Java RMI SSL 可能出现密钥库/信任库错误?

发布于 2024-08-21 12:29:01 字数 1990 浏览 3 评论 0原文

使用下面的代码通过 RMI 测试 ssl 连接:

public class HelloImpl extends UnicastRemoteObject implements Hello {
    public HelloImpl() throws RemoteException {
        super(0, new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory());
    }
    public String sayHello() {
        return "Hello World!";
    }
    public static void main(String args[]) throws Exception {
        // Get reference to the RMI registry running on port 3000 in the local host
        Registry registry = LocateRegistry.getRegistry(null, 3000);
        // Bind this object instance to the name "HelloServer"
        HelloImpl obj = new HelloImpl();
        registry.bind("HelloServer", obj);
        System.out.println("HelloServer bound in registry");
    }
}

其余部分非常通用(从这里获取一些代码:http://blogs.oracle.com/lmalventosa/entry/using_the_ssl_tls_based),基本上尝试进行仅服务器身份验证以使 SSL 正常工作。然而,出现了这个令人烦恼的错误:

     RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], READ: TLSv1 Alert, length = 2
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], RECV TLSv1 ALERT:  fatal, bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], called closeSocket()
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

从调试转储看来,他们确实尝试握手,甚至交换对称密钥,但由于某种无法解释的原因在此期间失败了。在编译过程中,我们指定一个存储在文件夹中的信任存储:

# $ java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword HelloClient

非常感谢任何帮助!

Using the below code to test an ssl connection over RMI:

public class HelloImpl extends UnicastRemoteObject implements Hello {
    public HelloImpl() throws RemoteException {
        super(0, new SslRMIClientSocketFactory(), new SslRMIServerSocketFactory());
    }
    public String sayHello() {
        return "Hello World!";
    }
    public static void main(String args[]) throws Exception {
        // Get reference to the RMI registry running on port 3000 in the local host
        Registry registry = LocateRegistry.getRegistry(null, 3000);
        // Bind this object instance to the name "HelloServer"
        HelloImpl obj = new HelloImpl();
        registry.bind("HelloServer", obj);
        System.out.println("HelloServer bound in registry");
    }
}

The rest is pretty generic (took some of the code from here: http://blogs.oracle.com/lmalventosa/entry/using_the_ssl_tls_based), basically attempting to do a server-only authentication to get SSL working. However, getting this nagging error:

     RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], READ: TLSv1 Alert, length = 2
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], RECV TLSv1 ALERT:  fatal, bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], called closeSocket()
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
RMI RenewClean-[146.169.51.86:60013,javax.rmi.ssl.SslRMIClientSocketFactory@4a63d8], handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

it appears from the debug dump that they do attempt a handshake, going as far as swapping the symmetric keys, but fail during this, for some inexplicable reason. During compile, we specifcy a trust store that is stored in the folder:

# $ java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword HelloClient

Any help much appreciated!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

ペ泪落弦音 2024-08-28 12:29:01

在我看来,HelloImpl 服务器提供的证书存在问题,这可能意味着启动服务器的方式存在问题,或者密钥/证书生成过程存在问题。您是否可以

keytool -list -v -keystore keystore

在启动 HelloImpl 服务器的密钥库上运行,并使用 -Djavax.net.debug=SSL 启动服务器和客户端以查看是否有任何可用的添加信息? (如果是这样,请使用这些详细信息编辑您的问题)在不知道密钥库和信任库的状态以及创建它们的过程的情况下,很难从上面判断错误可能是什么。

It sounds to me like there's an issue with the certificate being served up by the HelloImpl server, which could mean an issue with the way you're starting the server, or an issue with the key/certificate generation process. Could you perhaps run

keytool -list -v -keystore keystore

on the keystore that your HelloImpl server is being started with, and perhaps start both the server and client with -Djavax.net.debug=SSL to see if any added info is available? (if so, editing your question with these details) It's difficult to tell from the above what the error could be without knowing the state of the keystore and truststore, and the process gone through to create them.

何以心动 2024-08-28 12:29:01

已编辑:

bad_certificate 表示服务器证书的格式是客户端无法理解或想要拒绝的。

除了获得新的服务器证书之外,您对前者无能为力。

然而,当 SSL 握手期间获取的服务器证书已过期、自签名、主机名验证失败等时,某些浏览器也会发送 bad_certficate 警报来关闭 HTTPS 连接。 Firefox 使用此警报来关闭 HTTPS 连接,而它向用户显示一个页面,询问是否信任此证书。如果用户同意,Firefox 将打开一个新的 HTTPS 连接,这次接受证书而不是发送 bad_certificate 警报。

据推测,发送警报而不是仅仅关闭连接,以便服务器可以记录实际发生的情况,或者可能在握手阶段中止连接,而不是冒着通过它发送数据的任何风险。

EDITED:

A bad_certificate means that the server's certificate is in a format the client either can't understand or wants to reject.

Not much you can do about the former except get a new server cert.

However it also appears that some browsers send a bad_certficate alert to close an HTTPS connection when the server certificate acquired during the SSL handshake has expired, is self-signed, fails the hostname verification, etc. Firefox uses this alert to close the HTTPS connection while it shows a page to the user asking whether to trust this certificate. If the user agrees, Firefox then opens a new HTTPS connection and this time accepts the certificate instead of sending the bad_certificate alert.

Presumably the alert is sent rather than just closing the connection so the server can have a record of what actually happened, or maybe to abort the connection during the handshake phase rather than run any risk of sending data over it.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文