SSL certificate sent by Jetty isn't the one configured in the keystore

Tags: ssl, https, jetty, keystore, jetty-9

Jetty 9.3.1.v20150714 is configured with a keystore that contains 3 certificates: the server certificate, the CA certificate and the GeoTrust root certificate.

Running keytool -list -keystore jetty/etc/keystore -storetype pkcs12 shows that it holds these certificates -

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 4 entries

jetty, Aug 29, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A3:...:10
root, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
ca, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24
server, Aug 30, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 20:...:E3
When the server starts, the log shows it loading the certificates -

2015-08-30 05:32:47 main ServerConnector [INFO] Started ServerConnector@34849eef{HTTP/1.1,[http/1.1, h2c, h2c-17, h2c-16, h2c-15, h2c-14]}{0.0.0.0:8080}
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=jetty cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=root cn=GeoTrust Global CA in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate SAN alias=server cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [INFO] x509={example.com=server} wild={} alias=null for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] managers=[sun.security.ssl.SunX509KeyManagerImpl@36c54a56] for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
However, when trying to connect to the server over HTTPS, the connection fails because of a wrong (self-signed) certificate.

Inspecting the returned certificate with openssl s_client -connect example.com:443 gives -

CONNECTED(00000003)
depth=0 C = ..., CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ..., CN = example.com
verify return:1
---
Certificate chain
 0 s:/C=.../CN=example.com
   i:/C=.../CN=example.com
--- 
This shows only 1 self-signed certificate, not the certificates from the keystore. When trying to send an HTTPS request to the server, this appears in the log -

2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Customize 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Enable SNI matching 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matches=type=host_name (0), value=example.com for org.eclipse.jetty.util.ssl.SslContextFactory$AliasSNIMatcher@22497dda
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matched example.com->server
2015-08-30 06:06:52 qtp1579572132-16 HttpParser [WARN] parse exception: java.lang.IllegalStateException: too much data seeking EOF in CLOSE for HttpChannelOverHttp@37b97125{r=1,c=false,a=IDLE,uri=-}
I made sure it is connecting to the correct server by shutting it down, after which the connection was refused; I also tried deleting the keystore file, after which the server failed to start, which means it is using the correct file.

Where does this self-signed certificate chain of length 1 come from? Could the server have two keystores defined?

Update

After replacing the keystore with another (working) keystore, openssl s_client shows all 3 certificates correctly.

This means the problem lies in the original keystore, which, as shown above, holds 3 public certificates, yet openssl outputs only 1 self-signed certificate.

Here are the commands that were used to generate the keystore -

keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -alias jetty
keytool -certreq -alias jetty -keystore keystore.p12 -storetype pkcs12 -file jetty.csr -keyalg RSA

# send CSR file to a CA for signing. got back 3 CRT files.

keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt 
keytool -import -alias ca -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias server -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt

The keystore was built incorrectly

The last entry added to the keystore was given the alias server rather than jetty, which is the alias of the private key. Doing this prevents the certificate reply from being recognized as belonging to the private key.

To fix this, I deleted all the certificates from the keystore and added them again with the correct aliases -

keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt 
keytool -import -alias inter -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias jetty -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
After the last command, keytool responds with Certificate reply was installed in keystore, indicating that it recognized the server certificate as the response to the request.


I'm not sure whether it makes a difference, but instead of calling the CA's intermediate certificate ca, in the working keystore I called it inter. I don't think this is required, but it is worth mentioning in case it is.
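Added example, not part of the question or answer above: a shell script that reproduces the mistake with openssl alone (so it needs no keytool) and shows the check that tells the two keystores apart. It builds a throwaway CA and server key, exports one PKCS12 laid out like the original keystore (the self-signed certificate from key generation still bound to the key, the CA reply added as a separate trusted entry) and one laid out like the fixed keystore (the CA reply bound to the key), then uses openssl pkcs12 -clcerts to print only the certificate that shares a localKeyID with the private key, which is the one the server will present. The CA name, the example.com subject, the alias jetty and the password changeit are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original question or answer: it reproduces
# the keystore mistake with openssl instead of keytool and shows how to
# check which certificate a PKCS12 file actually binds to the private key.
# The CA name, the "example.com" subject and the password are made up.
set -eu

# Create a throwaway CA, a server key, the self-signed certificate that
# keytool -genkeypair would have placed on that key, and the CA-signed
# "certificate reply" for the server's CSR.  $1 is a scratch directory.
make_test_pki() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example Test CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=example.com" 2>/dev/null
    openssl req -new -x509 -key "$dir/server.key" -days 1 \
        -out "$dir/selfsigned.crt" -subj "/CN=example.com" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 1 -out "$dir/server.crt" 2>/dev/null
}

# The layout from the question: the self-signed certificate stays bound to
# the key, and the CA reply plus the CA cert are only extra trusted entries.
build_broken_p12() {
    dir=$1
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/extra.pem"
    openssl pkcs12 -export -name jetty -inkey "$dir/server.key" -in "$dir/selfsigned.crt" \
        -certfile "$dir/extra.pem" -passout pass:changeit -out "$dir/broken.p12"
}

# The layout from the answer: the CA reply is the certificate on the key.
build_fixed_p12() {
    dir=$1
    openssl pkcs12 -export -name jetty -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/fixed.p12"
}

# Print only the certificate that shares a localKeyID with the private key,
# i.e. the one a server loading this keystore will present to clients.
key_bound_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -nodes 2>/dev/null
}

# How many certificates the file holds in total (what keytool -list counts).
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds when the key-bound certificate is self-signed: the reply never
# got attached to the key, which is exactly what openssl s_client reported.
key_cert_is_self_signed() {
    cert=$(key_bound_cert "$1" "$2")
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    iss=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Human-readable summary for one keystore: total count, then the identity
# and SHA1 fingerprint of the certificate actually bound to the key.
report() {
    printf '%s: %s certificates in file\n' "$1" "$(count_certs "$1" "$2")"
    key_bound_cert "$1" "$2" | openssl x509 -noout -subject -issuer -fingerprint -sha1 | sed 's/^/  /'
    if key_cert_is_self_signed "$1" "$2"; then
        echo '  key is bound to a SELF-SIGNED certificate: the CA reply was not installed on the key'
    else
        echo '  key is bound to the CA-issued certificate'
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
build_broken_p12 "$WORK"
build_fixed_p12 "$WORK"
report "$WORK/broken.p12" changeit
report "$WORK/fixed.p12" changeit
```

Counting entries, as keytool -list does, cannot distinguish the two files; the broken one even holds more certificates. Whether the key-bound certificate is self-signed (subject equal to issuer) is the check that matches what openssl s_client showed, and its SHA1 fingerprint is what to compare against the fingerprint of the served certificate. With keytool the equivalent inspection is keytool -list -v -alias jetty on the PrivateKeyEntry, whose Certificate chain length and Owner/Issuer lines expose the same problem.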

Are you sure the hostname used in the s_client command actually resolves to the server? A typical mistake is that www.example.com and example.com resolve to different IP addresses and the test is run against the wrong one.

Yes, I made sure it is the correct address, exactly the one set in the certificate. When Jetty is shut down it cannot connect.