在 jks (ssl) 中使用多个密钥时出现问题
我有两个客户端 pkcs12 密钥库。我从这两个中导出了证书,并使用 keyman 将它们添加到新的 jks 中。奇怪的是,每个密钥库单独工作正常,但是当我将它们组合成一个密钥库时,对每个客户端的两次调用都会失败,
<pre><code>org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Handshake, length = 32
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, handling exception: java.net.SocketException: Connection reset
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Alert, length = 18
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, Exception sending alert: java.net.SocketException: Broken pipe
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeSocket()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody4(HttpRequestUtil.java:140)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody5$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody2(HttpRequestUtil.java:89)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody3$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody0(SocialNetworkingAuthenticationImpl.java:87)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody1$advice(SocialNetworkingAuthenticationImpl.java:65)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken(SocialNetworkingAuthenticationImpl.java:1)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody0(UploadManagerImpl.java:61)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody1$advice(UploadManagerImpl.java:65)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng(UploadManagerImpl.java:1)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody0(SocialNetworkingManagerQueueListener.java:52)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody1$advice(SocialNetworkingManagerQueueListener.java:65)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage(SocialNetworkingManagerQueueListener.java:1)
at org.springframework.jms.listener.adapter.MessageListenerAdapter.onMessage(MessageListenerAdapter.java:343)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:518)
at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:479)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:451)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:323)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:261)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:982)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:974)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:876)
at java.lang.Thread.run(Thread.java:662)</code></pre>
我不确定发生了什么,因为我之前已经这样做过。有什么想法为什么在合并两个客户端的证书时会失败?
I have two client pkcs12 keystores. I exported the certs out of both of those and added them to a new jks using keyman. The strange thing is that each keystore seperately works fine, but when i combine them into one keystore, both calls to each client fail with
<pre><code>org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Handshake, length = 32
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, handling exception: java.net.SocketException: Connection reset
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Alert, length = 18
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, Exception sending alert: java.net.SocketException: Broken pipe
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeSocket()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody4(HttpRequestUtil.java:140)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody5$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody2(HttpRequestUtil.java:89)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody3$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody0(SocialNetworkingAuthenticationImpl.java:87)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody1$advice(SocialNetworkingAuthenticationImpl.java:65)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken(SocialNetworkingAuthenticationImpl.java:1)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody0(UploadManagerImpl.java:61)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody1$advice(UploadManagerImpl.java:65)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng(UploadManagerImpl.java:1)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody0(SocialNetworkingManagerQueueListener.java:52)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody1$advice(SocialNetworkingManagerQueueListener.java:65)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage(SocialNetworkingManagerQueueListener.java:1)
at org.springframework.jms.listener.adapter.MessageListenerAdapter.onMessage(MessageListenerAdapter.java:343)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:518)
at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:479)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:451)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:323)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:261)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:982)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:974)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:876)
at java.lang.Thread.run(Thread.java:662)</code></pre>
I'm not sure what is happening because i have done this before. Any ideas why this fails when combining certs from both clients?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在同一个 keystore.jks 文件中使用多个密钥时,我们遇到了类似的问题。我们有相同的行为,当我们单独使用每个密钥时,访问工作没有任何问题。当我们将两个密钥放入同一个密钥库时,我们收到错误“403:禁止”。
创建新证书等后,我们发现密钥库中的证书名称会产生影响:
其中一个密钥的名称为(匿名):
并不起作用。更改为 cert_of_company 后,它起作用了。
我们猜测名称中的字符“-”确实导致了问题,替换为“_”解决了问题。也许这可以帮助你。
We had a similar problem when using multiple keys in the same keystore.jks file. We had the same behaviour, when we used each key separately, the access worked without any problem. When we put both keys into the same keystore, we got the error "403: Forbidden".
After creating new certificates and more, we found out that the name of the certificates in the keystore has an influence:
one of the keys had the name (anonymized):
and did not work. After changing to cert_of_company it worked.
We guess that the character "-" in the name did cause the problem and the replacement to "_" solved it. Maybe this can help you.
使用
keytool列出组合密钥存储的内容。每个条目的“类型”是什么?
它们应该是私钥条目;如果不是(如果它们是受信任的条目),则您无法导出关联的私钥。
两个证书是否来自同一颁发者?
Use
keytoolto list the contents of your combined key store.What is the "type" of each entry?
They should be a private key entries; if not (if they are trusted entries), you failed to export the associated private keys.
Are the two certificates from the same issuer?
您说您从两个密钥存储中导出了证书 - 您是否也导出了关联的密钥?
TLS 客户端身份验证也需要密钥。仅靠证书不会让你走得太远。
此外,在为给定连接选择正确的密钥/证书时,您的想法可能会导致问题:您必须确保正确选择它们,通常客户端身份验证密钥/证书对应该仅适用于一个专用服务,因此混合向上键将导致连接尝试被拒绝。
You said you exported the certificates out of both key stores - did you also export the associated keys?
TLS client authentication does need the keys, too. The certificates alone won't get you far.
Additionally, your idea could potentially cause problems when selecting the correct key/certificate for a given connection: you must be sure that you correctly select them, typically a client authentication key/certificate pair is supposed to work only for one dedicated service, so mixing up the keys would result in a rejected connection attempt.