尝试实现客户端密钥认证(使用自签名的 CA)。
代码如下:
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("client.p12"), "changeit".toCharArray())
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(null, new TrustSelfSignedStrategy()) //DONT DO THAT, IT'S JUST TO SIMPLIFY THIS EXAMPLE. USE REAL TrustStore WITH REAL SERVER CERTIFICATE IMPORTED. DONT TRUST SELF SIGNED
.loadKeyMaterial(keyStore, "changeit".toCharArray())
.build();
socketFactory = new SSLConnectionSocketFactory(
sslcontext,
new String[] {"TLSv1.2", "TLSv1.1"},
null,
new NoopHostnameVerifier()
);
HttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(socketFactory)
.build();
使用-Djavax.net.debug=all
,我可以看到它正确选择了我的证书,我看到了签名、证书请求和ECDHClientKeyExchange等内容,一切看起来都很好。
但是无论如何,我仍然从Nginx获得以下响应(状态码为400):
<head><title>400 The SSL certificate error</title></head>
请注意,对于不正确的证书/密钥,nginx通常会丢弃会话,而不在明文响应中提供任何详细信息。
这个
client.p12
可以通过命令行工作,例如:$ curl -ivk --cert client.p12:changeit https://192.168.1.1
* Rebuilt URL to: https://192.168.1.1/
* Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* Client certificate: client-es.certs.my
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate: server.certs.my
* Server certificate: ca.my
> GET / HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
所以这个密钥肯定是有效的。但为什么它在Java中不起作用?我在Java SSL配置中是否有遗漏?
client.p12
加载。我也尝试将其导入到密钥库中,但这并没有改变任何东西。 - Igor Artamonov