我有两个客户端 pkcs12 keystore 。我从这两个证书中导出了证书,并使用 keyman 将它们添加到新的 jks 中。奇怪的是,每个 keystore 单独工作正常,但是当我将它们组合成一个 keystore 时,对每个客户端的两次调用都失败并显示
<pre><code>org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Handshake, length = 32
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, handling exception: java.net.SocketException: Connection reset
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, WRITE: TLSv1 Alert, length = 18
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, Exception sending alert: java.net.SocketException: Broken pipe
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeSocket()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called close()
org.springframework.jms.listener.DefaultMessageListenerContainer#0-1, called closeInternal(true)
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:632)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody4(HttpRequestUtil.java:140)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody5$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody2(HttpRequestUtil.java:89)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post_aroundBody3$advice(HttpRequestUtil.java:65)
at com.att.socialnetworkingmanager.util.HttpRequestUtil.post(HttpRequestUtil.java:1)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody0(SocialNetworkingAuthenticationImpl.java:87)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken_aroundBody1$advice(SocialNetworkingAuthenticationImpl.java:65)
at com.att.socialnetworkingmanager.sng.impl.SocialNetworkingAuthenticationImpl.getSngAccessToken(SocialNetworkingAuthenticationImpl.java:1)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody0(UploadManagerImpl.java:61)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng_aroundBody1$advice(UploadManagerImpl.java:65)
at com.att.socialnetworkingmanager.service.impl.UploadManagerImpl.sendToSng(UploadManagerImpl.java:1)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody0(SocialNetworkingManagerQueueListener.java:52)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage_aroundBody1$advice(SocialNetworkingManagerQueueListener.java:65)
at com.att.socialnetworkingmanager.jms.SocialNetworkingManagerQueueListener.onMessage(SocialNetworkingManagerQueueListener.java:1)
at org.springframework.jms.listener.adapter.MessageListenerAdapter.onMessage(MessageListenerAdapter.java:343)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:518)
at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:479)
at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:451)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:323)
at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:261)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:982)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:974)
at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:876)
at java.lang.Thread.run(Thread.java:662)</code></pre>
我不确定发生了什么,因为我以前做过。合并来自两个客户端的证书时为什么会失败?
最佳答案
您说您从两个 keystore 中导出了证书 - 您是否也导出了关联的 key ?
TLS 客户端身份验证也需要 key 。光靠证书不会让你走得太远。
此外,在为给定连接选择正确的 key /证书时,您的想法可能会导致问题:您必须确保正确选择它们,通常客户端身份验证 key /证书对应该仅适用于一个专用服务,因此混淆 key 会导致连接尝试被拒绝。
关于security - 在 jks (ssl) 中使用多个 key 时出现问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/7640243/