Java TLS 1.2 mutual authentication ends in a timeout

Tags: java ssl timeout tls1.2

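I am trying to connect a client and a server over TLS 1.2. The client does not accept cipher suite negotiation, and I don't know how to handle this.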

I enabled SSL debug logging with the JVM argument javax.net.debug=SSL,handshake and can see that the server receives the ClientHello. The server does the following:

Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Thread-1 (activemq-netty-threads), READ: TLSv1.2 Handshake, length = 59
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1608433540 bytes = { BYTES }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA
***
Warning: No renegotiation indication in ClientHello, allow legacy ClientHello
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
Standard ciphersuite chosen: TLS_RSA_WITH_AES_256_CBC_SHA256
%% Negotiating:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1517787192 bytes = { BYTES }
Session ID:  {BYTES}
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Compression Method: 0
***
Cipher suite:  TLS_RSA_WITH_AES_256_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=subject_cn, O=subject_o, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 2048 bits
modulus: 29015987492349369229882970151237521665167957662510378450862540616622071854222726707712019298238587360512255793898937171225998663963095565298176277746307308842731113381493806617809755872635884654331768273583706812260841747492158530339516600730782510664549590782759663576346514054669279219650747333448381861327917816304051329475151462041391594291646947378495917447126780576974145276677671320013905217999988910738893500705389080299683007424691979475125418370308532635617504805014524719693897613122508271520133389717960149085839400280013902677341336202478008173403581601539568993773406783352636080748784965572598933438447
public exponent: 65537
Validity: [From: Fri Feb 02 19:20:34 WET 2018,
          To: Mon Jan 31 19:20:34 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    1007]

Certificate Extensions: 7
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
<OCTET STRING>


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT]
SerialNumber: [    84adba39 85c4a2c4]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<KEY IDENTIFIER>
]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>

]
chain [1] = [
[
Version: V1
Subject: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 4096 bits
modulus: 772642972303139838780709148958585369659263236466933975897684608521412098825919189354237122454024585440305346976195938447521179283381402256724407054886816122118702558876139603031503190893817256531731958885366418340075851175803932561840988978766750003938437503102425392846313350005528280678493861097867478907543592485376687739703952658746973265147862493215415696011008301372003730539214411254074488082192462310249699822199576712038207915612588146080682804726455410692837994635705721729847523735628418454502509894132524292922941334882301489573844052552145914371526175890068045278020298478426818036308867221570421452322486667351819099655095021674741234831795961314884813355920169539988863996321182070870364027323542460568464832570843818187525195851314441942294150743131343242106153746613659600974062131919507399729814610624864380422021048112964111616176710483770153874039347998021176496290178692983179619474804643147525920703982570793650375904590665612945490822575557619964743315412570783968475614249318137708703870150763126150252670464204907333319211805038483983840672999153429362303177433070797659970548018701110361935770595827178549690448631362303751647551358010951561847167019220036401389512936125354700325811813665747108156298237309
public exponent: 65537
Validity: [From: Fri Feb 02 11:41:04 WET 2018,
          To: Mon Jan 31 11:41:04 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    84adba39 85c4a2c4]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>

]
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT>
*** ServerHelloDone
Thread-1 (activemq-netty-threads), WRITE: TLSv1.2 Handshake, length = 3079
Thread-1 (activemq-netty-threads), READ: TLSv1.2 Handshake, length = 1334
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=TEST01, O=subject_o, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 2048 bits
modulus: 23134801789439862758953434230286154428814279768287853373499436058114736605743710581551280904839901482179662922876777231282777161173622884062408603327815353852276746627442616624413051854717848004045100943694213226807191957763926809531243084935999278428818652492245444444875525639174280359137699705345587701327165516736271203211172284295019741808522601433815546974135394180726046632154867451842242323720019201204422829291922595592652513130397989212564095314679373054695806353606791437720734936324903589933612434115278813888829413855391631779541732018467103609097525698250908638923388363014150370482350492152108210301927
public exponent: 65537
Validity: [From: Mon Feb 05 09:04:16 WET 2018,
          To: Thu Feb 03 09:04:16 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    1014]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT]
SerialNumber: [    84adba39 85c4a2c4]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<key identifier>
]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>

]
***
Found trusted certificate:
[
[
Version: V1
Subject: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 4096 bits
modulus: 772642972303139838780709148958585369659263236466933975897684608521412098825919189354237122454024585440305346976195938447521179283381402256724407054886816122118702558876139603031503190893817256531731958885366418340075851175803932561840988978766750003938437503102425392846313350005528280678493861097867478907543592485376687739703952658746973265147862493215415696011008301372003730539214411254074488082192462310249699822199576712038207915612588146080682804726455410692837994635705721729847523735628418454502509894132524292922941334882301489573844052552145914371526175890068045278020298478426818036308867221570421452322486667351819099655095021674741234831795961314884813355920169539988863996321182070870364027323542460568464832570843818187525195851314441942294150743131343242106153746613659600974062131919507399729814610624864380422021048112964111616176710483770153874039347998021176496290178692983179619474804643147525920703982570793650375904590665612945490822575557619964743315412570783968475614249318137708703870150763126150252670464204907333319211805038483983840672999153429362303177433070797659970548018701110361935770595827178549690448631362303751647551358010951561847167019220036401389512936125354700325811813665747108156298237309
public exponent: 65537
Validity: [From: Fri Feb 02 11:41:04 WET 2018,
          To: Mon Jan 31 11:41:04 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    84adba39 85c4a2c4]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>

]
Thread-1 (activemq-netty-threads), READ: TLSv1.2 Handshake, length = 262
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
SESSION KEYGEN:
PreMaster Secret:
<SECRET>
CONNECTION KEYGEN:
Client Nonce:
<CLIENT NONCE>
Server Nonce:
<SERVER NONCE>
Master Secret:
<MASTER SECRET>
Client MAC write Secret:
<CLIENT MAC SECRET>
Server MAC write Secret:
<SERVER MAC SECRET>
Client write key:
<CLIENT KEY>
Server write key:
<SERVER KEY>
... no IV derived for this protocol
***
found key for : 1
chain [0] = [
[
Version: V3
Subject: CN=subject_cn, O=subject_o, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 2048 bits
modulus: 29015987492349369229882970151237521665167957662510378450862540616622071854222726707712019298238587360512255793898937171225998663963095565298176277746307308842731113381493806617809755872635884654331768273583706812260841747492158530339516600730782510664549590782759663576346514054669279219650747333448381861327917816304051329475151462041391594291646947378495917447126780576974145276677671320013905217999988910738893500705389080299683007424691979475125418370308532635617504805014524719693897613122508271520133389717960149085839400280013902677341336202478008173403581601539568993773406783352636080748784965572598933438447
public exponent: 65537
Validity: [From: Fri Feb 02 19:20:34 WET 2018,
          To: Mon Jan 31 19:20:34 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    1007]

Certificate Extensions: 7
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
<OCTET STRING>


[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT]
SerialNumber: [    84adba39 85c4a2c4]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]

[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<KEY IDENTIFIER>
]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>
]
chain [1] = [
[
Version: V1
Subject: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key:  Sun RSA public key, 4096 bits
modulus: 772642972303139838780709148958585369659263236466933975897684608521412098825919189354237122454024585440305346976195938447521179283381402256724407054886816122118702558876139603031503190893817256531731958885366418340075851175803932561840988978766750003938437503102425392846313350005528280678493861097867478907543592485376687739703952658746973265147862493215415696011008301372003730539214411254074488082192462310249699822199576712038207915612588146080682804726455410692837994635705721729847523735628418454502509894132524292922941334882301489573844052552145914371526175890068045278020298478426818036308867221570421452322486667351819099655095021674741234831795961314884813355920169539988863996321182070870364027323542460568464832570843818187525195851314441942294150743131343242106153746613659600974062131919507399729814610624864380422021048112964111616176710483770153874039347998021176496290178692983179619474804643147525920703982570793650375904590665612945490822575557619964743315412570783968475614249318137708703870150763126150252670464204907333319211805038483983840672999153429362303177433070797659970548018701110361935770595827178549690448631362303751647551358010951561847167019220036401389512936125354700325811813665747108156298237309
public exponent: 65537
Validity: [From: Fri Feb 02 11:41:04 WET 2018,
          To: Mon Jan 31 11:41:04 WET 2028]
Issuer: EMAILADDRESS=email@some.com, OU=some.com, O=subject_o, L=LOCATION, ST=PT, C=PT
SerialNumber: [    84adba39 85c4a2c4]

]
Algorithm: [SHA256withRSA]
Signature:
<SIGNATURE>
]

Eventually it times out and the SSL connection is not completed.

I have already tried adding the following properties to the JVM:

  • sun.security.ssl.allowUnsafeRenegotiation=true
  • sun.security.ssl.allowLegacyHelloMessages=true

I think it is missing the "Finished" phase of SSL 2-way authentication.

Can you help me understand what went wrong?

Best answer

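I found the problem. The server was not reading the handshake timeout property and was using the default value, and as a result it rejected the connection. I changed the server code (an open source project) and the timeout is fixed.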
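
When a handshake dies on a timeout, the debug log shows which message the server saw last and which ones never arrived. The following is an added example, not code from the original post or from the server project: it walks the `*** Name` markers of a javax.net.debug log and reports where a TLS 1.2 mutual-authentication handshake with RSA key exchange stopped. The function names and the abridged sample log are constructed here, and the `CertificateVerify` and `Finished` markers are assumed to use the same `*** Name` form as the messages in the log above.

```python
import re

# Server-side view of a full TLS 1.2 handshake with client authentication and
# RSA key exchange: (sender, message), message names per RFC 5246.
EXPECTED = [
    ("client", "ClientHello"), ("server", "ServerHello"),
    ("server", "Certificate"), ("server", "CertificateRequest"),
    ("server", "ServerHelloDone"), ("client", "Certificate"),
    ("client", "ClientKeyExchange"), ("client", "CertificateVerify"),
    ("client", "Finished"), ("server", "Finished"),
]
MARKER = re.compile(r"^\*\*\* ([A-Za-z]+)")

def handshake_messages(log_text):
    """Return handshake message names in the order the debug log shows them."""
    names = []
    for line in log_text.splitlines():
        m = MARKER.match(line.strip())
        if m:  # a bare "***" terminator line does not match
            names.append(m.group(1))
    return names

def stall_point(log_text):
    """Return (last expected message seen, [(sender, message)] still missing)."""
    pos = 0
    for name in handshake_messages(log_text):
        if pos < len(EXPECTED) and name == EXPECTED[pos][1]:
            pos += 1
    last = EXPECTED[pos - 1][1] if pos else None
    return last, EXPECTED[pos:]

# Constructed sample: the marker lines of a server log, abridged to structure.
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
***
*** ServerHello, TLSv1.2
***
*** Certificate chain
***
*** CertificateRequest
*** ServerHelloDone
Thread-1 (activemq-netty-threads), READ: TLSv1.2 Handshake, length = 1334
*** Certificate chain
***
Thread-1 (activemq-netty-threads), READ: TLSv1.2 Handshake, length = 262
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
***
"""

if __name__ == "__main__":
    last, missing = stall_point(SAMPLE_LOG)
    print("last message seen:", last)
    for sender, name in missing:
        print("missing:", name, "from", sender)
```
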

Regarding Java TLS 1.2 mutual authentication ending in a timeout, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/48628238/
