SSL client-server encryption and authentication

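I need a client and a server to communicate with each other over a secure channel. The client is a Java app and the server is a ucspi-ssl server; for details see: https://www.fehcom.de/i.net/ucspi-ssl/man/sslserver.1.html I want the communication to be simple, without using HTTP.

What I want to achieve:

  1. The communication must be encrypted;
  2. The server must authenticate the client.

Here is what I have done so far:

  1. Create the client private key and a self-signed client certificate:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-certificate.pem
  2. Put both the private key and the certificate into the client keystore:
openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out client-certificate.p12
  3. Create the server private key and a self-signed server certificate:
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-certificate.pem
  4. Add the server certificate to the client truststore:
keytool -import -trustcacerts -file server-certificate.pem -keypass password -storepass password -keystore clienttruststore.jks
  5. Create the DH parameters file:
openssl dhparam -out /etc/ssl/dh2048.pem 2048

At this point, if I were using a Java SSL server, I would specify a server keystore containing the server certificate and private key, and a server truststore populated with the client certificates that need to be verified. But the ucspi-ssl server implementation has no concept of a keystore or truststore. As far as I understand, the given environment variables need to be set:

X509 certificate and encryption options: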

 -3  Read a null-terminated key password from file descriptor 3.
 -m  (Mail.) Require valid client certificates, but don't check for matching FQDN.
 -z  (Host.) Require valid client certificates and match FQDN (if given) against SAN/DN.
 -Z  (Default.) Do not require client certificates.

SSL environment variables read

 These variables define the run-time environment of sslserver and are used to specify X509 certificates and keyfile per connection.

 $SSL_USER=name
     The user, reading the certificates and keyfile.
 $SSL_GROUP=group
     The respective user group.
 $SSL_UID=uid
     The numerical UID of the $SSL_USER.
 $SSL_CHROOT=path
     Perform reading of certificates and keyfile in a $SSL_CHROOT jail.
 $CAFILE=path
     If set, overrides the compiled-in CA file name. The CA file contains the list of CAs used to verify the client certificate. Certificates in $CAFILE are processed when the server starts.
 $CADIR=path
     If set, overrides the compiled-in CA directory name. The CA directory contains certificates files used to verify the client certificate. This list augments the list from $CAFILE. Certificates in $CADIR are processed during certificate verification.
 $CERTFILE=path
     If set, overrides the compiled-in certificate file name. The server presents this certificate to clients.
 $CERTCHAINFILE=path
     If set, overrides the compiled-in certificate chainfile name. The server presents this list of certificats to clients. Note: Providing $CERTCHAINFILE has precedence over $CERTFILE. Certificates in this file needs to be 'ordered' starting from the uppermost root certificates and placing your host's it's certificate.
 $VERIFYDEPTH=n
     If set, overrides the compiled-in verification depth. Default: 1.
 $CCAFILE=path
     If set, overrides the compiled-in client CA file name for client certificate request. The client CA file contains the list of CAs sent to the client when requesting a client certificate. Note: Setting of $CCAFILE is required while using the option -z or -m. However, declaring $CCAFILE="-" disables (on a per-connection base) the client certificate request.
 $CCAVERIFY
     If set, sslserver requests a valid client certificate on a per-connection base, unlike the general option -z.

SSL environment variables set

 In case sslserver is called with the option -e, the following mod_ssl environment variables are provided:

 SSL_PROTOCOL            The TLS protocol version (SSLv3, TLSv1, ...).
 SSL_SESSION_ID          The hex-encoded SSL session id.
 SSL_CIPHER              The cipher specification name.
 SSL_CIPHER_USEKEYSIZE   Number of cipher bits (actually used).
 SSL_CIPHER_ALGKEYSIZE   Number of cipher bits (possible).
 SSL_VERSION_INTERFACE   The mod_ssl program version.
 SSL_VERSION_LIBRARY     The OpenSSL program version.
 SSL_CLIENT_M_VERSION    The version of the client certificate.
 SSL_CLIENT_M_SERIAL     The serial of the client certificate.
 SSL_CLIENT_S_DN         Subject DN in client's certificate.
 SSL_CLIENT_A_SIG        Algorithm used for the signature of client's certificate.
 SSL_CLIENT_A_KEY        Algorithm used for the public key of client's certificate.
 SSL_CLIENT_CERT         PEM-encoded client certificate.
 SSL_CLIENT_CERT_CHAIN n PEM-encoded certificates in client certificate chain.
 SSL_CLIENT_VERIFY       NONE, SUCCESS, GENEROUS or FAILED:reason.
 SSL_SERVER_M_SERIAL     The serial of the server certificate.
 SSL_SERVER_S_DN         Subject DN in server's certificate.
 SSL_SERVER_S_DN_x509    Component of server's Subject DN.
 SSL_SERVER_I_DN         Issuer DN of server's certificate.
 SSL_SERVER_I_DN_x509    Component of server's Issuer DN.
 SSL_SERVER_V_START      Validity of server's certificate (start time).
 SSL_SERVER_V_END        Validity of server's certificate (end time).
 SSL_SERVER_A_SIG        Algorithm used for the signature of server's certificate.
 SSL_SERVER_A_KEY        Algorithm used for the public key of server's certificate.
 SSL_SERVER_CERT         PEM-encoded server certificate.

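How do I tell the ucspi-ssl server that the client certificate can be trusted, and have it perform client authentication?

I tried running the server with the following command: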

sslserver -v -m  localhost 12345 ./some_script.sh

with the following environment variables set:

DHFILE=/etc/ssl/dh2048.pem
CERTFILE=server-certificate.pem
KEYFILE=server-key.pem

Here is the Java SSL client code:

try {
           // Client key store
           System.setProperty("https.protocols", "SSLv3");
           System.setProperty("javax.net.debug", "all");
           KeyStore keyStore = KeyStore.getInstance("PKCS12");
           String password = "password";
           InputStream inputStream = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/client-certificate.p12");
           keyStore.load(inputStream, password.toCharArray());

           // Client trust store
           KeyStore trustStore = KeyStore.getInstance("JKS");
           String password2 = "password";
           TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
           InputStream inputStream1 = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/clienttruststore.jks");
           trustStore.load(inputStream1, password2.toCharArray());
           trustManagerFactory.init(trustStore);
           X509TrustManager x509TrustManager = null;
           for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
               if (trustManager instanceof X509TrustManager) {
                   x509TrustManager = (X509TrustManager) trustManager;
                   break;
               }
           }

           if (x509TrustManager == null) throw new NullPointerException();

           // KeyManagerFactory ()
           KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
           keyManagerFactory.init(keyStore, password.toCharArray());
           X509KeyManager x509KeyManager = null;
           for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
               if (keyManager instanceof X509KeyManager) {
                   x509KeyManager = (X509KeyManager) keyManager;
                   break;
               }
           }
           if (x509KeyManager == null) throw new NullPointerException();

           // set up the SSL Context
           SSLContext sslContext = SSLContext.getInstance("TLS");
           sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager}, null);

           SSLSocketFactory socketFactory = sslContext.getSocketFactory();
           SSLSocket kkSocket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 12345);
           kkSocket.setUseClientMode(false);
           kkSocket.setEnabledProtocols(new String[]{"TLSv1","TLSv1.1","TLSv1.2","TLSv1.3"});
           kkSocket.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           });

           PrintWriter out = new PrintWriter(kkSocket.getOutputStream(), true);
           BufferedReader in = new BufferedReader(
                   new InputStreamReader(kkSocket.getInputStream()));

           BufferedReader stdIn =
                   new BufferedReader(new InputStreamReader(System.in));
           String fromServer;
           String fromUser;

           while ((fromServer = in.readLine()) != null) {
               System.out.println("Server: " + fromServer);
               if (fromServer.equals("Bye."))
                   break;

               fromUser = stdIn.readLine();
               if (fromUser != null) {
                   System.out.println("Client: " + fromUser);
                   out.println(fromUser);
               }
           }
       }catch (IOException e){
           e.printStackTrace();
       } catch (UnrecoverableKeyException e) {
           throw new RuntimeException(e);
       } catch (CertificateException e) {
           throw new RuntimeException(e);
       } catch (KeyStoreException e) {
           throw new RuntimeException(e);
       } catch (NoSuchProviderException e) {
           throw new RuntimeException(e);
       } catch (KeyManagementException e) {
           throw new RuntimeException(e);
       }

When I start the client, it blocks for about 10 seconds and shows the following debug messages:

javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.621 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.622 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.627 CET|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.641 CET|SSLConfiguration.java:458|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2

Then the client times out and exits:

javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.685 CET|SSLSocketInputRecord.java:481|Raw read: EOF
javax.net.ssl|ERROR|10|main|2023-01-27 18:21:07.687 CET|TransportContext.java:363|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
    at org.example.App.main(App.java:75)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    ... 12 more}

)
javax.net.ssl|ALL|10|main|2023-01-27 18:21:07.687 CET|SSLSessionImpl.java:1221|Invalidated session:  Session(1674840041640|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:71|WRITE: TLSv1.3 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28                               ......(
)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1754|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1780|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
    at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    ... 12 more

Process finished with exit code 0

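Here is the formatted and cleaned-up Java client code, along with the ucspi-ssl server environment variables needed to make SSL communication between the two parties work.

Java client code: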

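    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintWriter;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // Wrapper class and main() added so the fragment compiles; the class name is a placeholder.
    public class Client {
        public static void main(String[] args) {
            try {
                System.setProperty("javax.net.debug", "all");

                String keystore_path = "<keystore_path>";
                String keystore_password = "<keystore_password>";

                String truststore_path = "<truststore_path>";
                String truststore_password = "<truststore_password>";

                // Keystore: the client's private key and certificate, presented to the server
                KeyStore keystore = KeyStore.getInstance("PKCS12");
                keystore.load(new FileInputStream(keystore_path), keystore_password.toCharArray());
                KeyManagerFactory key_manager_factory = KeyManagerFactory.getInstance("SunX509");
                key_manager_factory.init(keystore, keystore_password.toCharArray());

                // Truststore: the server certificate the client accepts
                KeyStore truststore = KeyStore.getInstance("PKCS12");
                truststore.load(new FileInputStream(truststore_path), truststore_password.toCharArray());
                TrustManagerFactory trust_manager_factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trust_manager_factory.init(truststore);

                // SSL context built from the key managers and trust managers above
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(key_manager_factory.getKeyManagers(), trust_manager_factory.getTrustManagers(), null);

                // SSL socket: this side acts as the TLS client and starts the handshake
                SSLSocketFactory socketFactory = sslContext.getSocketFactory();
                SSLSocket ssl_socket = (SSLSocket) socketFactory.createSocket("server_ip", 12345);
                ssl_socket.setUseClientMode(true);
                ssl_socket.setEnabledProtocols(new String[]{"TLSv1.3"});
                // Ciphers supported by both the client and the ucspi-ssl server
                ssl_socket.setEnabledCipherSuites(new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"});

                // In and out streams
                PrintWriter out = new PrintWriter(ssl_socket.getOutputStream(), true);
                BufferedReader in = new BufferedReader(new InputStreamReader(ssl_socket.getInputStream()));

                // You can now interact with the server using the input and output streams

            } catch (IOException | KeyManagementException | KeyStoreException | UnrecoverableKeyException |
                     CertificateException | NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }
    }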

Server environment variables:

  • KEYFILE=server-key.pem
  • CERTFILE=server-certificate.pem
  • CAFILE=client-certificate.pem
  • CCAFILE=client-certificate.pem
  • DHFILE=/etc/ssl/dh2048.pem

The server is started with:

sslserver -v -m localhost 12345 ./some_script.sh 
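
A handler in the role of some_script.sh, as an added example that is not part of the original answer: started as `sslserver -v -e -m localhost 12345 ./some_script.sh`, it serves the connection only when SSL_CLIENT_VERIFY is SUCCESS and SSL_CLIENT_S_DN is on an allowlist, so a certificate that merely chains to something in $CAFILE is not enough. The DN values, the slash-separated DN form and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: connection handler for sslserver -e -m (not code from the page).
# With -e, sslserver exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN (see the man page excerpt).

# Constructed allowlist, one subject DN per line. The slash-separated form is an
# assumption; copy the exact string your sslserver exports for your client certificate.
ALLOWED_CLIENT_DNS='/C=DE/O=Example/CN=reservations-client
/C=DE/O=Example/CN=reporting-client'

# client_decision VERIFY DN
# Prints "allow" or "deny:<reason>" and returns 0 only for "allow".
client_decision() {
    cd_verify=$1
    cd_dn=$2
    case $cd_verify in
        SUCCESS) ;;
        '' | NONE) echo "deny:no-client-certificate"; return 1 ;;
        FAILED:*) echo "deny:verification-failed"; return 1 ;;
        *) echo "deny:not-verified"; return 1 ;;   # GENEROUS or anything unexpected
    esac
    if [ -z "$cd_dn" ]; then
        echo "deny:empty-subject"
        return 1
    fi
    # Whole-string comparison against each allowlist line: no prefix, substring or
    # pattern matching, and a DN that contains a newline can never match.
    while IFS= read -r cd_allowed; do
        if [ "$cd_dn" = "$cd_allowed" ]; then
            echo "allow"
            return 0
        fi
    done <<EOF
$ALLOWED_CLIENT_DNS
EOF
    echo "deny:subject-not-allowlisted"
    return 1
}

# printable TEXT: drop control characters so a certificate field cannot forge log lines.
printable() {
    printf '%s' "$1" | tr -d '[:cntrl:]'
}

# handle_connection: stdout goes to the TLS client, stderr stays on the server side.
handle_connection() {
    if hc_decision=$(client_decision "${SSL_CLIENT_VERIFY:-}" "${SSL_CLIENT_S_DN:-}"); then
        echo "Welcome."
        # ... application protocol goes here ...
        echo "Bye."
        return 0
    fi
    echo "rejected: $hc_decision verify=$(printable "${SSL_CLIENT_VERIFY:-}") dn=$(printable "${SSL_CLIENT_S_DN:-}")" >&2
    echo "Bye."
    return 1
}

# Serve only when started by sslserver -e, which sets SSL_PROTOCOL; without it
# nothing is served and the client just sees the connection close.
if [ -n "${SSL_PROTOCOL:-}" ]; then
    handle_connection
fi
```
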
