[Solved] SSL handshake terminates with javax.net.ssl.SSLException: readHandshakeRecord
2022-02-02 17:40:32
Question
We are trying to set up client-server authentication. The client and the server each have a machine certificate signed by the same CA and intermediate CA. When we start the handshake with javax.net.debug=ssl:handshake, the log below appears after the various certificates have been printed out. The protocol used is TLS v1.2 and the Java is OpenJDK 11.
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [VARIOUS CAs]
}
)
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.905 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.906 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for EC
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for RSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|X509Authentication.java:213|No X.509 cert selected for DSA
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.907 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.908 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.913 CEST|ECDHClientKeyExchange.java:396|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 11 88 67 1F E4 73 35 2B 1A 81 23 BF D7 40 57 ...g..s5+..#..@W
.....AND MORE k
},
}
)
javax.net.ssl|DEBUG|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.921 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|ERROR|37|http-nio-127.0.0.1-8080-exec-9|2021-08-17 10:20:31.925 CEST|TransportContext.java:318|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLException: readHandshakeRecord
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
Update: It seems that a certificate with the correct algorithm cannot be found in the JKS. Is there another way to check for the mismatching certificates?
Update 2: full debug mask
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "31 18 43 1E A8 0B 29 B4 5A F0 F2 A3 C1 2D 0A 35 AA A4 93 79 5A 5E 38 88 48 ED 1E AF 76 A0 4A E6",
"session id" : "10 17 F6 A9 A3 E9 E1 4E 80 5E A0 95 7C 7B 53 03 17 59 84 98 55 71 A9 4F 13 68 C2 24 3A E6 CD 09",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=clienthostname.dmz.test-group.net
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: 79 10 30 AA 4A 56 70 8B 51 26 11 78 9
..AND MORE
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.830 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS13 handshake, length = 409
12:42:58.868 CEST|SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.873 CEST|SSLSocketInputRecord.java:247|READ: TLSv1.2 handshake, length = 3968
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.874 CEST|ServerHello.java:872|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "61 1C E4 32 61 9B 53 5D B7 CF 38 FC DC 1A 01 86 42 67 0B 44 64 05 CF CB 88 01 A1 D7 45 6A 30 50",
"session id" : "61 1C E4 32 64 3A 16 64 2B 53 63 A5 68 C6 6B 1A 25 8F 9B 11 04 5D 42 A4 3B 0E 12 6E 57 57 15 C6",
"cipher suite" : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
"compression methods" : "00",
"extensions" : [
"renegotiation_info (65,281)": {
"renegotiated connection": [<no renegotiated connection>]
}
]
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|ServerHello.java:968|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.875 CEST|SSLSessionImpl.java:210|Session initialized: Session(1629283378875|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.876 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.878 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "12 2F 77 E8 55 D7 E6 2A 5C 5A BC 82 98 CD 5F 94",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate System CA, O=TEST Group",
"not before" : "2019-02-06 11:52:50.000 CET",
"not after" : "2022-02-06 11:52:50.000 CET",
"subject" : "CN=prestest.sis.dom, OU=b2c, O=TEST Group AG, L=Dallas, ST=Dallas, C=COM",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C
..AND MORE
]
},
{
ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
},
{
ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
timeStamping
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: prestest.sis.dom
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F B0 29 8F 09 13 12 A2
..AND MORE
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 82 6A BA CD 96 8E 7C CE 36 F9 2E A9 DC
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "13 B8 D6 3B 49 E6 08 EA 59 E9 E8 3E 59 5E 06 E3",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 14:12:46.000 CEST",
"not after" : "2027-10-20 14:12:46.000 CEST",
"subject" : "CN=TEST Corporate Root CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D0 69 0E 0C 2A B6 1F 4C D4 B1 B4 7C 59 3A
..AND MORE
]
]
}
]}
]
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.879 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "17 13 7A 67 BC 5C EB ED 59 E9 F8 CF A0 D9 90 59",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEST Corporate Root CA, O=TEST Group",
"not before" : "2017-10-20 15:23:27.000 CEST",
"not after" : "2027-10-19 15:23:27.000 CEST",
"subject" : "CN=TEST Corporate System CA, O=TEST Group",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D0 69
..AND MORE
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
CN=TEST Corporate Root CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=TEST Corporate System CA, O=TEST Group
RFC822Name: [email protected]
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 E2 8
]
]
}
]}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|ECDHServerKeyExchange.java:505|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "secp256r1"
"ecdh public": {
0000: 04 25
..AND MORE
},
},
"digital signature": {
"signature algorithm": "rsa_pkcs1_sha256"
"signature": {
0000: 13 FA 5
..AND MORE
},
}
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:672|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate types": [rsa_sign, dss_sign, ecdsa_sign]
"supported signature algorithms": [ecdsa_secp521r1_sha512, rsa_pkcs1_sha512, ecdsa_secp384r1_sha384, rsa_pkcs1_sha384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
"certificate authorities": [CN=TEST Corporate Root CA, O=TEST Group, CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM, CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG]
}
)
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.881 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.882 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha224
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for EC
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for RSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|X509Authentication.java:244|No X.509 cert selected for DSA
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:765|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|WARNING|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateRequest.java:775|No available authentication scheme
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.883 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 7
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.884 CEST|SSLSocketOutputRecord.java:255|Raw write (
0000: 16 03 03 00 07 0B 00 00 03 00 00 00 ............
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 88 CE
..AND MORE .
},
}
)
javax.net.ssl|DEBUG|24|http-nio-127.0.0.1-8080-exec-2|2021-08-18 12:42:58.885 CEST|SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 70
Update 3: It seems the keystore is not being loaded; this will be fixed so that it is loaded from custom code.
Solution
The problem was in the Axis client that calls the server. Axis took its configuration from client-config.wsdd, and the product library am-client.jar set the following property as the default:
<parameter name="axis.socketSecureFactory" value="com.rsa.webservice.transport.IMSSecureSocketFactory" />
This IMSSecureSocketFactory does not read the keystore properties (javax.net.ssl.keyStore) from the system. As a result, X509Authentication was reading from a KeyManager with no entries, and no certificate could be matched.
Adding the following property to AxisProperties solved it:
AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.JSSESocketFactory");
I hope this helps someone; it was really painful to debug.
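The question's first update asks for another way to check which keystore entries fail to match, and the answer shows that the root cause was a KeyManager built without the keystore at all. The following diagnostic is an added example, not code from the original post or from Axis: it loads the keystore from the same javax.net.ssl.keyStore* system properties that the default JSSE socket factory honours, inventories every alias, and then asks the resulting X509KeyManager the same question JSSE asks when it consumes a CertificateRequest (chooseClientAlias with the advertised key types and CA names). The class name ClientCertCheck is hypothetical; the key types and the CA distinguished names are copied from the CertificateRequest in the log above and should be replaced with the values from your own handshake trace.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic (hypothetical class, not part of the original post).
 * Reproduces JSSE's client-certificate selection outside the handshake so a
 * "No X.509 cert selected for ..." result can be explained from the keystore
 * contents instead of guessed at from the debug log.
 */
public class ClientCertCheck {

    // "certificate types" from the CertificateRequest: rsa_sign, dss_sign, ecdsa_sign.
    static final String[] KEY_TYPES = {"RSA", "DSA", "EC"};

    // "certificate authorities" from the CertificateRequest in the question's log
    // (the flattened list split into individual DNs). Replace with your own.
    static final String[] CA_NAMES = {
        "CN=TEST Corporate Root CA, O=TEST Group",
        "CN=TEST System CA, OU=Corporate Function IT, O=TEST Group AG, C=COM",
        "CN=TEST Corporate Root CA, OU=Corporate Function IT, O=TEST Group AG, C=COM",
        "CN=Test Service ID CA 1024 Class 1, C=COM, OU=Class 1 (Service Certificates), OU=CA Services, O=Test Services AG"
    };

    /** Loads the keystore the way the default JSSE context does: from system properties. */
    static KeyStore loadKeyStoreFromSystemProperties() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.keyStorePassword", "");
        if (path == null) {
            // This is exactly the state a socket factory that ignores the property ends up in.
            throw new IllegalStateException("javax.net.ssl.keyStore is not set: KeyManager would be empty");
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw.toCharArray());
        }
        return ks;
    }

    /** Builds the X509KeyManager JSSE would use for this keystore. */
    static X509KeyManager keyManagerFor(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available from " + kmf.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStoreFromSystemProperties();
        char[] keyPw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();

        // 1. Inventory: only entries with a private key can answer a CertificateRequest;
        //    trustedCertEntry aliases are silently skipped by the key manager.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trustedCertEntry (not usable for client auth)");
                continue;
            }
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": key=" + leaf.getPublicKey().getAlgorithm()
                + " subject=" + leaf.getSubjectX500Principal()
                + " issuer=" + leaf.getIssuerX500Principal()
                + " chainLength=" + ks.getCertificateChain(alias).length);
        }

        // 2. The selection JSSE performs for each key type against the server's CA list.
        X509KeyManager km = keyManagerFor(ks, keyPw);
        Principal[] issuers = new Principal[CA_NAMES.length];
        for (int i = 0; i < CA_NAMES.length; i++) {
            issuers[i] = new X500Principal(CA_NAMES[i]);
        }
        for (String keyType : KEY_TYPES) {
            String[] candidates = km.getClientAliases(keyType, issuers);
            System.out.println(keyType + " candidates: "
                + (candidates == null ? "none" : String.join(", ", candidates)));
        }
        String chosen = km.chooseClientAlias(KEY_TYPES, issuers, null);
        System.out.println(chosen == null
            ? "No alias matches: the handshake will log \"No X.509 cert selected\" and send an empty Certificate"
            : "Handshake would present alias: " + chosen);
    }
}
```

Run it with the same JVM flags the application uses, for example java -Djavax.net.ssl.keyStore=client.jks -Djavax.net.ssl.keyStorePassword=<password> ClientCertCheck. If this prints a matching alias while the real handshake still sends an empty Certificate message, the keystore is fine and the socket factory in use is not building its KeyManager from these properties, which is the situation the answer describes; if it prints no candidates, the inventory lines show whether the cause is a missing private key, a key algorithm the server did not request, or an issuer chain that does not lead to any of the advertised CAs.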