我已经查看了类似的问题,但似乎没有任何内容与我正在做的或建议的修复工作相匹配。
我有一个从Java(JDK 1.8.0_101)配置的Jetty 9.4.0服务器,它不接受来自Chrome或我自己的Java客户端的SSL连接。从openssl s_client连接起作用。
Jetty端报告的错误是“javax.net.ssl.SSLHandshakeException:没有共同的密码套件”。 Chrome报告“客户端和服务器不支持常见的SSL协议版本或密码套件。”
我正在使用内部CA来创建证书。 CA证书已作为受信任添加到Chrome。 Jetty服务器端使用包含私钥,服务器证书和CA可信证书的内存中JKS。
Jetty服务器和Chrome / openssl在同一系统上运行(Windows 10)。
当CHROME连接时从JETTY / JAVA DEBUG输出:
Session ID: {}
Cipher Suites: [Unknown 0xba:0xba, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_56026, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 23130, unknown curve 29, java.security.spec.ECParameterSpec@b25af0c, java.security.spec.ECParameterSpec@4ac6a6d}
Unsupported extension type_64250, data: 00
***
%% Initialized: [Session-11, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-157, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-11, SSL_NULL_WITH_NULL_NULL]
qtp93314457-157, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp93314457-157, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-157, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-157, called closeOutbound()
qtp93314457-157, closeOutboundInternal()
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, READ: TLSv1 Handshake, length = 206
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2087203376 Using SSLEngineImpl.
bytes = { 70, 173, 91, 213, 98, 98, 217, 46, 252, 233, 43, 114, 31, 19, 183, 40, 228, 28, 173, 130, 85, 182, 183, 173, 4, 212, 40, 245 }
Session ID: {}
Cipher Suites: [Unknown 0x8a:0x8a, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_51914, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, java.security.spec.ECParameterSpec@638b01ff, java.security.spec.ECParameterSpec@3dbba4da}
Unsupported extension type_56026, data: 00
***
%% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
matching alias: myPrivateKey for CN=dim.magnicomp.com
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
qtp93314457-151, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
%% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL]
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
qtp93314457-151, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
qtp93314457-151, WRITE: TLSv1.2 Alert, length = 2
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-151, called closeOutbound()
qtp93314457-151, closeOutboundInternal()
qtp93314457-160, READ: TLSv1 Handshake, length = 212
*** ClientHello, TLSv1.2
RandomCookie: GMT: -316909219 bytes = { 57, 49, 102, 214, 160, 20, 226, 56, 251, 203, 38, 163, 9, 6, 194, 243, 5, 216, 212, 3, 4, 190, 51, 224, 44, 154, 92, 64 }
Session ID: {}
Cipher Suites: [Unknown 0xea:0xea, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_23130, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 6682, unknown curve 29, java.security.spec.ECParameterSpec@e90285a, java.security.spec.ECParameterSpec@51bbd50e}
Unsupported extension type_19018, data: 00
***
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-160, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
qtp93314457-160, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp93314457-160, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-160, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-160, called closeOutbound()
qtp93314457-160, closeOutboundInternal()
这是我的码头代码:
private Server createServer() {
Server server = new Server();
server.setStopAtShutdown(true);
if (log.getDebugLevel() >= 1)
server.setDumpAfterStart(true);
ServerConnector httpConnector = createHttpConnector(server);
ServerConnector httpsConnector = createHttpsConnector(server);
server.addConnector(httpConnector);
server.addConnector(httpsConnector);
... snip ...
}
private ServerConnector createHttpsConnector(Server server) {
HttpConfiguration httpConfig = new HttpConfiguration(getBasicHttpConfiguration());
httpConfig.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = createSslContextFactory();
SslConnectionFactory connectionFactory = new SslConnectionFactory(sslContextFactory, HTTP_VERSION);
ServerConnector connector = new ServerConnector(server, connectionFactory, new HttpConnectionFactory(httpConfig));
connector.setPort(getHttpsPort());
connector.setIdleTimeout(getHttpIdleTimeoutSeconds());
return connector;
}
private SslContextFactory createSslContextFactory() {
KeyStore keyStore = createKeyStore();
KeyStore trustStore = createTrustStore();
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setTrustStore(trustStore);
sslContextFactory.setExcludeCipherSuites(excludeCiphers);
sslContextFactory.setExcludeProtocols(excludeProtocols);
return sslContextFactory;
}
private HttpConfiguration getBasicHttpConfiguration() {
if (basicHttpConfig == null) {
basicHttpConfig = new HttpConfiguration();
basicHttpConfig.setSecureScheme("https");
basicHttpConfig.setSecurePort(getHttpsPort());
}
return basicHttpConfig;
}
public KeyStore createKeyStore(...) {
X509Certificate xcert = ...
List<X509Certificate> chain = new ArrayList<>();
chain.add(xcert);
chain.addAll(caCerts);
PrivateKey privateKey = ... ;
String keyAlias = "myPrivateKey for " + xcert.getSubjectX500Principal().getName();
String certAlias = "myCertificate for " + xcert.getSubjectX500Principal().getName();
KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
ks.load(null, null);
ks.setCertificateEntry(certAlias, xcert);
ks.setKeyEntry(keyAlias, privateKey, null, xchain.toArray(new X509Certificate [] {}));
return ks;
}
public KeyStore createTrustStore() {
KeyStore ks = null;
try {
ks = KeyStore.getInstance("JKS");
ks.load(null, null);
} catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException e) {
throw new OperationFailedException(e);
}
int count = 0;
for (CertificateAuthority ca : list) {
boolean isTrusted = (ca.getTrusted() != null) ? ca.getTrusted() : false;
if (isTrusted == false)
continue;
X509Certificate xcert = CertificateConverter.convertToX509Certificate(ca.getCertificate());
String alias = xcert.getSubjectDN().getName();
TrustedCertificateEntry entry = new TrustedCertificateEntry(xcert);
try {
ks.setEntry(alias, entry, null);
++count;
} catch (KeyStoreException e) {
throw new OperationFailedException(e);
}
}
if (count == 0)
throw new OperationFailedException("No Trusted Certificate Authorities found");
return ks;
}
当Jetty服务器启动时,它确实显示它包含在密码:
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=34)
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=48)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_WITH_DES_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
... snip ...
与Jetty的上述Include Ciphers输出以及ClientHello显示的内容(来自Chrome)肯定有多个共同密码。
我可以使用openssl成功连接到Jetty服务器:
openssl s_client -CAfile ca-bundle.crt -connect dim.magnicomp.com:443
CONNECTED(00000003)
depth=2 CN = MagniComp Root CA
verify return:1
depth=1 DC = com, DC = magnicomp, CN = MagniComp Issuing CA3
verify return:1
depth=0 CN = dim.magnicomp.com
verify return:1
---
Certificate chain
0 s:/CN=dim.magnicomp.com
i:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
1 s:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
i:/CN=MagniComp Root CA
2 s:/CN=MagniComp Root CA
i:/CN=MagniComp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHLDCCBRSgAwIBAgITSwAAHrdVt+0m8ilX2QABAAAetzANBgkqhkiG9w0BAQsF
... snip ...
+yePwA+yZbwCJmfm6H/tHw==
-----END CERTIFICATE-----
subject=/CN=dim.magnicomp.com
issuer=/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5896 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 585C70B03124705067B91809B759000159C3537719D2D49CDA95FA34A8A0A838
Session-ID-ctx:
Master-Key: 869543E852F7C7FB0C8849CFE673FDB5C89EA7F8BA118215E00781F80390ADD6DA71B747F8DAA8F5E610FE9EF2F0ADFD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1482453168
Timeout : 300 (sec)
Verify return code: 0 (ok)
这是我正在使用的服务器证书:
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=magnicomp, CN=MagniComp Issuing CA3
Validity
Not Before: Dec 22 22:09:32 2016 GMT
Not After : Dec 22 22:09:32 2017 GMT
Subject: CN=dim.magnicomp.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a1:95:ef:ff:bf:c8:a2:fb:4e:3a:81:b5:4d:36:
03:21:55:3e:fb:35:93:14:b0:4e:93:16:2c:13:fd:
dd:7e:b4:4d:5a:32:04:28:9a:51:93:23:01:e4:80:
37:e9:4e:9b:9e:ca:ba:8d:96:5e:2b:78:2d:f9:3f:
bd:7e:cf:70:32:75:9b:e8:c7:1d:42:d4:ee:8e:2d:
e0:b8:2f:93:02:2b:a4:72:ac:99:8c:6d:05:f9:6b:
18:88:47:52:06:02:71:a9:9d:fe:87:71:d3:4f:28:
84:9b:55:2a:cd:af:37:77:94:a9:cc:6f:26:fe:88:
6b:c0:b5:b2:c6:59:c0:94:dd:af:3a:50:d7:7b:da:
2f:e4:98:b0:8a:b7:56:a7:ed:13:fd:7f:b3:39:14:
76:12:f4:39:0d:b4:ac:31:f3:2b:c6:12:3a:44:ef:
5b:b8:0d:03:0d:e4:f4:06:05:38:46:66:a7:07:9b:
ec:83:af:bc:48:46:d0:32:e7:96:13:96:6a:c6:d9:
49:71:c0:49:3c:04:9b:1e:20:ab:2f:06:af:6f:43:
ff:5a:30:55:35:3b:96:6b:51:61:cf:95:5b:58:c3:
37:e4:bf:05:09:d0:3b:57:82:86:40:bf:7e:bf:d8:
41:be:27:1c:f5:36:a7:b1:63:98:ea:cb:ff:32:99:
60:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:dim.magnicomp.com, DNS:dim
X509v3 Subject Key Identifier:
8D:8D:4E:99:AB:6A:15:32:B8:EA:C0:61:52:9D:3B:BE:A9:2E:C9:13
X509v3 Authority Key Identifier:
keyid:22:D9:24:A4:0C:3C:E9:63:82:D2:22:F6:87:C0:03:A2:2F:97:ED:80
X509v3 CRL Distribution Points:
Full Name:
URI:http://CDP.magnicomp.com/PKI/MagniComp%20Issuing%20CA3.crl
URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=ca3,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:http://CDP.magnicomp.com/PKI/ca3.magnicomp.com_MagniComp%20Issuing%20CA3(1).crt
CA Issuers - URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?cACertificate?base?objectClass=certificationAuthority
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0..&+.....7.....X...........b...d^...q......d...
1.3.6.1.4.1.311.21.10:
0.0
..+.......
Signature Algorithm: sha256WithRSAEncryption
... snip ...
答案 0 :(得分:5)
我终于弄明白了。对于证书和密钥条目,KeyStore别名必须是“jetty”。我使用自定义名称来更轻松地识别密钥库中的条目。
RANT:当它无法在KeyStore中找到证书/密钥时,为什么Jetty或底层Java SSL代码报告“没有共同的密码”?这完全是钝的,几乎没有机会帮助开发人员找出问题所在!
答案 1 :(得分:1)
https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html https://www.eclipse.org/jetty/documentation/current/jetty-ssl-distribution.html
除了码头的官方文件外,别无其他。按照上面的说明进行操作后,再在start.ini中添加以下几行,即可使其正常工作。
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=password
jetty.sslContext.keyManagerPassword=password
jetty.sslContext.trustStorePassword=password