[英]SSL connection failing with no Certificate Request from the server, connecting to Nginx on AWS from a local Websphere AS running on Java 6
我很難通過客戶端身份驗證連接到服務。 該服務(“SecureService”)位於 AWS 上。 客戶端位於我 Mac 上的 Linux VM 上。 SecureService 上的 Nginx 對我在端口 443 上訪問的資源強制執行客戶端身份驗證。我可以使用概念證明 Java 獨立應用程序 (openjdk 1.8.0_60) 或其他客戶端從同一 VM 連接到同一 SecureService 獲得成功響應(wget、openssl),但不是來自 Websphere AS 上托管的相同 Java 代碼(誠然依賴於較舊的庫和 IBM J9 VM,構建 2.6,JRE 1.6.0)。 但是,當將 SecureService 主機名重新映射到 /etc/hosts 中的 127.0.0.1 時,Websphere AS 上的相同 java 代碼成功連接到需要來自同一證書頒發機構的客戶端身份驗證的本地 openSSL 服務器。 失敗連接中來自 SecureServer 的響應報告“400 No required SSL certificate was sent”...“400 Bad Request”,但 tcpdump 數據包捕獲顯示它沒有發送證書請求,而在所有其他情況下都是如此。 這令人費解,讓我認為 ClientHello 消息中有一些服務器不喜歡的東西,盡管成功和失敗連接中的 ClientHello 消息非常相似。
還有一個很奇怪的細節是 tcpdump 從未在失敗的通信中捕獲從我的客戶端到服務器的第一個 TCP SYN 數據包,而它會捕獲其余的(來自服務器的 SYN + ACK,然后是來自客戶端的 ACK)和所有數據包( SYN、SYN + ACK、ACK)在所有其他通信中。
所有通信的所有部分都使用 TLSv1.2。
連接失敗:
(client <--> server) <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello, Certificate, Server Hello Done --> ACK --> Client Key Exchange <-- ACK --> Change Cypher Spec <-- ACK --> Encrypted Handshake Message <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
從概念驗證 Java 應用程序成功連接:(客戶端 <--> 服務器)
--> SYN <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello <-- Certificate <-- Certificate Request, Server Hello Done --> ACK --> ACK --> [TCP segment of a reassembled PDU] --> Certificate, Client Key Exchange <-- ACK --> Certificate Verify --> Change Cypher Spec --> Hello Request, Hello Request <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
從 Websphere AS 到本地 openSSL 的成功連接:(客戶端 <--> 服務器)
--> SYN <-- SYN, ACK --> ACK --> Client Hello <-- ACK <-- Server Hello, Certificate, Certificate Request, Server Hello Done --> ACK --> Certificate, Client Key Exchange <-- ACK --> Certificate Verify --> Change Cypher Spec --> Encrypted Handshake Message <-- ACK <-- Change Cypher Spec, Encrypted Handshake Message --> Application Data ...
失敗的客戶你好:
Frame 3: 332 bytes on wire (2656 bits), 332 bytes captured (2656 bits) Encapsulation type: Linux cooked-mode capture (25) Arrival Time: Feb 25, 2016 13:29:15.353437000 GMT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1456406955.353437000 seconds [Time delta from previous captured frame: 0.004839000 seconds] [Time delta from previous displayed frame: 0.004839000 seconds] [Time since reference or first frame: 0.004868000 seconds] Frame Number: 3 Frame Length: 332 bytes (2656 bits) Capture Length: 332 bytes (2656 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: sll:ethertype:ip:tcp:ssl] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Linux cooked capture Packet type: Sent by us (4) Link-layer address type: 1 Link-layer address length: 6 Source: CadmusCo_67:0a:c1 (08:00:27:67:0a:c1) Protocol: IPv4 (0x0800) Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 316 Identification: 0xf29d (62109) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0xc7f8 [validation disabled] [Good: False] [Bad: False] Source: (OMITTED FOR SECURITY REASONS) Destination: (OMITTED FOR SECURITY REASONS) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 51512 (51512), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 276 Source Port: 51512 Destination Port: 443 [Stream index: 0] [TCP Segment Len: 276] Sequence number: 1 (relative sequence number) [Next sequence number: 277 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 20 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: *******AP***] Window size value: 14600 [Calculated window size: 14600] [Window size scaling factor: -2 (no window scaling used)] Checksum: 0x8054 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 [SEQ/ACK analysis] [Bytes in flight: 276] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 271 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 267 Version: TLS 1.2 (0x0303) Random GMT Unix Time: Feb 25, 2016 13:29:15.000000000 GMT Random Bytes: 2ca99e72b66289fcd3f11bf2dc3ef464709b197e6dd6cdd5... Session ID Length: 32 Session ID: 28eef056a41440e760eaa9e3358a9cd56d8823fa130e9100... Cipher Suites Length: 128 Cipher Suites (64 suites) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012) Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066) Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003) Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff) Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009) Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001) Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002) Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 66 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 24 Elliptic Curves Length: 22 Elliptic curves (11 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: secp192r1 (0x0013) Elliptic curve: secp224r1 (0x0015) Elliptic curve: secp384r1 (0x0018) Elliptic curve: secp521r1 (0x0019) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Elliptic curve: secp192k1 (0x0012) Elliptic curve: secp224k1 (0x0014) Elliptic curve: secp256k1 (0x0016) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 28 Signature Hash Algorithms Length: 26 Signature Hash Algorithms (13 algorithms) Signature Hash Algorithm: 0x0603 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0601 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0503 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0501 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0403 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0401 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0303 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0301 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0203 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0201 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0402 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0202 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0101 Signature Hash Algorithm Hash: MD5 (1) Signature Hash Algorithm Signature: RSA (1)
從概念驗證到 SecureServer 的成功 Client Hello:
Frame 62: 306 bytes on wire (2448 bits), 306 bytes captured (2448 bits) on interface 0 Interface id: 0 (en0) Encapsulation type: Ethernet (1) Arrival Time: Feb 24, 2016 17:20:21.803009000 GMT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1456334421.803009000 seconds [Time delta from previous captured frame: 0.119948000 seconds] [Time delta from previous displayed frame: 0.119948000 seconds] [Time since reference or first frame: 17.897514000 seconds] Frame Number: 62 Frame Length: 306 bytes (2448 bits) Capture Length: 306 bytes (2448 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp:ssl] [Coloring Rule Name: TCP] [Coloring Rule String: tcp] Ethernet II, Src: Apple_bc:c7:11 (a4:5e:60:bc:c7:11), Dst: CiscoInc_76:28:80 (a4:4c:11:76:28:80) Destination: CiscoInc_76:28:80 (a4:4c:11:76:28:80) Address: CiscoInc_76:28:80 (a4:4c:11:76:28:80) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Apple_bc:c7:11 (a4:5e:60:bc:c7:11) Address: Apple_bc:c7:11 (a4:5e:60:bc:c7:11) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS) 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 292 Identification: 0xa8b7 (43191) Flags: 0x02 (Don't Fragment) 0... .... = Reserved bit: Not set .1.. .... = Don't fragment: Set ..0. .... = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: TCP (6) Header checksum: 0x279c [validation disabled] [Good: False] [Bad: False] Source: (OMITTED FOR SECURITY REASONS) Destination: (OMITTED FOR SECURITY REASONS) [Source GeoIP: Unknown] [Destination GeoIP: Unknown] Transmission Control Protocol, Src Port: 62197 (62197), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 240 Source Port: 62197 Destination Port: 443 [Stream index: 9] [TCP Segment Len: 240] Sequence number: 1 (relative sequence number) [Next sequence number: 241 (relative sequence number)] Acknowledgment number: 1 (relative ack number) Header Length: 32 bytes Flags: 0x018 (PSH, ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 1... = Push: Set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: *******AP***] Window size value: 4122 [Calculated window size: 131904] [Window size scaling factor: 32] Checksum: 0xc3c5 [validation disabled] [Good Checksum: False] [Bad Checksum: False] Urgent pointer: 0 Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) No-Operation (NOP) Type: 1 0... .... = Copy on fragmentation: No .00. .... = Class: Control (0) ...0 0001 = Number: No-Operation (NOP) (1) Timestamps: TSval 928661973, TSecr 546145009 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 928661973 Timestamp echo reply: 546145009 [SEQ/ACK analysis] [iRTT: 0.016102000 seconds] [Bytes in flight: 240] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Client Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 235 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 231 Version: TLS 1.2 (0x0303) Random GMT Unix Time: Feb 24, 2016 17:20:21.000000000 GMT Random Bytes: fbb67137e8cde6609cb570685f6c9b5a62eefbc12973b545... Session ID Length: 0 Cipher Suites Length: 58 Cipher Suites (29 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Compression Methods Length: 1 Compression Methods (1 method) Compression Method: null (0) Extensions Length: 132 Extension: elliptic_curves Type: elliptic_curves (0x000a) Length: 52 Elliptic Curves Length: 50 Elliptic curves (25 curves) Elliptic curve: secp256r1 (0x0017) Elliptic curve: sect163k1 (0x0001) Elliptic curve: sect163r2 (0x0003) Elliptic curve: secp192r1 (0x0013) Elliptic curve: secp224r1 (0x0015) Elliptic curve: sect233k1 (0x0006) Elliptic curve: sect233r1 (0x0007) Elliptic curve: sect283k1 (0x0009) Elliptic curve: sect283r1 (0x000a) Elliptic curve: secp384r1 (0x0018) Elliptic curve: sect409k1 (0x000b) Elliptic curve: sect409r1 (0x000c) Elliptic curve: secp521r1 (0x0019) Elliptic curve: sect571k1 (0x000d) Elliptic curve: sect571r1 (0x000e) Elliptic curve: secp160k1 (0x000f) Elliptic curve: secp160r1 (0x0010) Elliptic curve: secp160r2 (0x0011) Elliptic curve: sect163r1 (0x0002) Elliptic curve: secp192k1 (0x0012) Elliptic curve: sect193r1 (0x0004) Elliptic curve: sect193r2 (0x0005) Elliptic curve: secp224k1 (0x0014) Elliptic curve: sect239k1 (0x0008) Elliptic curve: secp256k1 (0x0016) Extension: ec_point_formats Type: ec_point_formats (0x000b) Length: 2 EC point formats Length: 1 Elliptic curves point formats (1) EC point format: uncompressed (0) Extension: signature_algorithms Type: signature_algorithms (0x000d) Length: 26 Signature Hash Algorithms Length: 24 Signature Hash Algorithms (12 algorithms) Signature Hash Algorithm: 0x0603 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0601 Signature Hash Algorithm Hash: SHA512 (6) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0503 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0501 Signature Hash Algorithm Hash: SHA384 (5) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0403 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0401 Signature Hash Algorithm Hash: SHA256 (4) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0303 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0301 Signature Hash Algorithm Hash: SHA224 (3) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0203 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: ECDSA (3) Signature Hash Algorithm: 0x0201 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: RSA (1) Signature Hash Algorithm: 0x0202 Signature Hash Algorithm Hash: SHA1 (2) Signature Hash Algorithm Signature: DSA (2) Signature Hash Algorithm: 0x0101 Signature Hash Algorithm Hash: MD5 (1) Signature Hash Algorithm Signature: RSA (1) Extension: server_name Type: server_name (0x0000) Length: 36 Server Name Indication extension Server Name list length: 34 Server Name Type: host_name (0) Server Name length: 31 Server Name: (OMITTED FOR SECURITY REASONS - IT CORRESPONDS TO THE DESTINATION HOSTNAME)
Tcpdump 命令行:
sudo tcpdump -s 0 -n "port 443" -w /Repo/security/capture.cap -i any
有沒有人知道可能出了什么問題? 我目前沒有管理權限,甚至沒有登錄服務器的帳戶。
已解決 - 我發現 Nginx 服務器需要在 Client Hello 中指定“server_name”擴展名。 實際上,以下 openssl 命令會提示服務器發出證書請求...
/usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -cert client_identity.crt -key client_identity.key -connect SecureServerHostName:443 -debug <post_request.txt -tls1_2 -servername SecureServerHostName
...雖然省略“-servername”選項沒有。
我將如何強制 WebsphereAS 添加該擴展名是另一雙鞋。 也許通過更新 TLS 協議的實現,升級 Java 版本會有所幫助。
更新:是的,從1.6到1.7.1升級IBM JDK的工作,產生與服務器名稱指示客戶端Hello消息,提到這里(默認情況下的Java SE 7使服務器名稱指示(SNI)。)。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.