使用 Jersey HTTPS 的 Weblogic REST 客户端：握手失败

发布于 2024-11-06 02:31:26 字数 1978 浏览 0 评论 0原文

设置：WL 的 Jrockit 上的 WL 9.2 + Jersey 1.1.5.1。我相信，选择 Jersey 1.1.5.1 是因为较新的版本需要 Java 6。 Weblogic EJB 充当 REST 客户端并不断收到此错误：

ClientHandlerException：javax.net.ssl.SSLKeyException：[安全性：090477]从 svcpoint.restprovider.com 收到的证书链 - xx.xxx.xxx.xx 不受信任，导致 SSL 握手失败。

由于这只是一个 POC 实现，Weblogic 设置了各种标志来忽略证书验证，只是为了使此错误消失：

-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off  -Dweblogic.webservice.client.ssl.strictcertchecking=false

此外，Jersey 配置设置包括此位：

SSLContext ctx = SSLContext.getInstance("SSL");
HTTPSProperties prop = new HTTPSProperties(
new HostnameVerifier () {
    public boolean verify(String hostname, SSLSession session) {
        System.out.println("\n\nFAKE_Verifier: " + hostname+"\n\n");
        return true;
    }
}, ctx);
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, prop);

最后，唯一的 WL 服务器（技术上是管理 srv）在管理控制台 SSL.Advanced 设置为不使用主机名验证。

现在，我很确定我的 Jersey 假验证器设置实际上并未涉及，因为我从 SSL 调试中看到了此错误：

<SecuritySSL> <000000> <weblogic user specified trustmanager validation status 16> 
<Security> <BEA-090477> <Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.> 
<SecuritySSL> <000000> <Validation error = 16> 
<SecuritySSL> <000000> <Certificate chain is untrusted> 
<SecuritySSL> <000000> <SSLTrustValidator returns: 16> 
<SecuritySSL> <000000> <Trust status (16):  CERT_CHAIN_UNTRUSTED> 
<SecuritySSL> <000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)

我已经在 google 上搜索并查看了其他类似的问题，但我可能遗漏了一些东西。另外，据我判断，该证书似乎有效，显示它适用于 CN=*.restprovider.com，将于 2011 年 11 月到期。

原文

Setup: WL 9.2 + Jersey 1.1.5.1 on WL's Jrockit.
Picked Jersey 1.1.5.1 because newer versions require Java 6, I believe.
Weblogic EJB acts as REST Client and keeps getting this error:

ClientHandlerException: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.

As this just a POC implementation, Weblogic is setup with various flags to ignore cert verification just to make this error go away:

-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off  -Dweblogic.webservice.client.ssl.strictcertchecking=false

Also, the Jersey config setup includes this bit:

SSLContext ctx = SSLContext.getInstance("SSL");
HTTPSProperties prop = new HTTPSProperties(
new HostnameVerifier () {
    public boolean verify(String hostname, SSLSession session) {
        System.out.println("\n\nFAKE_Verifier: " + hostname+"\n\n");
        return true;
    }
}, ctx);
config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, prop);

Finally, the sole WL server, technically the admin srv, was configured in the admin console SSL.Advanced settings to not use Hostname Verification.

Now, I'm pretty sure my fake validator setup for Jersey is not actually involved, as I see this error from SSL debug:

<SecuritySSL> <000000> <weblogic user specified trustmanager validation status 16> 
<Security> <BEA-090477> <Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.> 
<SecuritySSL> <000000> <Validation error = 16> 
<SecuritySSL> <000000> <Certificate chain is untrusted> 
<SecuritySSL> <000000> <SSLTrustValidator returns: 16> 
<SecuritySSL> <000000> <Trust status (16):  CERT_CHAIN_UNTRUSTED> 
<SecuritySSL> <000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)

I've googled and looked at other similar issues here on SO, but I'm probably missing something. Also, from what I can judge the cert seems valid, showing it's for CN=*.restprovider.com, expiring in Nov 2011.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

夏花。依旧 2024-11-13 02:31:27

该证书不受信任。我认为最好的解决方案是使用 keytool 将其添加到 Weblogic 的信任存储中：

keytool -importcert -trustcacerts ...

您也可以在代码中执行此操作：

   TrustManagerFactory trustManagerFactory = TrustManagerFactory
                .getInstance("SunX509");
   trustManagerFactory.init(trustStore);
   trustManagers = trustManagerFactory.getTrustManagers();
   SSLContext context = SSLContext.getInstance("TLS");
   context.init(keyManagers, trustManagers, new SecureRandom());
   HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

trustStore - 是包含证书的密钥存储

The certificate is untrusted. I think the best solution would be adding it to the Weblogic's trust store using the keytool:

keytool -importcert -trustcacerts ...

You can also do it in code:

   TrustManagerFactory trustManagerFactory = TrustManagerFactory
                .getInstance("SunX509");
   trustManagerFactory.init(trustStore);
   trustManagers = trustManagerFactory.getTrustManagers();
   SSLContext context = SSLContext.getInstance("TLS");
   context.init(keyManagers, trustManagers, new SecureRandom());
   HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

trustStore - is a keystore containing the certificate

回复收藏 0 原文

~没有更多了~