SSLHandshakeException:证书链为空

时间:2019-07-17 21:35:19

标签: java ssl

我正在尝试在Java客户端服务器应用程序中建立SSL连接。我已经为JKS密钥库提供了完整的证书链,但是服务器中仍然出现以下异常:

upcoming handshake states: server finished[20]
*** Certificate chain
<Empty>
***
fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-5, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
MyThread
, SEND TLSv1.2 ALERT:  
fatal, 
description = bad_certificate
MyThread, WRITE: TLSv1.2 Alert, length = 2
MyThread, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
Stack Trace
javax.net.ssl.SSLHandshakeException: null cert chain
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_211]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_211]
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197) ~[?:1.8.0_211]
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165) ~[?:1.8.0_211]
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_211]
    ... 4 more
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_211]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306) ~[?:1.8.0_211]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1939) ~[?:1.8.0_211]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_211]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_211]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_211]
    ... 2 more

不是由于缺少证书引起的。在调试的早期,我们看到以下证书,这些证书的顺序与SSL正确(最具体的优先,从根到最后):

upcoming handshake states: server finished[20]
chain [0] = [
[
  Version: V3
  Subject: CN=ABC
  ...
  Issuer: CN=DEF
  ...
]
chain [1] = [
[
  Version: V3
  Subject: CN=DEF
  ...
  Issuer: CN=GHI
  ...
]
chain [2] = [
[
  Version: V3
  Subject: CN=GHI
  ...
  Issuer: CN=GHI
  ...
]

那么有人可以告诉我为什么会这样吗?可能是客户拒绝了证书吗?

注意:密钥和证书是由另一方提供的;我不能只产生自己的。

2 个答案:

答案 0 :(得分:0)

问题是不是服务器的证书链。服务器拒绝连接,因为它希望客户端进行身份验证。我认为我们可以这样说是因为堆栈跟踪包含ServerHandshaker.clientCertificate()

仅当您调用SSLEngine.setNeedClientAuth()时,Java的SSL引擎才需要客户端身份验证。

答案 1 :(得分:0)

当服务器的信任库不包含CA时,出现上述异常。服务器没有在其CertificateRequest中包含CA,因此客户端别无选择,只能返回一个空列表。我已从LetsEncrypt certbot将fullchain.pem导入到信任库中,但这似乎不包括letsencryptauthorityx3.pem。
通过从https://letsencrypt.org/certificates/下载letsencryptauthorityx3.pem解决 keytool -import -v -trustcacerts -alias letsencryptauthorityx3 -file letsencryptauthorityx3.pem -keystore truststore.ks

相关问题
最新问题