java - SOAP 适配器的 SSL 握手失败

标签 java ssl soap jetty

我们有一个第三方应用程序,它有一个使用 Jetty 6.1 构建的 soap 适配器。应用程序通过 SOAP 适配器通过 SSL 从 .Net 应用程序获取入站请求。

最近 SSL 证书过期,安全团队已将新证书添加到信任库。

问题是 Jetty 获取了所有证书的列表,但只使用了第一个(已过期)并且握手失败。

以下是一些日志片段。几行被标记为 xxxxxxxxx 以隐藏文本。

这显示了 3 个别名,第一个已于 2017 年 10 月 8 日过期。

JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
matching alias: 44240-xxxx-xxxxx-xxxxxx-org
matching alias: 111824-xxxx-xxxxx-xxxxxx-org
matching alias: 109491-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias 44240-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true

**%% Negotiating:  [Session-1, SSL_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1491745993 bytes = { 73, 37, 191, 131, 31, 235, 131, 242, 96, 119, 124, 73, 57, 221, 38, 112, 19, 216, 144, 221, 184, 25, 181, 210, 229, 39, 62, 50 }
Session ID:  {89, 234, 61, 201, 31, 215, 166, 2, 132, 100, 188, 234, 63, 57, 167, 114, 199, 190, 119, 228, 154, 176, 153, 236, 115, 222, 35, 98, 53, 182, 88, 140}
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
Cipher suite:  SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxx-xxxxx-xxxxxx.org, OU=TreSOAP Server Test-PROD Primary, O=XXXX-XXXXX - internal dmz, L=Saint Louis, ST=Missouri, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  IBMPKCS11Impl RSA Public Key: 
 Token: false
 Private: false
 Label: IBMPKCS1162112826090763885165327
 Modifiable: true
 KeyType: 0
 ID: 
 Start Date: Wed Dec 31 17:59:59 CST 1969
 End Date: Wed Dec 31 17:59:59 CST 1969
 Derive: false
 Local: false
 Subject: 
 Encrypt: true
 Verify: true
 VerifyRecover: true
 Wrap: true
 modulus: 26606850225087850589932908027067524318268268224826270839465320725092268136382373728617246685378243753417909514269416692823470338958771068354701078301334195882971493513282715502700026787422539437203244486983379743077668035555448903482759728453372918271687510462097996374206565621965829077017536736170426765991639165149047482746818974654077122772442139310513169191565788646178636478714837968871155118100289147723685748486274263964655017819372517057114974155848311538134591086912352063631149931407513232621741060410510212626457131410022996185588768438731050436344397255226489472133617477053078911021189068729861786067773
 modulus bits: 2048
 public exponent: 65537
  Validity: [From: Wed Oct 09 12:59:36 CDT 2013,
               To: Sun Oct 08 12:49:19 CDT 2017]
  Issuer: CN=MC Internal Zone Applications sub CA, OU=Global Information Security, O=XXXX, DC=xxxx, DC=com
  SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: cf 53 c3 63 61 83 f7 cd  4c 99 6a af 72 16 63 ee  .S.ca...L.j.r.c.
0010: 63 48 23 2c                                        cH..
]

[CN=Internal Zone Applications root CA, OU=Global Information Security, O=XXXX XXXX, DC=xxxx, DC=com]
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxx]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
    1.3.6.1.5.5.7.3.1   1.3.6.1.5.5.7.3.2]

[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8b 74 8c b4 9e 21 d6 dd  86 f0 51 5f 77 c0 21 52  .t........Q.w..R
0010: 78 ab a8 2a                                        x...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

]
***
*** ServerHelloDone
301601274@qtp-1542806517-9, WRITE: TLSv1 Handshake, length = 1443
301601274@qtp-1542806517-9, READ: TLSv1 Alert, length = 2
301601274@qtp-1542806517-9, RECV TLSv1 ALERT:  fatal, handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure**

需要专家的帮助来找出问题所在。

最佳答案

问题出在应用程序中被覆盖以支持 HSM 的 SslSelectChannelConnector,但是 jetty 版本已更新,支持新版本 jetty 的更改未包含在覆盖类中。

关于java - SOAP 适配器的 SSL 握手失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46923825/

上一篇:java - 相互认证 (SSL) 设置 Java 堆栈(生产云)

下一篇:ssl - 我怎样才能让 Heroku 的 SSL 功能,证书 :auto, 为我的非 www 域工作?

相关文章:

PHP curl : "Unknown cipher in list"

java - 调试 Web 服务请求

perl - 如何更改在 perl 中生成 SOAP::Lite 请求的 xml 元素的顺序?

java - 对私有(private)和公共(public)的使用感到困惑

java - 以预设的纵横比和宽度/高度裁剪图像并保存

java - getClass().getResource + Tomcat + hibernate

java - 如何在 Spring MVC 中添加包含 PathVariable 的重定向 url

java - 在 CertificateVerify 步骤之后,两种方式 SSL 握手失败 (javax.net.ssl.SSLHandshakeException),同时更改为新建立的密码套件

http - 主机名验证和证书验证的 akka http SSLConfig 问题

c# - 在 WP7 中使用 JSON 代替 SOAP

©2024 IT工具网  联系我们