Chr*_*ner 2 java ssl spring-boot lets-encrypt
使用很棒的库 acme4j,我创建了 3 个文件。
我遇到的问题是,当我将它们转换为 keystore.p12 时,我无法让 Spring Boot 使用它。我使用以下命令创建了 keystore.p12 文件:
openssl pkcs12 -export -out keystore.p12 -inkey domain.key -in domain-chain.crt
配置是这样设置的
server:
port: 9443
ssl:
key-store: keystore.p12
key-password: secret
key-store-type: PKCS12
但是,如果我尝试击中终点,我就会javax.net.ssl.SSLHandshakeException: no cipher suites in common被抛出。
这似乎是一个相对常见的问题,一个建议是按照https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html启用调试
所以,这样做并再次击中终点我可以看到
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.917 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS11
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.917 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.917 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS11
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.918 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLS10
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.918 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLS10
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.918 NZST|HandshakeContext.java:294|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS10
而且我确信答案在 ClientHello 响应中的某个地方,但我无法理解如何理解问题或如何解决它
javax.net.ssl|DEBUG|2B|reactor-http-epoll-2|2019-05-03 07:47:10.934 NZST|ClientHello.java:806|Consuming ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "C5 25 B0 63 79 3A D5 FB 76 1C 7B DF B5 E9 74 2A 5F FF 2E 1B 7B F0 21 66 5B 33 9C 64 3F 52 40 2A",
"session id" : "",
"cipher suites" : "[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_DH_DSS_WITH_AES_256_GCM_SHA384(0x00A5), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DH_RSA_WITH_AES_256_GCM_SHA384(0x00A1), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DH_RSA_WITH_AES_256_CBC_SHA256(0x0069), TLS_DH_DSS_WITH_AES_256_CBC_SHA256(0x0068), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DH_RSA_WITH_AES_256_CBC_SHA(0x0037), TLS_DH_DSS_WITH_AES_256_CBC_SHA(0x0036), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_DH_DSS_WITH_AES_128_GCM_SHA256(0x00A4), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DH_RSA_WITH_AES_128_GCM_SHA256(0x00A0), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DH_RSA_WITH_AES_128_CBC_SHA256(0x003F), TLS_DH_DSS_WITH_AES_128_CBC_SHA256(0x003E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_DH_RSA_WITH_AES_128_CBC_SHA(0x0031), TLS_DH_DSS_WITH_AES_128_CBC_SHA(0x0030), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=example.com
},
"ec_point_formats (11)": {
"formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
},
"supported_groups (10)": {
"versions": [secp256r1, secp521r1, UNDEFINED-NAMED-GROUP(28), UNDEFINED-NAMED-GROUP(27), secp384r1, UNDEFINED-NAMED-GROUP(26), secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1]
},
"unknown extension (35)": {
},
"signature_algorithms (13)": {
"signature schemes": [rsa_pkcs1_sha512, dsa_sha512, ecdsa_secp512r1_sha512, rsa_pkcs1_sha384, dsa_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha256, dsa_sha256, ecdsa_secp256r1_sha256, rsa_sha224, dsa_sha224, ecdsa_sha224, rsa_pkcs1_sha1, dsa_sha1, ecdsa_sha1]
},
"unknown extension (13,172)": {
}
]
}
)
我是否需要做一些比我已经做的更多的事情?我正在运行OpenJDK Runtime Environment Zulu11.31+11-CA并使用2.1.3.RELEASE带有 WebFlux 的Spring Boot ,因此如果这有所不同,请在 Netty 上运行
干杯
更新:
感谢有用的评论,我尝试按照建议使用 openssl s_client ,结果看起来根本没有加载证书?
CONNECTED(00000003)
140175956235392:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1536:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 338 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
我不熟悉您使用的配置,但我会尝试使用key-store-password: secret除key-password: secret(你已经有了)。
Java 密钥库格式(通常)允许使用两种密码:一种用于存储,一种用于密钥本身。
对于您生成的 p12 文件,它们应该是相同的。是否需要指定两者取决于加载此配置的工具(例如,如果未指定密钥,某些库将使用密钥库密码)。
如果 store 和 key 没有解锁,证书就不会被使用,所以它会尝试使用一个匿名密码套件,这个密码套件不是由客户端公布的,也可能在服务器上默认被禁用。
| 归档时间: |
|
| 查看次数: |
1332 次 |
| 最近记录: |