Java client is sending an empty certificate chain to the server even though it has all the required certificates and keys

Tags: java, ssl, jboss, sslhandshakeexception, jsse


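My application runs on JBoss 6.4 and is trying to communicate with a load balancer. When the server requests a certificate chain from the client (JBoss), the client sends an empty certificate chain and the SSL handshake fails.

I generated a self-signed certificate and key in the keystore using the command below: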

keytool -genkey -alias bliui11345 -keyalg RSA -validity 365 -keysize 2048 -keystore bliui.jks
CN=BLI,OU=BUK-IIT,O=Bank,L=London,ST=London,C=GB

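Then I exported the certificate:

keytool -exportcert -rfc -file clientcert.pem -keystore bliui.jks -alias bliui11345

I installed clientcert.pem in the server truststore. The server's CA-signed certificate is in my truststore.

I added the following connector to the JBoss standalone.xml -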

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                <ssl name="https" password="xyz" certificate-key-file="/opt/eap/standalone/configuration/bliui.jks" verify-client="true" ca-certificate-file="/opt/eap/standalone/configuration/bliui.jks" ca-certificate-password="xyz" ssl-protocol="TLSv1.2"/>
</connector>
The keystore is also loaded correctly, because I can see the certificate and key being loaded in the JBoss log with debug=ssl:

Starting JCA Subsystem (IronJacamar 1.0.42.Final-redhat-2)
Starting Naming Service
Bound mail session [java:jboss/mail/Default]
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
Ignoring disabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
Ignoring disabled cipher suite: SSL_DH_anon_WITH_RC4_128_MD5
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
Ignoring disabled cipher suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_KRB5_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_RC4_128_MD5
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trustStore is: /opt/eap/standalone/configuration/bliui.jks
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
Subject: CN=Test Global Infrastructure Intermediate CA (7), OU=Test Global Infrastructure Intermediate CA (7), O=Barclays PLC
Issuer:  CN=Test Global Infrastructure Root CA (7), OU=Test Global Infrastructure Root CA (7), O=Barclays PLC
Algorithm: RSA; Serial number: 0x4ed6d35d0cf5f88e2162399a05a3c7d1
Valid from Wed May 17 01:00:00 BST 2017 until Fri May 17 00:59:59 BST 2024

Ignoring disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
***
found key for : bliui11345
chain [0] = [
[
Version: V3
Subject: CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:  Sun RSA public key, 2048 bits
modulus: 20684769127101855227492774116772415979402075608086475705872282444802275351603045851226344549731179317732787593894367418004227770753430523757523483229300687424482724535998894744666727437462034313158018417744426363750571388616927327
public exponent: 65537
Validity: [From: Mon Jul 08 07:04:56 BST 2019,
To: Thu Jul 07 07:04:56 BST 2022]
Issuer: CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB
SerialNumber: [    47fc10c5]
Coyote HTTP/1.1 initializing on : http-0.0.0.0:8443
Coyote HTTP/1.1 initializing on : http-0.0.0.0:8080
Coyote HTTP/1.1 starting on: http-0.0.0.0:8443
Coyote HTTP/1.1 starting on: http-0.0.0.0:8080
Starting deployment of "1.0.012-BLIUI_SuppressedInsights.ear" (runtime-name: "1.0.012-BLIUI_SuppressedInsights.ear")
Started FileSystemDeploymentService for directory /opt/eap/standalone/deployments
Listening on 0.0.0.0:9999
Listening on 0.0.0.0:4447
ClientHello -

*** ClientHello, TLSv1.2
RandomCookie:  , 58GMT: 1568247549 , bytes = { 41244, , 6763, , 6687, , 161230, , 6550, , 99210, , 213144, , 20220, , 230227, , 210158, , 12095, , 20275, , 95129, , 11094, , 9145, , 14205, , 146226, , 201215, , 161207, , 15196, , 196138, , 112156, , 195217, , 14195 }
Session ID:  , {}
51, 157Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Session ID:   }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
{ Extension extended_master_secret}
Extension server_name, server_name: [type=host_name (0), value=bliapi-11344.appcloud-np.barcapint.com]
***
ServerHello -

*** ServerHello, TLSv1.2
Session ID:  {171, 62, 204, 191, 99, 232, 72, 53, 55, 26, 33, 162, 114, 101, 185, 219, 42, 179, 21, 12, 23, 152, 37, 165, 42, 194, 74, 187, 121, 10, 95, 255}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
READ: TLSv1.2 Handshake, length = 3682
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: server finished[20]
 *** Certificate chain
chain [0] = [ few certificates here]
CertificateRequest and the empty client certificate chain -

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
check handshake state: server_key_exchange[12]
Supported Signature Algorithms: SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB>
*** ECDH ServerKeyExchange
upcoming handshake states: client finished[20]
Signature Algorithm SHA256withRSA
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
Server key: Sun EC public key, 256 bits
public x coord: 9119033559767037929973738794301384386482607672191668181147945847562822
public y coord: 2509706886352702164670894720440491148370487015976959327973686224762
 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

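Comments:

What is the signature algorithm of the client certificate? Is it in the list that the server sent in the CertificateRequest?

I guess it is SHA256withRSA. This is what the entry in my keystore looks like - Alias name: bliui11345 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB Issuer: CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB Serial number: ******* Valid from: Mon Jul 08 11:34:56 IST 2019 until: Thu Jul 07 11:34:56 IST 2022 Certificate fingerprints: MD5: ** SHA1: ** SHA256: ** Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key Version: 3

Then I would ask whether the client loaded its keystore correctly. This information is also in the client's JSSE debug log, further along, where it says "adding private key".

When JBoss starts it says "found key for : bliui11345", is that what you mean? Log --> found key for : bliui11345 chain [0] = [ [ Version: V3 Subject: CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

It would help if you could post both of these parts of the client JSSE log in the question. They are not legible as comments.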
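
The check the comments are circling (does the keystore hold a key entry that matches the server's CertificateRequest?), as an added example that is not part of the original post: it loads a JKS file and asks the JDK's default X509KeyManager which alias it would select for the certificate types and acceptable issuer shown in the log. The class name ClientAliasCheck, the command-line arguments, and the assumption that the key password equals the store password are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class ClientAliasCheck {
    // Usage (hypothetical): java ClientAliasCheck bliui.jks <store-password>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] password = args[1].toCharArray();
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // Only key entries (private key + chain) can be offered as a client identity.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("key entry %s: keyAlg=%s sigAlg=%s issuer=%s%n", alias,
                    leaf.getPublicKey().getAlgorithm(), leaf.getSigAlgName(),
                    leaf.getIssuerX500Principal());
        }
        // Values copied from the CertificateRequest in the question's log.
        // JSSE maps the wire types RSA, DSS, ECDSA to key types "RSA", "DSA", "EC".
        String[] keyTypes = {"RSA", "DSA", "EC"};
        Principal[] issuers = {
            new X500Principal("CN=BLI, OU=BUK-IIT, O=Bank, L=London, ST=London, C=GB")
        };
        // Assumption: the private key is protected with the same password as the store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String alias = ((X509KeyManager) km).chooseClientAlias(keyTypes, issuers, null);
                System.out.println(alias != null ? "would present alias: " + alias
                        : "no match: an empty certificate chain would be sent");
            }
        }
        // A default SSLContext takes its client key material from this system property.
        System.out.println("javax.net.ssl.keyStore=" + System.getProperty("javax.net.ssl.keyStore"));
    }
}
```

A null result reproduces the "no suitable certificate found" condition for that keystore. A non-null result means the keystore contents match the request, so the next thing to check is which key material the connecting SSLContext was actually initialised with.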