Java: two-way SSL negotiation fails between a SOAP client using WebServiceTemplate and the resource
I've just inherited a Spring Boot application that uses WebServiceTemplate as a client to access some SOAP endpoints. What I know so far about the client and resource keystores and truststores:
- The client keystore was generated with a verified signed certificate
- The client's certificate has been imported into the resource's truststore
My configuration in application.yml:
endpoint: https://target_endpoint
endpoint_dw: https://target_endpoint:8443/query
trust_store: classpath:truststore/truststore.jks
trust_store_password: changeit
key_store: classpath:keystore/keystore.jks
key_store_password: changeit
Source code for the HttpClient, SSLContext and WebServiceTemplate configuration:
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.transport.http.HttpComponentsMessageSender;
import javax.net.ssl.SSLContext;

@Configuration
public class WebServiceTemplateSslConfig {

    @Autowired
    private MarshallConfig marshallConfig;

    @Value("${config.trust_store}")
    private Resource trustStore;
    @Value("${config.trust_store_password}")
    private String trustStorePassword;
    @Value("${config.key_store}")
    private Resource keyStore;
    @Value("${config.key_store_password}")
    private String keyStorePassword;
    @Value("${config.endpoint}")
    private String endpoint;

    @Bean
    public WebServiceTemplate webServiceTemplate() throws Exception {
        WebServiceTemplate webServiceTemplate = new WebServiceTemplate();
        webServiceTemplate.setMarshaller(marshallConfig.marshaller());
        webServiceTemplate.setUnmarshaller(marshallConfig.marshaller());
        // Send through the Apache HttpClient built below rather than the default HttpUrlConnectionMessageSender
        webServiceTemplate.setMessageSender(httpComponentsMessageSender());
        webServiceTemplate.setDefaultUri(endpoint); // the injected field above is named "endpoint"
        return webServiceTemplate;
    }

    @Bean
    public HttpComponentsMessageSender httpComponentsMessageSender() throws Exception {
        HttpComponentsMessageSender httpComponentsMessageSender = new HttpComponentsMessageSender();
        httpComponentsMessageSender.setHttpClient(httpClient());
        return httpComponentsMessageSender;
    }

    public HttpClient httpClient() throws Exception {
        return HttpClientBuilder
                .create()
                .setSSLSocketFactory(sslConnectionSocketFactory())
                // Spring WS sets its own Content-Length/SOAPAction headers; strip them before HttpClient adds its own
                .addInterceptorFirst(new HttpComponentsMessageSender.RemoveSoapHeadersInterceptor())
                .build();
    }

    public SSLConnectionSocketFactory sslConnectionSocketFactory() throws Exception {
        // NoopHostnameVerifier accepts any server name: hostname verification is disabled on this client
        return new SSLConnectionSocketFactory(sslContext(), NoopHostnameVerifier.INSTANCE);
    }

    public SSLContext sslContext() throws Exception {
        // Resource.getFile() only resolves when the stores sit on the file system, not inside a packaged jar
        return SSLContextBuilder.create()
                .loadTrustMaterial(trustStore.getFile(), trustStorePassword.toCharArray())
                // store password and key password: the same value is used for both here
                .loadKeyMaterial(keyStore.getFile(), keyStorePassword.toCharArray(), keyStorePassword.toCharArray())
                .build();
    }
}
Log entries for my client, produced with -Djavax.net.debug=ssl,handshake:
*** CertificateRequest
Cert Types: ECDSA, RSA, DSS
Supported Signature Algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, Unknown (hash:0x8, signature:0x4), Unknown (hash:0x8, signature:0x5), Unknown (hash:0x8, signature:0x6), Unknown (hash:0x8, signature:0x9), Unknown (hash:0x8, signature:0xa), Unknown (hash:0x8, signature:0xb), SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withDSA, Unknown (hash:0x3, signature:0x3), Unknown (hash:0x3, signature:0x1), Unknown (hash:0x3, signature:0x2), SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
...
...
...
...
...
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
http-nio-9999-exec-2, WRITE: TLSv1.2 Handshake, length = 269
SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 18 B3 88 5F 1E B8 52 A6 94 21 F6 22 A2 A9 ....._..R..!."..
0010: E7 63 6E 55 82 34 4C 87 3A 32 BF 0D 66 BA 00 C3 .cnU.4L.:2..f...
0020: 8F 8D DF 25 7C 89 42 4B 34 81 DB 68 65 6D CC 2F ...%..BK4..hem./
CONNECTION KEYGEN:
Client Nonce:
0000: ..... _...$r<=.:......
0010: ..... C. c..<(...t....
Server Nonce:
0000: ..... [z,.Y..02.5_.9gv
0010: ..... SUJ>f..p.Hh..k..
Master Secret:
0000: ..... ..Q..yhL..r..e..
0010: ..... .m.....Z..!.....
0020: ..... ..].D6.4Z.._h..r
Client MAC write Secret:
0000: ..... .....a.@..2....j
0010: ..... ..........g....#
Server MAC write Secret:
0000: ..... nS...T'.........
0010:...... .6Z.?.z..r......
Client write key:
0000: ..... ..YT............
0010: ..... .....C....Y.-(.3
Server write key:
0000: ..... .6.....r%@.f.Q..
0010: ..... ...i.Y.h.f......
... no IV derived for this protocol
http-nio-9999-exec-2, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 145, 215, 100, 173, 191, 54, 196, 70, 130, 193, 49, 168 }
***
http-nio-9999-exec-2, WRITE: TLSv1.2 Handshake, length = 80
http-nio-9999-exec-2, waiting for close_notify or alert: state 1
http-nio-9999-exec-2, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
http-nio-9999-exec-2, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated: [Session-8, TLS_RSA_WITH_AES_256_CBC_SHA256]
http-nio-9999-exec-2, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
http-nio-9999-exec-2, WRITE: TLSv1.2 Alert, length = 64
http-nio-9999-exec-2, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
http-nio-9999-exec-2, called closeSocket()
http-nio-9999-exec-2, called close()
http-nio-9999-exec-2, called closeInternal(true)
17:19:18.665 ERROR g.d.i.r.p.c.AdviceController - I/O error: Software caused connection abort: recv failed; nested exception is java.net.SocketException: Software caused connection abort: recv failed
org.springframework.ws.client.WebServiceIOException: I/O error: Software caused connection abort: recv failed; nested exception is java.net.SocketException: Software caused connection abort: recv failed
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:561)
at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:390)
at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:378)
at gov.dhs.ice.raven.passport.config.SOAPConnector.callWebService(SOAPConnector.java:15)
.....
.....
.....
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:171)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at org.springframework.ws.transport.http.HttpUrlConnection.getRequestOutputStream(HttpUrlConnection.java:89)
at org.springframework.ws.transport.AbstractSenderConnection$RequestTransportOutputStream.createOutputStream(Abstract SenderConnection.java:87)
at org.springframework.ws.transport.TransportOutputStream.getOutputStream(TransportOutputStream.java:41)
at org.springframework.ws.transport.TransportOutputStream.write(TransportOutputStream.java:64)
at com.sun.xml.internal.messaging.saaj.soap.MessageImpl.writeTo(MessageImpl.java:1314)
at org.springframework.ws.soap.saaj.SaajSoapMessage.writeTo(SaajSoapMessage.java:272)
at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:46)
at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:658)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:606)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555)
... 103 common frames omitted
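As an added diagnostic (not code from the question or from Spring WS), this stand-alone Java program repeats the client-certificate selection that the JSSE handshaker performs when it receives the CertificateRequest shown above and then logs "no suitable certificate found". It loads the key store named in application.yml from the classpath and asks the X509KeyManager which alias it would present for the requested key types, first for any issuer and then for the server's CA list, which is elided in the log and therefore appears here as a placeholder DN.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Stand-alone check: would JSSE present a client certificate for the logged CertificateRequest? */
public class ClientCertCheck {
    /** Loads a JKS store from the classpath; unlike Resource.getFile() this also works inside a jar. */
    static KeyStore loadKeyStore(String classpathPath, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = ClientCertCheck.class.getClassLoader().getResourceAsStream(classpathPath)) {
            if (in == null) throw new IllegalStateException("not on classpath: " + classpathPath);
            ks.load(in, storePassword);
        }
        return ks;
    }

    /** The same call JSSE makes on ServerHelloDone; null means "no suitable certificate found". */
    static String chooseClientAlias(KeyStore ks, char[] keyPassword, String[] keyTypes, Principal[] issuers)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        return km.chooseClientAlias(keyTypes, issuers, null);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                    // key_store_password in application.yml
        KeyStore ks = loadKeyStore("keystore/keystore.jks", password);  // key_store in application.yml
        // "Cert Types: ECDSA, RSA, DSS" in the logged CertificateRequest map to these JSSE key types
        String[] keyTypes = {"EC", "RSA", "DSA"};
        // Pass 1, issuers = null: null here means the store has no private-key entry of a requested type
        System.out.println("alias, any issuer    : " + chooseClientAlias(ks, password, keyTypes, null));
        // Pass 2: restrict to the "Cert Authorities" the server sent (elided in the log; placeholder DN)
        Principal[] serverCas = { new X500Principal("CN=PLACEHOLDER-CA-FROM-LOG") };
        System.out.println("alias, server CA list: " + chooseClientAlias(ks, password, keyTypes, serverCas));
        // List what the store holds so issuer and key algorithm can be compared with the request
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": issuer=" + cert.getIssuerX500Principal() + ", key=" + cert.getPublicKey().getAlgorithm());
        }
    }
}
```

Independently of what this prints, the stack trace above runs through sun.net.www.protocol.https.HttpsClient and org.springframework.ws.transport.http.HttpUrlConnection, i.e. Spring WS's default HttpUrlConnectionMessageSender rather than the Apache HttpClient configured in WebServiceTemplateSslConfig, so the key store loaded in that bean is never consulted on that path. Confirming which WebServiceTemplate instance SOAPConnector.callWebService actually uses is the first check to make before tuning the SSLContext.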