)
    at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:436)
    at com.sun.xml.ws.client.Stub.process(Stub.java:248)
    at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
    at com.sun.proxy.$Proxy34.testMethod(Unknown Source)
    at Main.main(Main.java:66)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:122)
    ... 14 more