Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/ssl/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Java Jetty 9-为域验证证书启用OCSP装订_Java_Ssl_Certificate_Jetty_Ocsp - Fatal编程技术网
Fatal编程技术网
  • java/
  • Java Jetty 9-为域验证证书启用OCSP装订

Java Jetty 9-为域验证证书启用OCSP装订

java ssl certificate jetty

Java Jetty 9-为域验证证书启用OCSP装订,java,ssl,certificate,jetty,ocsp,Java,Ssl,Certificate,Jetty,Ocsp,我在Jetty 9中启用OCSP装订时遇到了一些问题,我真的希望有人能在这里帮助我……希望如此 对于我的测试,我从PositiveSSL(Comodo)购买了一个SSL证书,它给了我一个有效/可信的证书。本例中的域是“dev.mydomain.com”,它将简单地指向我的本地ip(127.0.0.1) 然后,我将提供的证书转换为Java密钥库格式 # Convert certificate to pkcs12 openssl pkcs12 -export -out dev.mydomain.co

我在Jetty 9中启用OCSP装订时遇到了一些问题,我真的希望有人能在这里帮助我……希望如此

对于我的测试,我从PositiveSSL(Comodo)购买了一个SSL证书,它给了我一个有效/可信的证书。本例中的域是“dev.mydomain.com”,它将简单地指向我的本地ip(127.0.0.1)

然后,我将提供的证书转换为Java密钥库格式

# Convert certificate to pkcs12
openssl pkcs12 -export -out dev.mydomain.com.pkcs12 -inkey dev.mydomain.com.key -in dev_mydomain_com.crt

# Create java keystore
keytool -importkeystore -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -destkeystore dev.mydomain.com.keystore -deststoretype JKS
这是我用于创建Jetty服务器、激活证书、侦听443端口(https)以及理论上激活OCSP的简化Java代码:

Server _server = new Server(); // org.eclipse.jetty.server.Server

HttpConfiguration httpsConfig = new HttpConfiguration();
HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);

SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("dev.mydomain.com.keystore");
sslContextFactory.setKeyStorePassword("mypass");
sslContextFactory.setKeyManagerPassword("mypass");

// sslContextFactory.setValidateCerts(true); // tested
sslContextFactory.setEnableOCSP(true);

SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, http1.getProtocol());

// SSL Connector
ServerConnector sslConnector = new ServerConnector(_server, ssl, http1);

sslConnector.setHost("127.0.0.1");
sslConnector.setPort(443);

_server.addConnector(sslConnector);

_server.start();
_server.join();
在Java VM启动时,我还启用了以下系统属性:

Security.setProperty("ocsp.enable", "true");
System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
经过几次尝试后,我还尝试将证书链导入密钥库,但结果没有任何差别

keytool -import -trustcacerts -alias ca -file COMODORSAAddTrustCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias dv -file COMODORSADomainValidationSecureServerCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias te -file AddTrustExternalCARoot.crt -keystore dev.mydomain.com.keystore
为了测试OCSP是否正确启用,我使用了一个名为sslyze的工具,但无论我尝试做什么,OCSP的响应总是否定的:

OCSP Stapling - NOT SUPPORTED - Server did not send back an OCSP response
以下是sslyze的完整输出:

C:\Tools\sslyze-1_4_1>sslyze --certinfo dev.mydomain.com:443


 AVAILABLE PLUGINS
 -----------------

  OpenSslCipherSuitesPlugin
  RobotPlugin
  CertificateInfoPlugin
  FallbackScsvPlugin
  SessionRenegotiationPlugin
  HeartbleedPlugin
  CompressionPlugin
  OpenSslCcsInjectionPlugin
  SessionResumptionPlugin
  HttpHeadersPlugin



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   dev.mydomain.com:443                       => 127.0.0.1




 SCAN RESULTS FOR DEV.MYDOMAIN.COM:443 - 127.0.0.1
 ------------------------------------------------

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  7c398c59bac3a231efc9823c6958a7bc711bfc0e
       Common Name:                       dev.mydomain.com
       Issuer:                            COMODO RSA Domain Validation Secure Server CA
       Serial Number:                     103185809289011988533713848804380317148
       Not Before:                        2018-04-18 00:00:00
       Not After:                         2019-04-18 23:59:59
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['dev.mydomain.com', 'www.dev.mydomain.com']

     Trust
       Hostname Validation:               OK - Certificate matches dev.mydomain.com
       Android CA Store (8.1.0_r9):       FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       iOS CA Store (11):                 FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       macOS CA Store (High Sierra):      FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Mozilla CA Store (2018-01-14):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Windows CA Store (2018-02-09):     FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
       Received Chain:                    dev.mydomain.com
       Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

     Extensions
       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
       Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response


 SCAN COMPLETED IN 0.78 S
 ------------------------
很抱歉,这篇文章太长了,但我尽力提供尽可能多的细节

谢谢大家!!
Yuvi

Jetty在OSCP配置值方面确实做得不多

3个关键配置值

1.启用OCSP 
SslContextFactory.setEnableOCSP(真)
该配置只需设置
ocsp.enable
JVM安全属性

2.设置OCSP响应程序URL 
SslContextFactory.setOcspResponderURL(ocspResponderURL)
如果
setEnableOSCP(true)
并且设置了
OcspResponderURL
,则设置了
ocsp.responderURL
JVM安全属性

码头规范

if(_enableOCSP)
{
//启用联机证书状态协议(OCSP)支持
Security.setProperty(“ocsp.enable”、“true”);
如果(_ocsResponderUrl!=null)
{
//OCSP响应程序的覆盖位置
Security.setProperty(“ocsp.responderURL”,ocspResponderURL);
}
}
这两个是JVM级别的配置,此时JVM负责将OCSP内容添加到TLS/SSL协商中

3.自定义证书验证程序 
SslContextFactory.setValidateCerts(true)
如果设置了此选项,那么其他两个的值将被传递到定制的Eclipse Jetty
CertificateValidator

更多码头代码

if(isValidateCerts())
{
CertificateValidator validator=新的CertificateValidator(信任库,crls);
setMaxCertPathLength(getMaxCertPathLength());
setEnableCRLDP(isEnableCRLDP());
setEnableOCSP(isEnableOCSP());
setOcspResponderURL(getOcspResponderURL());
validator.validate(密钥库,x509C);
}
这是一个服务器端组件,它只验证服务器在启动时将使用的证书。当加载密钥库/信任库时,它只发生一次。

您的证书是否包含权限信息访问扩展(OCSPSigning)?@JoakimErdfelt是,它包含:权限信息访问方法=在线证书状态协议(1.3.6.1.5.5.7.48.1)备选名称:URL=您的服务器是否有权访问OCSPSigning URL?您是否也尝试过设置
SslContextFactory.setOcspResponderURL()
?谢谢您的回答。是的,我也尝试手动设置URL,但仍然没有调用。我将我的电脑用作服务器,未阻止任何传出连接:(