Jetty 发送与密钥库中配置的不同的 SSL 证书
Jetty sends different SSL certificate than what's configured in keystore
Jetty 9.3.1.v20150714 配置了包含 3 个证书的密钥库:服务器证书、CA 证书和 GeoTrust 根证书。
使用 keytool -list -keystore jetty/etc/keystore -storetype pkcs12 显示它有这些证书 -
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 4 entries
jetty, Aug 29, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A3:...:10
root, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
ca, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24
server, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 20:...:E3
当服务器加载时,日志显示它加载证书 -
2015-08-30 05:32:47 main ServerConnector [INFO] Started ServerConnector@34849eef{HTTP/1.1,[http/1.1, h2c, h2c-17, h2c-16, h2c-15, h2c-14]}{0.0.0.0:8080}
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=jetty cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=root cn=GeoTrust Global CA in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate SAN alias=server cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [INFO] x509={example.com=server} wild={} alias=null for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] managers=[sun.security.ssl.SunX509KeyManagerImpl@36c54a56] for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
但是当尝试使用 HTTPS 连接服务器时,由于错误的(自签名)证书而失败。
检查返回的证书 openssl s_client -connect example.com:443 returns -
CONNECTED(00000003)
depth=0 C = ..., CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ..., CN = example.com
verify return:1
---
Certificate chain
0 s:/C=.../CN=example.com
i:/C=.../CN=example.com
---
这只显示了 1 个自签名证书,而不是密钥库中的证书。尝试向服务器发送 HTTPS 命令时,它显示在日志中 -
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Customize 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Enable SNI matching 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matches=type=host_name (0), value=example.com for org.eclipse.jetty.util.ssl.SslContextFactory$AliasSNIMatcher@22497dda
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matched example.com->server
2015-08-30 06:06:52 qtp1579572132-16 HttpParser [WARN] parse exception: java.lang.IllegalStateException: too much data seeking EOF in CLOSE for HttpChannelOverHttp@37b97125{r=1,c=false,a=IDLE,uri=-}
我已经通过关闭它来确保它连接到正确的服务器,然后得到一个 CONNECTION REFUSED,还尝试删除密钥库文件并且服务器加载失败,这意味着它使用了正确的文件.
这个自签名的 1 长证书链从何而来?服务器是否可能定义了两个密钥库?
更新
使用 openssl s_client 正确显示了用不同的(有效的)密钥库替换密钥库,以及所有 3 个证书。
这意味着问题出在原始密钥库上,如上所示它有 3 个 public 证书,但 openssl 仅输出 1 个自签名证书。
以下是用于生成密钥库的命令 -
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -alias jetty
keytool -certreq -alias jetty -keystore keystore.p12 -storetype pkcs12 -file jetty.csr -keyalg RSA
# send CSR file to a CA for signing. got back 3 CRT files.
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias ca -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias server -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
密钥库构建不正确。
添加到密钥库的最后一个条目具有别名 server 而不是 jetty,这是私钥的别名。这样做会阻止识别证书对私钥的回复。
为了解决这个问题,我从密钥库中删除了所有证书并添加了正确的别名。
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias inter -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias jetty -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
在最后一个命令之后,keytool 将响应 Certificate reply was installed in keystore,表明它识别服务器证书响应。
我不确定它是否有影响,但我没有调用 CA 的中间证书 ca,而是在工作密钥库中调用它 inter,我认为这不是必需的但这值得一提,以防万一。
Jetty 9.3.1.v20150714 配置了包含 3 个证书的密钥库:服务器证书、CA 证书和 GeoTrust 根证书。
使用 keytool -list -keystore jetty/etc/keystore -storetype pkcs12 显示它有这些证书 -
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 4 entries
jetty, Aug 29, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A3:...:10
root, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
ca, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24
server, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 20:...:E3
当服务器加载时,日志显示它加载证书 -
2015-08-30 05:32:47 main ServerConnector [INFO] Started ServerConnector@34849eef{HTTP/1.1,[http/1.1, h2c, h2c-17, h2c-16, h2c-15, h2c-14]}{0.0.0.0:8080}
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=jetty cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=root cn=GeoTrust Global CA in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate SAN alias=server cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [INFO] x509={example.com=server} wild={} alias=null for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] managers=[sun.security.ssl.SunX509KeyManagerImpl@36c54a56] for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
但是当尝试使用 HTTPS 连接服务器时,由于错误的(自签名)证书而失败。
检查返回的证书 openssl s_client -connect example.com:443 returns -
CONNECTED(00000003)
depth=0 C = ..., CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ..., CN = example.com
verify return:1
---
Certificate chain
0 s:/C=.../CN=example.com
i:/C=.../CN=example.com
---
这只显示了 1 个自签名证书,而不是密钥库中的证书。尝试向服务器发送 HTTPS 命令时,它显示在日志中 -
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Customize 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Enable SNI matching 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matches=type=host_name (0), value=example.com for org.eclipse.jetty.util.ssl.SslContextFactory$AliasSNIMatcher@22497dda
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matched example.com->server
2015-08-30 06:06:52 qtp1579572132-16 HttpParser [WARN] parse exception: java.lang.IllegalStateException: too much data seeking EOF in CLOSE for HttpChannelOverHttp@37b97125{r=1,c=false,a=IDLE,uri=-}
我已经通过关闭它来确保它连接到正确的服务器,然后得到一个 CONNECTION REFUSED,还尝试删除密钥库文件并且服务器加载失败,这意味着它使用了正确的文件.
这个自签名的 1 长证书链从何而来?服务器是否可能定义了两个密钥库?
更新
使用 openssl s_client 正确显示了用不同的(有效的)密钥库替换密钥库,以及所有 3 个证书。
这意味着问题出在原始密钥库上,如上所示它有 3 个 public 证书,但 openssl 仅输出 1 个自签名证书。
以下是用于生成密钥库的命令 -
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -alias jetty
keytool -certreq -alias jetty -keystore keystore.p12 -storetype pkcs12 -file jetty.csr -keyalg RSA
# send CSR file to a CA for signing. got back 3 CRT files.
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias ca -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias server -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
密钥库构建不正确。
添加到密钥库的最后一个条目具有别名 server 而不是 jetty,这是私钥的别名。这样做会阻止识别证书对私钥的回复。
为了解决这个问题,我从密钥库中删除了所有证书并添加了正确的别名。
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias inter -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias jetty -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
在最后一个命令之后,keytool 将响应 Certificate reply was installed in keystore,表明它识别服务器证书响应。
我不确定它是否有影响,但我没有调用 CA 的中间证书 ca,而是在工作密钥库中调用它 inter,我认为这不是必需的但这值得一提,以防万一。