SSL Handshake ending with javax.net.ssl.SSLException: readHandshakeRecord
We are trying to set up client-server authentication. The client and the server have 2 machine certificates, signed by the same CA and intermediate CA. When starting the handshake with javax.net.debug=ssl:handshake, these are the logs after the various certificates have been printed. The protocol used is TLS v1.2, and the Java is OpenJDK 11.
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [VARIOUS CAs]
}
)
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 11 88 67 1F E4 73 35 2B 1A 81 23 BF D7 40 57 ...g..s5+..#..@W
.....AND MORE k
},
}
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLException: readHandshakeRecord
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
Update: it seems that the certificate with the right algorithm cannot be found in the JKS; I used a piece of code to check whether it can be found manually, and that works fine.
Is there another way to check the available certificates for a mismatch?
Update 2: full debug output
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6",
"session id" : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=clienthostname.dmz.test-group.net
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: 79 10 30 AA 4A 56 70 8B 51 26 11 78 9
..AND MORE
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409
12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50",
"session id" : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6",
"cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
"compression methods" : "00",
"extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized: Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate System CA, O=TEST Group",
"not before" : "2019-02-06 11:52:50.000 CET",
"not after" : "2022-02-06 11:52:50.000 CET",
"subject" : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C
..AND MORE
]
},
{
ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
timeStamping
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: prestest.sis.dom
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F B0 29 8F 09 13 12 A2
..AND MORE
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C CE 36 F9 2E A9 DC
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 14:12:46.000 CEST",
"not after" : "2027-10-20 14:12:46.000 CEST",
"subject" : "CN=TEST Corporate Root CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
..AND MORE
]
]
}
]}
]
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69
..AND MORE
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 8
]
]
}
]}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "secp256r1"
"ecdh public": {
0000: 04 25
..AND MORE
},
},
"digital signature": {
"signature algorithm": "rsa_pkcs1_sha256"
"signature": {
0000: 13 FA 5
..AND MORE
},
}
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG]
}
)
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write (
0000: 16 03 03 00 07 0B 00 00 03 00 00 00 ............
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 88 CE
..AND MORE .
},
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70
Update 3: as far as I can tell, the keystore was not being loaded; from custom code it is loaded correctly.
The problem was in the Axis client that calls the server.
Axis was loading its configuration from the client-config.wsdd in the product library am-client.jar, which sets the following property by default:
<parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" />
IMSSecureSocketFactory does not read the keystore from the system property (javax.net.ssl.keyStore).
So X509Authentication was reading from a KeyManager with no entries, which is why no certificate matched.
Adding the following property to AxisProperties solved the problem:
AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory");
I hope this helps someone else; debugging this was really challenging.
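The check asked for in the first update, written here as an added example and not code from the post: it builds an X509KeyManager both ways described in Update 3 (with no keystore at all, which is what a socket factory that ignores javax.net.ssl.keyStore effectively ends up with, and from the keystore the javax.net.ssl.keyStore* system properties name) and replays the server's CertificateRequest against it with the same chooseClientAlias() call JSSE makes. The class name, the reliance on those system properties and the choice of two issuer DNs from the logged CertificateRequest are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Run with the same -D properties the failing JVM uses (assumed, not from the post):
//   java -Djavax.net.ssl.keyStore=/path/client.jks -Djavax.net.ssl.keyStorePassword=... ClientCertDiag
public class ClientCertDiag {

    // "certificate types": [rsa_sign, dss_sign, ecdsa_sign] in the CertificateRequest
    // are the key types JSSE asks the KeyManager for, one at a time
    private static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    // Two of the "certificate authorities" DNs from the CertificateRequest in the debug log
    private static final Principal[] ISSUERS = {
        new X500Principal("CN=TEST Corporate Root CA, O=TEST Group"),
        new X500Principal("CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM")
    };

    /** Loads the keystore the way the default SSLContext does: from the system properties. */
    static KeyStore loadKeyStoreFromSystemProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String pw = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore is not set");
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray());
        }
        return ks;
    }

    /** Builds an X509KeyManager from ks; ks == null yields a manager with no entries. */
    static X509KeyManager keyManagerFor(KeyStore ks, char[] pw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    /** Replays the server's CertificateRequest: one chooseClientAlias() call per key type. */
    static String chooseClientAlias(X509KeyManager km) {
        for (String keyType : KEY_TYPES) {
            String alias = km.chooseClientAlias(new String[]{keyType}, ISSUERS, null);
            System.out.println(keyType + " -> " + (alias == null ? "No X.509 cert selected" : alias));
            if (alias != null) {
                return alias;
            }
        }
        return null;
    }

    /** Lists every private-key entry so a mismatch (key algorithm, EKU, validity, issuer) is visible. */
    static List<String> describeKeyEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        Date now = new Date();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert entries can never satisfy a CertificateRequest
            }
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            List<String> eku = leaf.getExtendedKeyUsage(); // null means no EKU restriction
            boolean clientAuth = eku == null || eku.contains("1.3.6.1.5.5.7.3.2");
            boolean valid = !leaf.getNotBefore().after(now) && !leaf.getNotAfter().before(now);
            out.add(String.format("%s: key=%s clientAuth=%s valid=%s issuer=%s",
                    alias, leaf.getPublicKey().getAlgorithm(), clientAuth, valid,
                    leaf.getIssuerX500Principal().getName()));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // 1. No keystore: reproduces the "No X.509 cert selected for ..." lines for every key type.
        System.out.println("== KeyManager built without a keystore ==");
        chooseClientAlias(keyManagerFor(null, null));

        // 2. Keystore from javax.net.ssl.keyStore: shows what the default SSLContext would have used.
        System.out.println("== KeyManager built from javax.net.ssl.keyStore ==");
        KeyStore ks = loadKeyStoreFromSystemProperties();
        for (String line : describeKeyEntries(ks)) {
            System.out.println(line);
        }
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        String alias = chooseClientAlias(keyManagerFor(ks, pw));
        System.out.println(alias == null ? "no entry matches the CertificateRequest" : "selected " + alias);
    }
}
```

If the second section selects an alias while the real client still sends an empty Certificate message, the keystore is fine and the socket factory in use is not handing it to JSSE, which is the situation Update 3 describes.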
我们正在尝试进行客户端-服务器身份验证。客户端和服务器有 2 个由同一个 CA 和中间 CA 签名的机器证书。当尝试使用 javax.net.debug=ssl:handshake 启动握手时,这些是打印出 varoius 证书后的日志。使用的协议是 TLS v.1.2,java 是 OpenJDK 11
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [VARIOUS CAs]
}
)
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 11 88 67 1F E4 73 35 2B 1A 81 23 BF D7 40 57 ...g..s5+..#..@W
.....AND MORE k
},
}
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLException: readHandshakeRecord
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
Update: it seems that no certificate with the right algorithm is found in the JKS. I checked with a piece of code whether it can be found manually, and that works fine. Is there any other way to check the available certificates for the mismatch?
Update 2: full debug output
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6",
"session id" : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=clienthostname.dmz.test-group.net
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: 79 10 30 AA 4A 56 70 8B 51 26 11 78 9
..AND MORE
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409
12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50",
"session id" : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6",
"cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
"compression methods" : "00",
"extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized: Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate System CA, O=TEST Group",
"not before" : "2019-02-06 11:52:50.000 CET",
"not after" : "2022-02-06 11:52:50.000 CET",
"subject" : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C
..AND MORE
]
},
{
ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
timeStamping
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: prestest.sis.dom
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F B0 29 8F 09 13 12 A2
..AND MORE
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C CE 36 F9 2E A9 DC
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 14:12:46.000 CEST",
"not after" : "2027-10-20 14:12:46.000 CEST",
"subject" : "CN=TEST Corporate Root CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
..AND MORE
]
]
}
]}
]
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69
..AND MORE
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: certificates.test@test-group.com
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 8
]
]
}
]}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "secp256r1"
"ecdh public": {
0000: 04 25
..AND MORE
},
},
"digital signature": {
"signature algorithm": "rsa_pkcs1_sha256"
"signature": {
0000: 13 FA 5
..AND MORE
},
}
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG]
}
)
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write (
0000: 16 03 03 00 07 0B 00 00 03 00 00 00 ............
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 88 CE
..AND MORE .
},
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70
Update 3: it looks to me like the keystore is not being loaded; from custom code it is loaded correctly.
The problem was in the Axis client that calls the server. Axis was loading its configuration from the client-config.wsdd of the product library am-client.jar, which sets the following property by default:
<parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" />
IMSSecureSocketFactory does not read the keystore from the system property (javax.net.ssl.keyStore). So X509Authentication was reading from a KeyManager with no entries, which resulted in no certificate matching.
Adding the following property to AxisProperties solved the problem:
AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory");
I hope this helps someone else; debugging this was really challenging.
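The question asked for a way to check which keystore entries would actually be offered for client authentication. The "No X.509 cert selected for EC/RSA/DSA" lines above come from JSSE calling X509KeyManager.chooseClientAlias once per certificate type in the CertificateRequest (rsa_sign, dss_sign and ecdsa_sign map to the key types RSA, DSA and EC), with the advertised "certificate authorities" as the issuer list. The following added diagnostic (my own example, not code from the question or from Axis) replays that selection against a keystore loaded directly from disk, independent of whatever socket factory the application ends up using. The keystore path, type and password are command-line arguments, the optional issuer DNs are the ones the server listed, and the `KEY_TYPES` mapping is an assumption drawn from the CertificateRequest shown above:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Diagnostic that replays JSSE's client-certificate selection against a keystore.
 * Added example, not code from the question. Assumes the keystore path, type and
 * password are passed on the command line, followed by zero or more issuer DNs
 * taken from the server's CertificateRequest.
 */
public class ClientCertSelectionCheck {

    // Assumption: the CertificateRequest lists rsa_sign, dss_sign and ecdsa_sign,
    // which JSSE turns into these key-type names when it asks the KeyManager.
    private static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientCertSelectionCheck <keystore> <type> <password> [issuerDN ...]");
            System.exit(2);
        }
        String path = args[0];
        String type = args[1];
        char[] password = args[2].toCharArray();

        // Acceptable CAs advertised by the server. null means "any issuer", so run it
        // once without DNs and once with them to see whether the issuer filter is what drops the cert.
        Principal[] issuers = null;
        if (args.length > 3) {
            issuers = new Principal[args.length - 3];
            for (int i = 3; i < args.length; i++) {
                issuers[i - 3] = new X500Principal(args[i]);
            }
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        listEntries(ks);

        X509KeyManager km = keyManagerFor(ks, password);
        for (String keyType : KEY_TYPES) {
            // Same call JSSE's X509Authentication makes; null alias == "No X.509 cert selected".
            String alias = km.chooseClientAlias(new String[] {keyType}, issuers, null);
            System.out.println(keyType + " -> " + (alias == null ? "no alias selected" : alias));
        }
    }

    /** Print every alias with its key-entry status, key algorithm, subject and issuer. */
    static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) {
                System.out.printf("%s keyEntry=%b (no certificate)%n", alias, ks.isKeyEntry(alias));
                continue;
            }
            System.out.printf("%s keyEntry=%b alg=%s subject=%s issuer=%s%n",
                    alias, ks.isKeyEntry(alias), cert.getPublicKey().getAlgorithm(),
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
        }
    }

    /** Build the platform-default X509KeyManager the same way SSLContext would. */
    static X509KeyManager keyManagerFor(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }
}
```

If this prints an alias for RSA but the real handshake still logs "No X.509 cert selected for RSA", the keystore contents are not the problem; the KeyManager used by the connection is simply not the one built from this file, which is exactly the Axis socket-factory situation in Update 3. If it prints "no alias selected" for every type, check that the alias is a key entry (not a trusted-cert entry), that the key algorithm is one of the requested types, and that the certificate's issuer chain leads to one of the DNs in the CertificateRequest.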