[英]JBoss7 client-cert authentication: Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
I am trying to set up client certificate authentication with JBoss (so far tested with 7.1.0 Final and 7.1.1 Final , Java 6 and Java7 ). 我正在尝试使用JBoss设置客户端证书认证(到目前为止已通过7.1.0 Final和7.1.1 Final , Java 6和Java7进行了测试 )。
1) I've generated certificate based on this 1)我已经基于此生成了证书
2) I've copied keystore.server and server.truststore into /standalone/configuration folder. 2)我已经将keystore.server和server.truststore复制到/ standalone / configuration文件夹中。
3) In standalone.xml I've created security domain 3)在standalone.xml中,我创建了安全域
<security-domain name="RequireCertificateDomain">
<authentication>
<login-module code="CertificateRoles" flag="required">
<module-option name="securityDomain" value="RequireCertificateDomain"/>
<module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
<module-option name="usersProperties" value="${jboss.server.config.dir}/my-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/my-roles.properties"/>
</login-module>
</authentication>
<jsse keystore-password="changeit" keystore-url="file:C:/jboss/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" truststore-password="changeit" truststore-url="file:C:/jboss/jboss-as-7.1.1.Final/standalone/configuration/server.truststore"/>
</security-domain>
and HTTPS connector: 和HTTPS连接器:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl password="changeit" certificate-key-file="${jboss.server.config.dir}/server.keystore" verify-client="want" ca-certificate-file="${jboss.server.config.dir}/server.truststore"/>
</connector>
4) I've imported certificate to /lib/security/cacerts (later I've been trying access my secured WS by Spring RestTemplate - also no luck) 4)我已经将证书导入到/ lib / security / cacerts (后来我一直在尝试通过Spring RestTemplate访问我的安全WS-也没有运气)
5) I've imported certificate into Internet Options -> Content -> Certificates -> Trusted Root CA (I can see that cert is trusted) 5)我已将证书导入Internet选项->内容->证书->受信任的根CA(我可以看到该证书受信任)
6) I've created simple JavaEE Rest WS, web.xml: 6)我创建了简单的JavaEE Rest WS,web.xml:
<security-constraint>
<display-name>Area secured</display-name>
<web-resource-collection>
<web-resource-name>protected_resources</web-resource-name>
<url-pattern>/api/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>User with any role</description>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
jboss-web.xml: jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>RequireCertificateDomain</security-domain>
</jboss-web>
7) When trying to access via browser (Chrome/Firefox/IE) I get HTTP Status 401 - No client certificate chain in this request . 7)尝试通过浏览器(Chrome / Firefox / IE)访问时,我收到HTTP状态401-此请求中没有客户端证书链 。 In server.log I can see the followings:
在server.log中,我可以看到以下内容:
Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL
I've search the Internet and found out that it may be a bug but was supposed to be fixed in 7.1.0 Final release. 我搜索了Internet,发现它可能是一个错误,但应该在7.1.0最终版本中得到了修复。 Unfortunately I keep getting this error both on 7.1.0 and 7.1.1 versions.
不幸的是,我在7.1.0和7.1.1版本上都一直收到此错误。
Am I missing something? 我想念什么吗?
I am running into the same issue. 我遇到了同样的问题。 I take it that the browser is not even prompting you to choose the cert?
我认为浏览器甚至没有提示您选择证书? Have you tried using curl to send the credentials and turned up
javax.net.debug=ssl,handshake
? 您是否尝试过使用curl发送凭据并打开
javax.net.debug=ssl,handshake
? You can then see the client and server responses in your jboss logs. 然后,您可以在jboss日志中查看客户端和服务器的响应。 Here is the curl command.
这是curl命令。
curl --cert ./cert.pem --key ./key.pem https://jbosshost:port -k -v
You will need to use openssl to convert your p12 to cert and key .pems 您将需要使用openssl将p12转换为cert和key .pems
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.