Java - 使用客户端证书身份验证时取消Ssl流

Question

I cannot figure this one out.

I have a unit test that performs a connection to my service using a client certificate authentication.

// generate a valid client cert and store it in a keystore
String keystorePassword = "xxx";
InputStream pkcs12 = UnitTests.generatePkcs12ForUser(user, keystorePassword, 3600);
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(pkcs12, keystorePassword.toCharArray());


String url = getBaseServerUrl();

// prepare a ssl context that has the keystore with client cert and key
SSLContext sslContext = SSLContexts.custom()
                                   .loadKeyMaterial(ks, keystorePassword.toCharArray())
                                   // trust all SSL certs
                                   .loadTrustMaterial((X509Certificate[] chain, String authType) -> true)
                                   .build();

// validate any hostname, and don't follow 3XX responses
HttpClient httpClient = HttpClients.custom()
                                   .setSSLContext(sslContext)
                                   .setSSLHostnameVerifier((a,b) -> true)
                                   .disableRedirectHandling()
                                   .build();

// this fails catastrophically
HttpResponse response = httpClient.execute(new HttpGet(url));

I'm using Java 8 and my server is behind a reverse proxy that uses Nginx.

My unit test fails with an exception like this:

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1002)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
[...]
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
    ... 43 more

And I can see in the Nginx error.log the following line:

2018/05/18 15:34:12 [crit] 42#42: *327 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:443

I have SCOURGED the internet to find the reason for this error, and I feel like I have exhausted all recourse.

Non exhaustive list of things I have tried:

• Force java to use TlsV1.1 with -Dhttps.protocols=Tlsv1.1 -> still fails
• Tried to specify the "key strategy" for the loadTrustMaterial to always use my own key -> still fails
• Used a Jersey client with the same set of Ssl /Keystore params -> still fails
• Tried all JDK versions of 1.8: OpenJDK, Oracle, and Oracle with Crypto Extensions (JCE)
• Searching the nginx error seems to imply that the passed cert wasn't correct, so I...
• ...dumped the key and cert into a couple of PEM files while in debugger and curl ed the same address -> it works ?!
• Wiresharked the connection and examined the TLS negotiation. Compared it with a working sample (the simple curl -k <url> above which works flawlessly):
  • Saw something about ALPN but enabling it in Java doesn't fix the exception.
  • Saw different crypto algorithms announced but nothing stands out

Do you guys have any idea? I'm starting to get crazy. I have a hunch that I'm not setting my connection correctly, but I can't see where.

Answer 1

For those that didn't read the comments: I figured it out: I was using the subjectAltName as a storage for something that isn't an alternative name.

It seems that Java is not happy with this and refuses the connection.