证书未知错误 -- Java 是否使用了 trustStore
Certificate unknown error -- Is trustStore used by Java
使用 JDK 1.4.2,我的服务器端代码尝试通过 Https(用于 reCAPTCHA 验证)连接到 Google URL,但失败了。握手过程似乎在到达链中的 GeoTrust 证书时失败,并出现致命警报 certificate_unknown。我已经使用 keytool 来验证有效的 geotrust 证书是否在信任库中。客户端的证书是自签名的,由 keytool 生成。它似乎还没有涉及到这个错误的地步。我的问题是:
- JDK 版本太旧了吗?
- 我如何确定信任库正在被使用。调试输出在这方面没有任何指示。为了确保安全,我在我的代码中明确设置了信任存储位置。
对于如何让它发挥作用的任何见解,我将不胜感激。谢谢。
我的部分代码:
System.setProperty("javax.net.debug", "all");
debug.println(" -- java home: " + System.getProperty("java.home"));
System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
debug.println(" -- javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
System.setProperty("javax.net.ssl.keyStore", System.getProperty("java.home") + "/lib/security/sl-test.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
URL u = new URL(VERIFY_URL);
HttpsURLConnection urlConn = (HttpsURLConnection)u.openConnection();
debug.println(" -- set params");
urlConn.setRequestMethod("POST");
urlConn.setDoOutput(true);
String params = "secret=" + secretKey + "&response=" + answer + "remoteip=" + remoteIP;
debug.println(" -- write");
DataOutputStream wr = new DataOutputStream(urlConn.getOutputStream());
wr.writeBytes(params);
wr.flush();
...
调试输出:
11/1/16 6:29:59 AM, Debug: -- java home: /usr/local/j2sdk1.4.2_13/jre
11/1/16 6:29:59 AM, Debug: -- javax.net.ssl.trustStore: /usr/local/j2sdk1.4.2_13/jre/lib/security/cacerts
11/1/16 6:29:59 AM, Debug: -- set params
11/1/16 6:29:59 AM, Debug: -- write
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1477941207 bytes = { 45, 37, 131, 243, 221, 171, 180, 252, 49, 49, 23, 95, 184, 46, 27, 142, 123, 251, 231, 191, 36, 237, 192, 105, 13, 131, 247, 18 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
thread-pool-26, WRITE: TLSv1 Handshake, length = 73
thread-pool-26, WRITE: SSLv2 client hello message, length = 98
thread-pool-26, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1477941207 bytes = { 197, 41, 29, 25, 107, 127, 2, 82, 166, 216, 201, 197, 71, 86, 192, 136, 13, 41, 74, 115, 11, 230, 3, 56, 247, 142, 3, 84 }
Session ID: {98, 65, 244, 32, 10, 29, 122, 200, 236, 125, 14, 230, 208, 25, 47, 42, 248, 37, 243, 170, 183, 55, 207, 106, 178, 32, 136, 84, 11, 199, 209, 223}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created: [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
thread-pool-26, READ: TLSv1 Handshake, length = 3081
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
930c0073 cd6105e6 7f838615 e1ec7f03 b6c37090 6768877d 5ca8d3dc f859a602
744ccd31 bff5a67d 15ea0e5a c556191c d7749342 43635694 31377d0f 5a2ac2a7
dc49f4e0 ca19a1f4 d7f41943 e2ce56fc 7638ffa0 e70cef9c 2396e05e b4638987
bb238f06 a0c8b826 05de9310 e717ede8 6e2cfcb1 fab5cea5 9c98a0bd 712a1639
e7dfce2b e6757238 38b995b9 ceb7f73d 944377dd f1ed7fe3 4b881e9f 2b9da8d8
2083552b 07f951f7 ac186edf d3f92d84 47caec93 b5bf34fc 324e7856 af4343b3
c3be2f41 c826cbe5 61eeb2da db22e0e2 b0a61e14 78b3a266 2dd33c38 56b5a28f
615c5e7f 8b75f708 49816aae 09e807b2 a0ecf8e2 632bfe64 03ed38c0 1425c90f
Validity: [From: Wed Oct 26 03:08:50 PDT 2016,
To: Wed Jan 18 01:56:00 PST 2017]
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
SerialNumber: [ 1311feb2 5eb90fa0]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 5C 30 5A 30 2B 06 08 2B 06 01 05 05 07 30 02 .[=12=]Z0+..+.....0.
0010: 86 1F 68 74 74 70 3A 2F 2F 70 6B 69 2E 67 6F 6F ..http://pki.goo
0020: 67 6C 65 2E 63 6F 6D 2F 47 49 41 47 32 2E 63 72 gle.com/GIAG2.cr
0030: 74 30 2B 06 08 2B 06 01 05 05 07 30 01 86 1F 68 t0+..+.....0...h
0040: 74 74 70 3A 2F 2F 63 6C 69 65 6E 74 73 31 2E 67 ttp://clients1.g
0050: 6F 6F 67 6C 65 2E 63 6F 6D 2F 6F 63 73 70 oogle.com/ocsp
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 C0 2B 4A D4 81 93 09 DD 23 15 24 87 95 D4 6A ..+J.....#.$...j
0010: AB 70 CE B3 .p..
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: www.google.com]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [1.2.840.113549.1.1.11]
Signature:
0000: 22 09 AA 59 92 54 50 BF C8 C5 4C 6A DC F5 86 D1 "..Y.TP...Lj....
0010: F8 F3 2A CF C1 72 CB AE 12 A7 3E 0A 88 8E 3D FF ..*..r....>...=.
0020: E3 14 B5 EB E6 EB 36 45 BD E3 86 D9 61 26 21 55 ......6E....a&!U
0030: 1D 6F 28 D9 23 F2 75 13 47 15 C4 ED DF 1A 52 59 .o(.#.u.G.....RY
0040: 36 95 80 17 D4 89 18 8D BC 32 0F FF D8 FA 5E 64 6........2....^d
0050: FA 79 1E B4 60 E1 71 41 8D 7A E7 B8 FF C3 3B 21 .y..`.qA.z....;!
0060: CA 45 62 5B B4 BD 31 F1 7A 74 D2 51 2A 11 98 42 .Eb[..1.zt.Q*..B
0070: 1D 14 F1 1F 44 D9 0B 50 B6 C4 52 4F 79 89 03 47 ....D..P..ROy..G
0080: 96 89 33 E3 FF 21 DF 9D 66 B8 FC 9C 01 86 9C 12 ..3..!..f.......
0090: 4E 86 E1 34 79 4B 27 F9 FE 98 C9 CC 40 A3 15 29 N..4yK'.....@..)
00A0: 4A F6 4B F3 1A 2F E4 F4 B6 8A 97 80 A6 53 70 27 J.K../.......Sp'
00B0: FD 29 B1 6E 6D 5A D2 B6 DE 7A A8 FC C4 1F 54 9C .).nmZ...z....T.
00C0: DB E3 8A 36 96 13 D9 10 11 95 11 F9 8B EF 7B 87 ...6............
00D0: 7E 70 54 B6 06 1B 16 65 91 7A 4D DA C1 17 DE E7 .pT....e.zM.....
00E0: 0D 57 F1 8A 98 BE C8 E7 3E 82 7A 14 C7 B7 3F 7A .W......>.z...?z
00F0: 7F E4 0C 6D 8B 62 E5 4A 94 23 FD 2A 5D A2 4D 4F ...m.b.J.#.*].MO
]
chain [1] = [
[
Version: V3
Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
9c2a0477 5cd85091 3a06a382 e0d85048 bc893ff1 19701a88 467ee08f c5f189ce
21ee5afe 610db732 4489a074 0b534f55 a4ce8262 95eeeb59 5fc6e105 8012c45e
943fbc5b 4838f453 f724e6fb 91e915c4 cff4530d f44afc9f 54de7dbe a06b6f87
c0d0501f 28300340 da087351 6c7fff3a 3ca73706 8ebd4b11 04eb7d24 dee6f9fc
3171fb94 d560f32e 4aaf42d2 cbeac46a 1ab2cc53 dd154b8b 1fc81961 1fcd9da8
3e632b84 35696584 c819c546 22f85395 bee3804a 10c62aec ba972011 c7399910
04a0f061 7a95258c 4e5275e2 b6ed08ca 14fcce22 6ab34ecf 46039797 037ec0b1
de7baf45 33cfba3e 71b7def4 2525c20d 35899d9d fb0e1179 891e37c5 af8e7269
Validity: [From: Tue Mar 31 17:00:00 PDT 2015,
To: Sun Dec 31 15:59:59 PST 2017]
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
SerialNumber: [ 023a92]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 22 30 20 30 1E 06 08 2B 06 01 05 05 07 30 01 ."0 0...+.....0.
0010: 86 12 68 74 74 70 3A 2F 2F 67 2E 73 79 6D 63 64 ..http://g.symcd
0020: 2E 63 6F 6D .com
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://g.symcb.com/crls/gtglobal.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [1.2.840.113549.1.1.11]
Signature:
0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................
0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....
0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..
]
chain [2] = [
[
Version: V3
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
dacc1863 30fdf417 231a567e 5bdf3c6c 38e471b7 7891d4bc a1d84cf8 a843b603
e94d2107 0888da58 2f663929 bd05788b 9d38e805 b76a7e71 a4e6c460 a6b0ef80
e489280f 9e25d6ed 83f3ada6 91c798c9 42183514 9dad9846 922e4fca f18743c1
1695572d 50ef892d 807a57ad f2ee5f6b d2008db9 14f81415 35d9c046 a37b72c8
91bfc955 2bcdd097 3e9c2664 ccdfce83 1971ca4e e6d4d57b a919cd55 dec8ecd2
5e3853e5 5c4f8c2d fe502336 fc66e6cb 8ea43919 00b79502 39910b0e fe382ed1
1d059af6 4d3e6f0f 071daf2c 1e8f6039 e2fa3653 1339d45e 262bdb3d a814bd32
eb180328 520471e5 ab333de1 38bb0736 84629c79 ea1630f4 5fc02be8 716be4f9
Validity: [From: Mon May 20 21:00:00 PDT 2002,
To: Mon Aug 20 21:00:00 PDT 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 12bbe6]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.geotrust.com/crls/secureca.crl]
]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou
0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.
]
***
thread-pool-26, SEND TLSv1 ALERT: fatal, description = certificate_unknown
thread-pool-26, WRITE: TLSv1 Alert, length = 2
thread-pool-26, called closeSocket()
thread-pool-26, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Critical: ReCaptcha.verify(), error: Exception while contacting verification site, exception: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Debug: ReCaptcha.verify(), success ? false
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
... sun.security.validator.ValidatorException: Certificate signature validation failed
问题不是信任库中缺少 CA,而是无法验证签名。算法 1.2.840.113549.1.1.11 指的是 sha256WithRSAEncryption 看起来你的应用程序不理解这个。
虽然此签名算法是在 JDK 1.4.2 中添加的,但还有其他报告具有完全相同的 JDK 版本和相同的问题。如果无法升级到更高的 Java 版本,建议似乎是使用 BouncyCastle。有关详细信息,请参阅 。
使用 JDK 1.4.2,我的服务器端代码尝试通过 Https(用于 reCAPTCHA 验证)连接到 Google URL,但失败了。握手过程似乎在到达链中的 GeoTrust 证书时失败,并出现致命警报 certificate_unknown。我已经使用 keytool 来验证有效的 geotrust 证书是否在信任库中。客户端的证书是自签名的,由 keytool 生成。它似乎还没有涉及到这个错误的地步。我的问题是:
- JDK 版本太旧了吗?
- 我如何确定信任库正在被使用。调试输出在这方面没有任何指示。为了确保安全,我在我的代码中明确设置了信任存储位置。
对于如何让它发挥作用的任何见解,我将不胜感激。谢谢。
我的部分代码:
System.setProperty("javax.net.debug", "all");
debug.println(" -- java home: " + System.getProperty("java.home"));
System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
debug.println(" -- javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
System.setProperty("javax.net.ssl.keyStore", System.getProperty("java.home") + "/lib/security/sl-test.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
URL u = new URL(VERIFY_URL);
HttpsURLConnection urlConn = (HttpsURLConnection)u.openConnection();
debug.println(" -- set params");
urlConn.setRequestMethod("POST");
urlConn.setDoOutput(true);
String params = "secret=" + secretKey + "&response=" + answer + "remoteip=" + remoteIP;
debug.println(" -- write");
DataOutputStream wr = new DataOutputStream(urlConn.getOutputStream());
wr.writeBytes(params);
wr.flush();
...
调试输出:
11/1/16 6:29:59 AM, Debug: -- java home: /usr/local/j2sdk1.4.2_13/jre
11/1/16 6:29:59 AM, Debug: -- javax.net.ssl.trustStore: /usr/local/j2sdk1.4.2_13/jre/lib/security/cacerts
11/1/16 6:29:59 AM, Debug: -- set params
11/1/16 6:29:59 AM, Debug: -- write
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1477941207 bytes = { 45, 37, 131, 243, 221, 171, 180, 252, 49, 49, 23, 95, 184, 46, 27, 142, 123, 251, 231, 191, 36, 237, 192, 105, 13, 131, 247, 18 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
thread-pool-26, WRITE: TLSv1 Handshake, length = 73
thread-pool-26, WRITE: SSLv2 client hello message, length = 98
thread-pool-26, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1477941207 bytes = { 197, 41, 29, 25, 107, 127, 2, 82, 166, 216, 201, 197, 71, 86, 192, 136, 13, 41, 74, 115, 11, 230, 3, 56, 247, 142, 3, 84 }
Session ID: {98, 65, 244, 32, 10, 29, 122, 200, 236, 125, 14, 230, 208, 25, 47, 42, 248, 37, 243, 170, 183, 55, 207, 106, 178, 32, 136, 84, 11, 199, 209, 223}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created: [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
thread-pool-26, READ: TLSv1 Handshake, length = 3081
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
930c0073 cd6105e6 7f838615 e1ec7f03 b6c37090 6768877d 5ca8d3dc f859a602
744ccd31 bff5a67d 15ea0e5a c556191c d7749342 43635694 31377d0f 5a2ac2a7
dc49f4e0 ca19a1f4 d7f41943 e2ce56fc 7638ffa0 e70cef9c 2396e05e b4638987
bb238f06 a0c8b826 05de9310 e717ede8 6e2cfcb1 fab5cea5 9c98a0bd 712a1639
e7dfce2b e6757238 38b995b9 ceb7f73d 944377dd f1ed7fe3 4b881e9f 2b9da8d8
2083552b 07f951f7 ac186edf d3f92d84 47caec93 b5bf34fc 324e7856 af4343b3
c3be2f41 c826cbe5 61eeb2da db22e0e2 b0a61e14 78b3a266 2dd33c38 56b5a28f
615c5e7f 8b75f708 49816aae 09e807b2 a0ecf8e2 632bfe64 03ed38c0 1425c90f
Validity: [From: Wed Oct 26 03:08:50 PDT 2016,
To: Wed Jan 18 01:56:00 PST 2017]
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
SerialNumber: [ 1311feb2 5eb90fa0]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 5C 30 5A 30 2B 06 08 2B 06 01 05 05 07 30 02 .[=12=]Z0+..+.....0.
0010: 86 1F 68 74 74 70 3A 2F 2F 70 6B 69 2E 67 6F 6F ..http://pki.goo
0020: 67 6C 65 2E 63 6F 6D 2F 47 49 41 47 32 2E 63 72 gle.com/GIAG2.cr
0030: 74 30 2B 06 08 2B 06 01 05 05 07 30 01 86 1F 68 t0+..+.....0...h
0040: 74 74 70 3A 2F 2F 63 6C 69 65 6E 74 73 31 2E 67 ttp://clients1.g
0050: 6F 6F 67 6C 65 2E 63 6F 6D 2F 6F 63 73 70 oogle.com/ocsp
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 C0 2B 4A D4 81 93 09 DD 23 15 24 87 95 D4 6A ..+J.....#.$...j
0010: AB 70 CE B3 .p..
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki.google.com/GIAG2.crl]
]]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: www.google.com]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[8]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
]
Algorithm: [1.2.840.113549.1.1.11]
Signature:
0000: 22 09 AA 59 92 54 50 BF C8 C5 4C 6A DC F5 86 D1 "..Y.TP...Lj....
0010: F8 F3 2A CF C1 72 CB AE 12 A7 3E 0A 88 8E 3D FF ..*..r....>...=.
0020: E3 14 B5 EB E6 EB 36 45 BD E3 86 D9 61 26 21 55 ......6E....a&!U
0030: 1D 6F 28 D9 23 F2 75 13 47 15 C4 ED DF 1A 52 59 .o(.#.u.G.....RY
0040: 36 95 80 17 D4 89 18 8D BC 32 0F FF D8 FA 5E 64 6........2....^d
0050: FA 79 1E B4 60 E1 71 41 8D 7A E7 B8 FF C3 3B 21 .y..`.qA.z....;!
0060: CA 45 62 5B B4 BD 31 F1 7A 74 D2 51 2A 11 98 42 .Eb[..1.zt.Q*..B
0070: 1D 14 F1 1F 44 D9 0B 50 B6 C4 52 4F 79 89 03 47 ....D..P..ROy..G
0080: 96 89 33 E3 FF 21 DF 9D 66 B8 FC 9C 01 86 9C 12 ..3..!..f.......
0090: 4E 86 E1 34 79 4B 27 F9 FE 98 C9 CC 40 A3 15 29 N..4yK'.....@..)
00A0: 4A F6 4B F3 1A 2F E4 F4 B6 8A 97 80 A6 53 70 27 J.K../.......Sp'
00B0: FD 29 B1 6E 6D 5A D2 B6 DE 7A A8 FC C4 1F 54 9C .).nmZ...z....T.
00C0: DB E3 8A 36 96 13 D9 10 11 95 11 F9 8B EF 7B 87 ...6............
00D0: 7E 70 54 B6 06 1B 16 65 91 7A 4D DA C1 17 DE E7 .pT....e.zM.....
00E0: 0D 57 F1 8A 98 BE C8 E7 3E 82 7A 14 C7 B7 3F 7A .W......>.z...?z
00F0: 7F E4 0C 6D 8B 62 E5 4A 94 23 FD 2A 5D A2 4D 4F ...m.b.J.#.*].MO
]
chain [1] = [
[
Version: V3
Subject: CN=Google Internet Authority G2, O=Google Inc, C=US
Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
9c2a0477 5cd85091 3a06a382 e0d85048 bc893ff1 19701a88 467ee08f c5f189ce
21ee5afe 610db732 4489a074 0b534f55 a4ce8262 95eeeb59 5fc6e105 8012c45e
943fbc5b 4838f453 f724e6fb 91e915c4 cff4530d f44afc9f 54de7dbe a06b6f87
c0d0501f 28300340 da087351 6c7fff3a 3ca73706 8ebd4b11 04eb7d24 dee6f9fc
3171fb94 d560f32e 4aaf42d2 cbeac46a 1ab2cc53 dd154b8b 1fc81961 1fcd9da8
3e632b84 35696584 c819c546 22f85395 bee3804a 10c62aec ba972011 c7399910
04a0f061 7a95258c 4e5275e2 b6ed08ca 14fcce22 6ab34ecf 46039797 037ec0b1
de7baf45 33cfba3e 71b7def4 2525c20d 35899d9d fb0e1179 891e37c5 af8e7269
Validity: [From: Tue Mar 31 17:00:00 PDT 2015,
To: Sun Dec 31 15:59:59 PST 2017]
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
SerialNumber: [ 023a92]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 22 30 20 30 1E 06 08 2B 06 01 05 05 07 30 01 ."0 0...+.....0.
0010: 86 12 68 74 74 70 3A 2F 2F 67 2E 73 79 6D 63 64 ..http://g.symcd
0020: 2E 63 6F 6D .com
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.
0010: BA 5A 81 2F .Z./
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://g.symcb.com/crls/gtglobal.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1]
[] ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
]
Algorithm: [1.2.840.113549.1.1.11]
Signature:
0000: 08 4E 04 A7 80 7F 10 16 43 5E 02 AD D7 42 80 F4 .N......C^...B..
0010: B0 8E D2 AE B3 EB 11 7D 90 84 18 7D E7 90 15 FB ................
0020: 49 7F A8 99 05 91 BB 7A C9 D6 3C 37 18 09 9A B6 I......z..<7....
0030: C7 92 20 07 35 33 09 E4 28 63 72 0D B4 E0 32 9C .. .53..(cr...2.
0040: 87 98 C4 1B 76 89 67 C1 50 58 B0 13 AA 13 1A 1B ....v.g.PX......
0050: 32 A5 BE EA 11 95 4C 48 63 49 E9 99 5D 20 37 CC 2.....LHcI..] 7.
0060: FE 2A 69 51 16 95 4B A9 DE 49 82 C0 10 70 F4 2C .*iQ..K..I...p.,
0070: F3 EC BC 24 24 D0 4E AC A5 D9 5E 1E 6D 92 C1 A7 ...$$.N...^.m...
0080: AC 48 35 81 F9 E5 E4 9C 65 69 CD 87 A4 41 50 3F .H5.....ei...AP?
0090: 2E 57 A5 91 51 12 58 0E 8C 09 A1 AC 7A A4 12 A5 .W..Q.X.....z...
00A0: 27 F3 9A 10 97 7D 55 03 06 F7 66 58 5F 5F 64 E1 '.....U...fX__d.
00B0: AB 5D 6D A5 39 48 75 98 4C 29 5A 3A 8D D3 2B CA .]m.9Hu.L)Z:..+.
00C0: 9C 55 04 BF F4 E6 14 D5 80 AC 26 ED 17 89 A6 93 .U........&.....
00D0: 6C 5C A4 CC B8 F0 66 8E 64 E3 7D 9A E2 00 B3 49 l\....f.d......I
00E0: C7 E4 0A AA DD 5B 83 C7 70 90 46 4E BE D0 DB 59 .....[..p.FN...Y
00F0: 96 6C 2E F5 16 36 DE 71 CC 01 C2 12 C1 21 C6 16 .l...6.q.....!..
]
chain [2] = [
[
Version: V3
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
dacc1863 30fdf417 231a567e 5bdf3c6c 38e471b7 7891d4bc a1d84cf8 a843b603
e94d2107 0888da58 2f663929 bd05788b 9d38e805 b76a7e71 a4e6c460 a6b0ef80
e489280f 9e25d6ed 83f3ada6 91c798c9 42183514 9dad9846 922e4fca f18743c1
1695572d 50ef892d 807a57ad f2ee5f6b d2008db9 14f81415 35d9c046 a37b72c8
91bfc955 2bcdd097 3e9c2664 ccdfce83 1971ca4e e6d4d57b a919cd55 dec8ecd2
5e3853e5 5c4f8c2d fe502336 fc66e6cb 8ea43919 00b79502 39910b0e fe382ed1
1d059af6 4d3e6f0f 071daf2c 1e8f6039 e2fa3653 1339d45e 262bdb3d a814bd32
eb180328 520471e5 ab333de1 38bb0736 84629c79 ea1630f4 5fc02be8 716be4f9
Validity: [From: Mon May 20 21:00:00 PDT 2002,
To: Mon Aug 20 21:00:00 PDT 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 12bbe6]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e
0010: B8 CA CC 4E ...N
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.geotrust.com/crls/secureca.crl]
]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge
0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou
0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository
]] ]
]
[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
[6]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......
0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....
0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.6
0030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\
0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....
0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo
0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._
0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.
]
***
thread-pool-26, SEND TLSv1 ALERT: fatal, description = certificate_unknown
thread-pool-26, WRITE: TLSv1 Alert, length = 2
thread-pool-26, called closeSocket()
thread-pool-26, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Critical: ReCaptcha.verify(), error: Exception while contacting verification site, exception: sun.security.validator.ValidatorException: Certificate signature validation failed
11/1/16 6:29:59 AM, Debug: ReCaptcha.verify(), success ? false
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11
... sun.security.validator.ValidatorException: Certificate signature validation failed
问题不是信任库中缺少 CA,而是无法验证签名。算法 1.2.840.113549.1.1.11 指的是 sha256WithRSAEncryption 看起来你的应用程序不理解这个。
虽然此签名算法是在 JDK 1.4.2 中添加的,但还有其他报告具有完全相同的 JDK 版本和相同的问题。如果无法升级到更高的 Java 版本,建议似乎是使用 BouncyCastle。有关详细信息,请参阅