Spring Boot - self-signed mTLS - necessary certificate

I have a problem with the mTLS configuration in a Spring Boot application.

Question: How do I authorize the request with a self-signed certificate when the certificate is mandatory due to the client-auth: need option?

Steps done so far:

I created one self-signed certificate using the command:

keytool -genkeypair -alias xx-test -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 150 -storepass xxxxxxxxxxxx

Then in application.yml I have a configuration which uses this newly created keystore:

server:
  ssl:
    enabled: true
    key-alias: xx-test
    key-password: xxxxxxxxxxxx
    key-store-password: xxxxxxxxxxxx
    key-store-type: pkcs12
    key-store: classpath:keystore.p12

    client-auth: need # Can be also want/need
    trust-store: classpath:keystore.p12
    trust-store-type: pkcs12
    trust-store-password: xxxxxxxxxxxx

When I have client-auth: want instead of need, the Chrome browser informs me that the certificate is invalid, but I can read the endpoint. In Spring Boot the message is javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown.

When I change the setting to client-auth: need, Chrome shows ERR_BAD_SSL_CLIENT_AUTH_CERT and Spring Boot throws:

Closing SSLConduit after exception on handshake
javax.net.ssl.SSLHandshakeException: Empty client certificate chain
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:258) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1163) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
    at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1107) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:830) ~[?:?]

The self-signed cert is also put into Trusted Root Certification Authorities in Windows.

With the -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake option, the error is described in a more detailed way:

javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|SSLExtensions.java:189|Consumed extension: supported_versions
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|ClientHello.java:838|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|SSLExtensions.java:189|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|PreSharedKeyExtension.java:840|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|ServerNameExtension.java:327|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: server_name
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: status_request
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: supported_groups
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|AlpnExtension.java:277|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|KeyShareExtension.java:340|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(60138)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:189|Consumed extension: key_share
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:160|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:221|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|ServerHello.java:733|use cipher suite TLS_AES_256_GCM_SHA384
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.345 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.345 CEST|ServerHello.java:587|Produced ServerHello handshake message (
"ServerHello": {.....}

javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.346 CEST|SSLCipher.java:1867|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLCipher.java:2021|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|ServerNameExtension.java:537|No expected server name indication response
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|MaxFragExtension.java:469|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|AlpnExtension.java:365|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|EncryptedExtensions.java:137|Produced EncryptedExtensions message ("EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.356 CEST|CertificateRequest.java:882|Produced CertificateRequest message (....)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.368 CEST|CertificateVerify.java:1113|Produced server CertificateVerify handshake message (
"CertificateVerify": {....}
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.369 CEST|Finished.java:777|Produced server Finished handshake message (
"Finished": {.....}

2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-6] request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:184) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:729) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:684) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:499) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:475) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:773) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:898) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-5] request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:184) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:729) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:684) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:499) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:475) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:773) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:898) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-4] request - UT005013: An IOException occurred
java.nio.channels.ClosedChannelException: null
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:892) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.370 CEST|SSLCipher.java:2021|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|17|XNIO-1 I/O-3|2020-07-13 19:37:02.372 CEST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|2D|XNIO-1 task-5|2020-07-13 19:37:02.382 CEST|CertificateMessage.java:1160|Consuming client Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
]
}
)

However, it doesn't tell me too much.

Solution:解决方案:

Finally, I had a little problem with an incorrect intermediate certificate in the chain.

Additionally, I decided to create a custom server configuration which had an implementation similar to this one:

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import io.undertow.Undertow;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

@Component
public class UndertowConfiguration implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
    ...
    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addBuilderCustomizers((Undertow.Builder builder) -> {
            try {
                // Server-side context built from the custom key and trust managers
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(keyStoreManager.createKeyStore(),
                        trustStoreManager.createTrustStoreManager(),
                        new SecureRandom());
                // REQUIRED is the equivalent of client-auth: need
                builder.addHttpsListener(serverPortConfiguration.getSecurePort(), "0.0.0.0", sslContext)
                        .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
            } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException | UnrecoverableKeyException | KeyManagementException e) {
                e.printStackTrace();
            }
        });
    }
}

and a specific WebClient for sending requests to another server, like this:

import java.io.IOException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Bean
public WebClient webClient() throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
    // Client-side context using the same key and trust material as the server
    SslContext sslContext = SslContextBuilder.forClient()
            .keyManager(keyStoreManager.createKeyStore())
            .trustManager(trustStoreManager.createTrustStoreManager())
            .build();
    HttpClient httpClient = HttpClient.create()
            .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    return WebClient.builder()
            .clientConnector(new ReactorClientHttpConnector(httpClient))
            .build();
}

When the custom sslContext was applied to both of those, it started to work. However, certificates are a really difficult thing to debug.

I hope this post will help someone with this problem. Also, -Djavax.net.debug=all helps significantly with debugging and understanding what the real problem with certificates is.
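As an added example (not code from the original post), a small Java utility that replays the server-side client-auth decision offline: it loads the trust store Spring Boot would use, prints the issuer names the server advertises in its CertificateRequest (a browser with no certificate issued by one of them sends an empty certificate_list, which is the "Empty client certificate chain" seen above), and asks the same JSSE trust manager whether a given client chain would be accepted. File paths, the password argument and the PEM layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Offline replay of the server-side client-auth check: the same X509TrustManager
// JSSE builds from server.ssl.trust-store is asked whether a client chain passes.
public final class ClientChainCheck {

    static X509Certificate[] loadPemChain(String pemPath) throws Exception {
        // Assumed PEM layout: client leaf certificate first, then any intermediates
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <truststore.p12> <password> <client-chain.pem>
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate[] chain = loadPemChain(args[2]);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // These DNs are sent in the CertificateRequest; a browser only offers a client
        // certificate issued by one of them, otherwise it sends an empty certificate_list.
        System.out.println("Accepted issuers:");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal());
        }
        try {
            tm.checkClientTrusted(chain, "RSA"); // the check run on the client Certificate message
            System.out.println("OK: " + chain.length + " cert(s), chain would be accepted");
        } catch (CertificateException e) {
            // Typical causes: missing intermediate, wrong trust store, expired certificate
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it against the trust store from application.yml before switching to client-auth: need; a REJECTED line with a chain-building message points at the intermediate problem described in the solution, and an empty issuer list means the browser will never be asked for the right certificate.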
