SSL Handshake ending with javax.net.ssl.SSLException: readHandshakeRecord

We are trying to set up client-server authentication. The client and the server have 2 machine certificates signed by the same CA and intermediate CA. When trying to start the handshake with javax.net.debug=ssl:handshake, these are the logs printed after the various certificates. The protocol used is TLS v1.2, Java is OpenJDK 11.

javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [VARIOUS CAs]
}
)
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 11 88 67 1F E4 73 35   2B 1A 81 23 BF D7 40 57  ...g..s5+..#..@W
    .....AND MORE                                                k
  },
}
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLException: readHandshakeRecord
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)

Update: it seems that no certificate with the right algorithm is found in the JKS; using a piece of code I checked whether it can be found manually, and that works fine. Is there any other way to check the available certificates for a mismatch?

Update 2: full debug output

javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6",
  "session id"          : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=clienthostname.dmz.test-group.net
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "key_share (51)": {
      "client_shares": [
        {
          "named group": x25519
          "key_exchange": {
            0000: 79 10 30 AA 4A 56 70 8B   51 26 11 78 9
              ..AND MORE
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409
12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968

javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50",
  "session id"          : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized:  Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate System CA, O=TEST Group",
    "not before"         : "2019-02-06 11:52:50.000 CET",
    "not  after"         : "2022-02-06 11:52:50.000 CET",
    "subject"            : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 82 6A BA CD 96 8E   7C 
          ..AND MORE
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
          timeStamping
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: prestest.sis.dom
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 1F B0 29 8F 09 13 12 A2   
  ..AND MORE    
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 15:23:27.000 CEST",
    "not  after"         : "2027-10-19 15:23:27.000 CEST",
    "subject"            : "CN=TEST Corporate System CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: D0 69 0E 0C 2A B6 1F 4C   D4 B1 B4 7C 59 3A
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 82 6A BA CD 96 8E   7C CE 36 F9 2E A9 DC
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 14:12:46.000 CEST",
    "not  after"         : "2027-10-20 14:12:46.000 CEST",
    "subject"            : "CN=TEST Corporate Root CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: D0 69 0E 0C 2A B6 1F 4C   D4 B1 B4 7C 59 3A 
          ..AND MORE
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=TEST Corporate Root CA, O=TEST Group",
    "not before"         : "2017-10-20 15:23:27.000 CEST",
    "not  after"         : "2027-10-19 15:23:27.000 CEST",
    "subject"            : "CN=TEST Corporate System CA, O=TEST Group",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: D0 69
          ..AND MORE
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:true
          PathLen:2147483647
        ]
      },
      {
        ObjectId: 2.5.29.18 Criticality=false
        IssuerAlternativeName [
          CN=TEST Corporate Root CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          Key_CertSign
          Crl_Sign
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          CN=TEST Corporate System CA, O=TEST Group
          RFC822Name: certificates.test@test-group.com
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A8 E2 8
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "secp256r1"
    "ecdh public": {
      0000: 04 25 
  ..AND MORE
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pkcs1_sha256"
    "signature": {
      0000: 13 FA 5
   ..AND MORE
    },
  }
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG]
}
)
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write (
  0000: 16 03 03 00 07 0B 00 00   03 00 00 00              ............
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 04 88 CE
  ..AND MORE                                                 .
  },
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70

Update 3: in my view the keystore is not being loaded; from custom code it is loaded correctly.

The problem is in the Axis client that calls the server. Axis is loading its configuration from client-config.wsdd in the product library am-client.jar, which by default sets the following property:

        <parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" />

IMSSecureSocketFactory does not read the keystore from the system property (javax.net.ssl.keyStore). So X509Authentication reads from a KeyManager that has no entries, which results in no certificate matching.

Adding the following property to AxisProperties solved the problem:

AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory"); 

I hope this helps someone else; debugging this was really challenging.
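The diagnostic below is an added example, not code from the question or from Axis. It replays the client-side certificate selection that JSSE performs when it consumes a CertificateRequest (one chooseClientAlias call per certificate type, which is what produces the "No X.509 cert selected for EC/RSA/DSA" lines above) against the keystore you believe the application is using, and for each private-key entry prints the attributes that decide whether it can be offered: key algorithm, whether any issuer in its chain appears in the server's CA list, the digitalSignature KeyUsage bit, the clientAuth extended key usage and validity. The keystore path, type and password are assumed to come from the standard javax.net.ssl.* system properties (with placeholder defaults), and only two of the issuer DNs from the log's "certificate authorities" field are reproduced in ISSUERS; the clientAuth OID is the standard RFC 5280 value.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

public class ClientCertSelectionCheck {

    // Assumed: same system properties JSSE's default KeyManager reads; placeholders otherwise.
    static final String KS_PATH = System.getProperty("javax.net.ssl.keyStore", "client.jks");
    static final String KS_TYPE = System.getProperty("javax.net.ssl.keyStoreType", "JKS");
    static final char[] KS_PASS =
        System.getProperty("javax.net.ssl.keyStorePassword", "changeit").toCharArray();

    // JSSE asks the KeyManager once per certificate type in the CertificateRequest:
    // ecdsa_sign -> "EC", rsa_sign -> "RSA", dss_sign -> "DSA".
    static final String[] KEY_TYPES = { "EC", "RSA", "DSA" };

    // Issuer DNs copied from the "certificate authorities" field of the logged
    // CertificateRequest (only two reproduced here; extend with the rest).
    static final Principal[] ISSUERS = {
        new X500Principal("CN=TEST Corporate Root CA, O=TEST Group"),
        new X500Principal("CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM"),
    };

    // id-kp-clientAuth (RFC 5280).
    static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KS_TYPE);
        try (InputStream in = new FileInputStream(KS_PATH)) {
            ks.load(in, KS_PASS);
        }
        System.out.println("Keystore " + KS_PATH + " (" + KS_TYPE + ") entries:");
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  " + alias + ": trusted-cert entry (no private key), never selectable");
                continue;
            }
            keyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("  " + alias + ": " + describe((X509Certificate) chain[0], chain));
        }
        if (keyEntries == 0) {
            System.out.println("  -> no private-key entries: every chooseClientAlias call returns null");
        }

        // Ask the real KeyManager the same question JSSE asks, per key type.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KS_PASS);
        X509KeyManager km = null;
        for (KeyManager k : kmf.getKeyManagers()) {
            if (k instanceof X509KeyManager) { km = (X509KeyManager) k; break; }
        }
        if (km == null) throw new IllegalStateException("no X509KeyManager available");
        for (String keyType : KEY_TYPES) {
            String alias = km.chooseClientAlias(new String[] { keyType }, ISSUERS, null);
            System.out.println("chooseClientAlias(" + keyType + ") -> "
                + (alias == null ? "null  (logged as 'No X.509 cert selected for " + keyType + "')" : alias));
        }
    }

    /** Summarise the attributes that decide whether an entry can satisfy the CertificateRequest. */
    static String describe(X509Certificate leaf, Certificate[] chain) throws Exception {
        StringBuilder sb = new StringBuilder();
        sb.append("key=").append(leaf.getPublicKey().getAlgorithm());
        sb.append(", subject=").append(leaf.getSubjectX500Principal().getName());
        // Issuer match: some issuer in the chain must be in the server's CA list.
        boolean issuerOk = false;
        for (Certificate c : chain) {
            X500Principal iss = ((X509Certificate) c).getIssuerX500Principal();
            for (Principal p : ISSUERS) {
                if (p.equals(iss)) issuerOk = true;
            }
        }
        sb.append(", issuerInServerList=").append(issuerOk);
        // KeyUsage bit 0 is digitalSignature, required to sign the CertificateVerify.
        boolean[] ku = leaf.getKeyUsage();
        sb.append(", digitalSignature=").append(ku == null ? "absent" : ku[0]);
        List<String> eku = leaf.getExtendedKeyUsage();
        sb.append(", clientAuthEKU=").append(eku == null ? "absent" : eku.contains(EKU_CLIENT_AUTH));
        try {
            leaf.checkValidity();
            sb.append(", valid=true");
        } catch (Exception ex) {
            sb.append(", valid=false (").append(ex.getMessage()).append(")");
        }
        return sb.toString();
    }
}
```

Run it with exactly the -Djavax.net.ssl.keyStore/keyStorePassword settings the application process receives. If every chooseClientAlias call returns null here, the keystore contents are the problem (wrong key algorithm, issuer not in the server's list, missing private key); if an alias is returned, the keystore is fine and, as in Update 3, the question becomes whether the socket factory actually in use loads that keystore at all.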