java安全客户端套接字身份验证
对于安全服务器套接字,为了发送服务器证书,我所做的就是使用已使用我的密钥库初始化的 KeyManagerFactory.getKeyManagers() 初始化 SSLContext。
但我怎样才能在客户端做到这一点?
即对于客户端,我这样做:
System.setProperty("javax.net.ssl.keyStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7890);
我使用与信任存储相同的密钥存储。我认为仅仅为了寻找 JSSE 就可以了。
问题是我进入了服务器部分(我将 serversocket 中的 setNeedClientAuth 设置为 true)。
Exception in thread "main" javax.net.ssl.SSLHandshakeException: null cert chain
那么我应该如何配置客户端来发送证书?系统属性不是正确的方法吗?
因为我不知道如何在客户端使用 SSLContext。
谢谢你!
For secure server sockets in order to send the server certificate, all I do is initialize SSLContext with a KeyManagerFactory.getKeyManagers() that has been initialized with my keystore.
But how can I do this in client side?
I.e. for client I do:
System.setProperty("javax.net.ssl.keyStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7890);
I use the same keystore as trust store. I assume that just for looking arround JSSE it is ok.
Problem is that I get in the server part (I have setNeedClientAuth in the serversocket to true).
Exception in thread "main" javax.net.ssl.SSLHandshakeException: null cert chain
So how am I supposed to configure the client side to send a certificate?Isn't the system properties a correct approach?
Because I do not see how the SSLContext can be used in client side.
Thank you!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您不必在客户端设置特定配置即可使用证书进行身份验证。也许密钥库中缺少一些中间 CA,客户端无法从服务器发送的信任锚构建证书路径,因此无法确定证书是否适合身份验证。
您可以将系统属性
javax.net.debug添加到all以在标准输出上打印调试流。也许您可以获得有关该错误的更多信息。You do not have to set a specific configuration on the client side to use a certificate for authentication. Maybe some intermediate CAs are missing in the keystore, and the client is not able to build a certificate path from the trust anchor sent by the server and therefore cannot determine if the certificate is suitable for authentication.
You can add the system property
javax.net.debugtoallto print the debug stream on the standard output. Maybe you can get more information on the error.