堆棧內存溢出
  簡體   English   中英

肥皂適配器的SSL握手失敗

[英]SSL handshake failure with soap adapter

 原文  2017-10-25 04:06:31       java/ ssl/ soap/ jetty

問題描述

我們有一個第三方應用程序,該應用程序使用Jetty 6.1構建了一個肥皂適配器。 該應用程序通過SOAP適配器,通過SSL從.Net應用程序獲取入站請求。

最近,SSL證書已過期,安全團隊已將新證書添加到信任庫。

問題在於Jetty獲取所有證書的列表,但僅使用第一個(過期)證書,並且握手失敗。

以下是一些日志片段。 很少有行被標記為xxxxxxxxx以隱藏文本。

這顯示了3個別名,第一個別名於2017年10月8日到期。 

JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
matching alias: 44240-xxxx-xxxxx-xxxxxx-org
matching alias: 111824-xxxx-xxxxx-xxxxxx-org
matching alias: 109491-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias 44240-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true

**%% Negotiating:  [Session-1, SSL_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1491745993 bytes = { 73, 37, 191, 131, 31, 235, 131, 242, 96, 119, 124, 73, 57, 221, 38, 112, 19, 216, 144, 221, 184, 25, 181, 210, 229, 39, 62, 50 }
Session ID:  {89, 234, 61, 201, 31, 215, 166, 2, 132, 100, 188, 234, 63, 57, 167, 114, 199, 190, 119, 228, 154, 176, 153, 236, 115, 222, 35, 98, 53, 182, 88, 140}
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
Cipher suite:  SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxx-xxxxx-xxxxxx.org, OU=TreSOAP Server Test-PROD Primary, O=XXXX-XXXXX - internal dmz, L=Saint Louis, ST=Missouri, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  IBMPKCS11Impl RSA Public Key: 
 Token: false
 Private: false
 Label: IBMPKCS1162112826090763885165327
 Modifiable: true
 KeyType: 0
 ID: 
 Start Date: Wed Dec 31 17:59:59 CST 1969
 End Date: Wed Dec 31 17:59:59 CST 1969
 Derive: false
 Local: false
 Subject: 
 Encrypt: true
 Verify: true
 VerifyRecover: true
 Wrap: true
 modulus: 26606850225087850589932908027067524318268268224826270839465320725092268136382373728617246685378243753417909514269416692823470338958771068354701078301334195882971493513282715502700026787422539437203244486983379743077668035555448903482759728453372918271687510462097996374206565621965829077017536736170426765991639165149047482746818974654077122772442139310513169191565788646178636478714837968871155118100289147723685748486274263964655017819372517057114974155848311538134591086912352063631149931407513232621741060410510212626457131410022996185588768438731050436344397255226489472133617477053078911021189068729861786067773
 modulus bits: 2048
 public exponent: 65537
  Validity: [From: Wed Oct 09 12:59:36 CDT 2013,
               To: Sun Oct 08 12:49:19 CDT 2017]
  Issuer: CN=MC Internal Zone Applications sub CA, OU=Global Information Security, O=XXXX, DC=xxxx, DC=com
  SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: cf 53 c3 63 61 83 f7 cd  4c 99 6a af 72 16 63 ee  .S.ca...L.j.r.c.
0010: 63 48 23 2c                                        cH..
]

[CN=Internal Zone Applications root CA, OU=Global Information Security, O=XXXX XXXX, DC=xxxx, DC=com]
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxx]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
    1.3.6.1.5.5.7.3.1   1.3.6.1.5.5.7.3.2]

[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8b 74 8c b4 9e 21 d6 dd  86 f0 51 5f 77 c0 21 52  .t........Q.w..R
0010: 78 ab a8 2a                                        x...
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

]
***
*** ServerHelloDone
301601274@qtp-1542806517-9, WRITE: TLSv1 Handshake, length = 1443
301601274@qtp-1542806517-9, READ: TLSv1 Alert, length = 2
301601274@qtp-1542806517-9, RECV TLSv1 ALERT:  fatal, handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
301601274@qtp-1542806517-9, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure**

需要專家的幫助,以解決可能的問題。

1 個解決方案

解決方案1
 0  2017-12-13 08:59:34

問題出在SslSelectChannelConnector上,該SslSelectChannelConnector在應用程序中被覆蓋以支持HSM,但是,碼頭版本已更新,並且為支持新版本的碼頭所做的更改未納入Overridden類中。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 ssl手搖失敗肥皂 肥皂SSL握手 Java 8 SSL握手失敗 Java SSL握手失敗 SSL握手失敗Java SSL握手失敗 SSL握手失敗錯誤 Websphere SSL握手失敗 SSL握手失敗-HttpClient 4.1.2 SSL握手故障Websphere 2個服務器中的1個
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM