使用 Apache HttpClient 发送带有 SSL 身份验证的 HTTP 请求
Sending HTTP request with SSL authontication using Apache HttpClient
我是 Java 中 SSL 身份验证和 Httpclient 请求主题的新手。而且我需要执行与服务提供商的安全连接,以便能够从服务提供商 api.
获取一些数据
我现在所在的位置:
我制作了一个 .jks 密钥库,其中包含我已发送给远程服务提供商的私钥和 csr 请求。我有一个签名的 .cer 证书。到目前为止,我已经通过将私钥导出到 pem 文件并在 Postman 设置中通过 CRT+KEY+Keypassword 设置客户端证书,在我的 Postman 中对其进行了测试。请求 运行 就好了。现在,我必须使用 Java 来解决这个问题,并且我之前已经使用 Apache fluent-hc 发送未经身份验证的 POST 请求。
我应该采取什么措施来实施客户端证书保护的 HTTP 请求?
更新。到目前为止,我已经用谷歌搜索了下一步:
我使用 PrivateKey 将我的 .CER 签名证书导入现有的 jks 密钥库:
keytool -importcert -file ./signed.cer -keystore trusted.jks -alias mykey
列出密钥库时,我得到两个条目:PrivateKeyEntry 和 trustedCertEntry
然后我从资源加载我的密钥库:
public KeyStore loadKeyStore() throws Exception {
KeyStore keystore = KeyStore.getInstance("JKS");
try (InputStream is = new ClassPathResource(authProperties.getKeyStore()
+ ".jks").getInputStream()) {
keystore.load(is, authProperties.getKeyPass().toCharArray());
}
return keystore;
}
加载好像没问题,我测试了一下,私钥和证书都拿到了。但不是证书链,不确定我这里是否需要。
然后我创建一个 SSLContext 并从同一个密钥库加载 TrustMaterial 和 KeyMaterial:
public SSLContext loadSSLContext() throws Exception {
return new SSLContextBuilder()
.loadTrustMaterial(loadKeyStore(), (x509Certificates, s) -> true)
.loadKeyMaterial(loadKeyStore(), authProperties.getKeyPass().toCharArray())
.build();
}
然后,我创建一个 SSLConnectionSocketFactory:
SSLContext context = loadSSLContext();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(context,
new NoopHostnameVerifier());
我使用 SSLConnectionSocketFactory 创建了一个 CloseableHttpClient:
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
并执行 GET 请求:
HttpGet request = new HttpGet("/private/openapi");
HttpResponse httpresponse = httpclient.execute(request);
当运行这个的时候,我得到了
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
可能是什么原因?这个问题我google了一下,好像主要是协议和密码套件不匹配。我不确定,是否是我的情况。
请帮助,任何想法或链接将不胜感激!
这是堆栈跟踪和调试输出(请忽略奇怪的 ip 地址):
16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >>
CONNECT api.serviceprovider.com:443 HTTP/1.1 16:46:08.727 [main] DEBUG
org.apache.http.headers - http-outgoing-0 >> Host:
api.serviceprovider.com:443 16:46:08.727 [main] DEBUG
org.apache.http.headers - http-outgoing-0 >> User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.727 [main] DEBUG
org.apache.http.wire - http-outgoing-0 >> "CONNECT
api.serviceprovider.com:443 HTTP/1.1[\r][\n]" 16:46:08.727 [main]
DEBUG org.apache.http.wire - http-outgoing-0 >> "Host:
api.serviceprovider.com:443[\r][\n]" 16:46:08.727 [main] DEBUG
org.apache.http.wire - http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.727 [main]
DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
16:46:08.878 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"HTTP/1.1 200 Connection established[\r][\n]" 16:46:08.879 [main]
DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
16:46:08.880 [main] DEBUG org.apache.http.headers - http-outgoing-0 <<
HTTP/1.1 200 Connection established 16:46:08.881 [main] DEBUG
org.apache.http.impl.execchain.MainClientExec - Tunnel to target
created. 16:46:08.906 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled
protocols: [TLSv1, TLSv1.1, TLSv1.2] 16:46:08.906 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher
suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 16:46:08.906 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting
handshake 16:46:08.997 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure session
established 16:46:08.997 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated
protocol: TLSv1.2 16:46:08.997 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated
cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 16:46:08.998
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
peer principal: CN=api.serviceprovider.com, OU=IT Department,
O=ServiceProv, L=Moscow, C=RU 16:46:08.998 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer
alternative names: [api.serviceprovider.com,
developer.serviceprovider.com] 16:46:08.999 [main] DEBUG
org.apache.http.conn.ssl.SSLConnectionSocketFactory - issuer
principal: CN=Thawte TLS RSA CA G1, OU=www.digicert.com, O=DigiCert
Inc, C=US 16:46:08.999 [main] DEBUG
org.apache.http.impl.execchain.MainClientExec - Executing request GET
/private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG
org.apache.http.impl.execchain.MainClientExec - Target auth state:
UNCHALLENGED 16:46:08.999 [main] DEBUG org.apache.http.headers -
http-outgoing-0 >> GET /private/openapi HTTP/1.1 16:46:08.999 [main]
DEBUG org.apache.http.headers - http-outgoing-0 >> Host:
api.serviceprovider.com:443 16:46:08.999 [main] DEBUG
org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >>
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.999
[main] DEBUG org.apache.http.headers - http-outgoing-0 >>
Accept-Encoding: gzip,deflate 16:46:08.999 [main] DEBUG
org.apache.http.wire - http-outgoing-0 >> "GET /private/openapi
HTTP/1.1[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire -
http-outgoing-0 >> "Host: api.serviceprovider.com:443[\r][\n]"
16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Connection: Keep-Alive[\r][\n]" 16:46:08.999 [main] DEBUG
org.apache.http.wire - http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.999 [main]
DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire -
http-outgoing-0 >> "[\r][\n]" 16:46:09.037 [main] DEBUG
org.apache.http.wire - http-outgoing-0 << "[read] I/O error: Received
fatal alert: handshake_failure" 16:46:09.037 [main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-0: Close connection 16:46:09.037 [main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-0: Shutdown connection 16:46:09.037 [main] DEBUG
org.apache.http.impl.execchain.MainClientExec - Connection discarded
16:46:09.038 [main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection released: [id: 0][route:
{tls}->http://x.x.x.120:8080->https://api.serviceprovider.com:443][total
kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at
sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at
sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020) at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127) at
sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:933)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at
org.apache.http.impl.conn.LoggingInputStream.read(LoggingInputStream.java:84)
at
org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
at
org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
at
org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:282)
at
org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138)
at
org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
at
org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)
at
org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)
at
org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165)
at
org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273)
at
org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272)
at
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118)
at
ru.bcs.creditmarkt.delivery.adapter.ServProvAuthTest.testConn(ServProvAuthTest.java:99)
问题已解决。问题出在 jks 密钥库中,而不是代码中。我已经导入了客户端证书,但它也需要一个带有根证书的证书链。一旦导入了带有客户端证书的整个链,它就可以工作了。
我是 Java 中 SSL 身份验证和 Httpclient 请求主题的新手。而且我需要执行与服务提供商的安全连接,以便能够从服务提供商 api.
获取一些数据我现在所在的位置:
我制作了一个 .jks 密钥库,其中包含我已发送给远程服务提供商的私钥和 csr 请求。我有一个签名的 .cer 证书。到目前为止,我已经通过将私钥导出到 pem 文件并在 Postman 设置中通过 CRT+KEY+Keypassword 设置客户端证书,在我的 Postman 中对其进行了测试。请求 运行 就好了。现在,我必须使用 Java 来解决这个问题,并且我之前已经使用 Apache fluent-hc 发送未经身份验证的 POST 请求。 我应该采取什么措施来实施客户端证书保护的 HTTP 请求?
更新。到目前为止,我已经用谷歌搜索了下一步:
我使用 PrivateKey 将我的 .CER 签名证书导入现有的 jks 密钥库:
keytool -importcert -file ./signed.cer -keystore trusted.jks -alias mykey
列出密钥库时,我得到两个条目:PrivateKeyEntry 和 trustedCertEntry
然后我从资源加载我的密钥库:
public KeyStore loadKeyStore() throws Exception {
KeyStore keystore = KeyStore.getInstance("JKS");
try (InputStream is = new ClassPathResource(authProperties.getKeyStore()
+ ".jks").getInputStream()) {
keystore.load(is, authProperties.getKeyPass().toCharArray());
}
return keystore;
}
加载好像没问题,我测试了一下,私钥和证书都拿到了。但不是证书链,不确定我这里是否需要。
然后我创建一个 SSLContext 并从同一个密钥库加载 TrustMaterial 和 KeyMaterial:
public SSLContext loadSSLContext() throws Exception {
return new SSLContextBuilder()
.loadTrustMaterial(loadKeyStore(), (x509Certificates, s) -> true)
.loadKeyMaterial(loadKeyStore(), authProperties.getKeyPass().toCharArray())
.build();
}
然后,我创建一个 SSLConnectionSocketFactory:
SSLContext context = loadSSLContext();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(context,
new NoopHostnameVerifier());
我使用 SSLConnectionSocketFactory 创建了一个 CloseableHttpClient:
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
并执行 GET 请求:
HttpGet request = new HttpGet("/private/openapi");
HttpResponse httpresponse = httpclient.execute(request);
当运行这个的时候,我得到了
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
可能是什么原因?这个问题我google了一下,好像主要是协议和密码套件不匹配。我不确定,是否是我的情况。 请帮助,任何想法或链接将不胜感激! 这是堆栈跟踪和调试输出(请忽略奇怪的 ip 地址):
16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> CONNECT api.serviceprovider.com:443 HTTP/1.1 16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: api.serviceprovider.com:443 16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "CONNECT api.serviceprovider.com:443 HTTP/1.1[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 16:46:08.878 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 200 Connection established[\r][\n]" 16:46:08.879 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]" 16:46:08.880 [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 Connection established 16:46:08.881 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Tunnel to target created. 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2] 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure session established 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated protocol: TLSv1.2 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer principal: CN=api.serviceprovider.com, OU=IT Department, O=ServiceProv, L=Moscow, C=RU 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer alternative names: [api.serviceprovider.com, developer.serviceprovider.com] 16:46:08.999 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - issuer principal: CN=Thawte TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US 16:46:08.999 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: api.serviceprovider.com:443 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "GET /private/openapi HTTP/1.1[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 16:46:09.037 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[read] I/O error: Received fatal alert: handshake_failure" 16:46:09.037 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Close connection 16:46:09.037 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection 16:46:09.037 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded 16:46:09.038 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {tls}->http://x.x.x.120:8080->https://api.serviceprovider.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:933) at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at org.apache.http.impl.conn.LoggingInputStream.read(LoggingInputStream.java:84) at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137) at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153) at org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:282) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56) at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259) at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163) at org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165) at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273) at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118) at ru.bcs.creditmarkt.delivery.adapter.ServProvAuthTest.testConn(ServProvAuthTest.java:99)
问题已解决。问题出在 jks 密钥库中,而不是代码中。我已经导入了客户端证书,但它也需要一个带有根证书的证书链。一旦导入了带有客户端证书的整个链,它就可以工作了。