猿问

Jetty 升级到 9.4.19.v20190610 后,传入的客户端请求中未出现 X509 证书

Jetty 升级到后,我没有在传入的客户端请求中获得 X509 证书

9.4.19.v20190610

certifcates = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");

这里的证书是空的。虽然他们是 Jetty 版本

9.4.11.v20180605

我的客户端程序:

private static String loginWithCertificate(String aEndPointURL) {


    String line = "";

    try {

        final String CERT_ALIAS = "employee1";

        String CERT_PASSWORD = "changeit";


        KeyStore identityKeyStore = KeyStore.getInstance("jks");

        FileInputStream identityKeyStoreFile = new FileInputStream(new File(ResourceUtils.getFile("./stores/client1.jks").getAbsolutePath()));

        identityKeyStore.load(identityKeyStoreFile, CERT_PASSWORD.toCharArray());

        KeyStore trustKeyStore = KeyStore.getInstance("jks");

        FileInputStream trustKeyStoreFile = new FileInputStream(new File(ResourceUtils.getFile("./stores/truststore1.jks").getAbsolutePath()));

        trustKeyStore.load(trustKeyStoreFile, CERT_PASSWORD.toCharArray());




        SSLContext sslContext = SSLContexts.custom()

                // load identity keystore

                .loadKeyMaterial(identityKeyStore, CERT_PASSWORD.toCharArray(), new PrivateKeyStrategy() {

                    @Override

                    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {

                        return CERT_ALIAS;

                    }

                })

                // load trust keystore

                .loadTrustMaterial(trustKeyStore, null).build();


        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,

                new String[] { "TLSv1.2", "TLSv1.1", "TLSv1"  }, null, SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);

        CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();

        }

}


明月笑刀无情
浏览 157回答 1
1回答

紫衣仙女

仔细查看您的服务器端 SslContextFactory 使用情况,并着眼于您实际使用的内容(剥离以仅显示 SslContextFactory 使用情况)SslContextFactory sslContextFactory = new SslContextFactory();sslContextFactory.setKeyStoreResource(Resource.newResource(urlKeyStore));sslContextFactory.setKeyStorePassword(credential);sslContextFactory.setExcludeCipherSuites(&nbsp; &nbsp; &nbsp; &nbsp; "SSL_RSA_WITH_DES_CBC_SHA",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_DHE_RSA_WITH_DES_CBC_SHA",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_DHE_DSS_WITH_DES_CBC_SHA",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_RSA_EXPORT_WITH_RC4_40_MD5",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",&nbsp; &nbsp; &nbsp; &nbsp; "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");sslContextFactory.setExcludeProtocols("");有几件事很突出。首先,既然你是服务端,那你就应该使用服务端版本...SslContextFactory sslContextFactory = new SslContextFactory.Server();接下来,您的使用.setExcludedCipherSuites()不完整并引入了漏洞。删除(或注释掉)整行。使用 SslContextFactory 为您提供的默认值。通过该行,可以为 TLS/SSL 使用无证书和无加密配置。另外,你的使用setExcludedProtocols("")不好。它正在设置要排除的单个空白协议。这很糟糕,因为您将自己暴露于各种 SSL 漏洞(更不用说 TLS 漏洞了)也删除(或注释掉)整行。使用 SslContextFactory 为您提供的默认值。通过该行,可以为 TLS/SSL 使用无协议(这意味着无加密)配置。上述 2 个配置会产生大量警告日志,您应该努力拥有一个没有警告的配置。对于上述两个问题,您可能会从连接中使用的密码套件的名称中了解到一些信息。String cipherSuiteName =&nbsp;&nbsp; &nbsp; (String) HttpServletRequest.getAttribute("javax.servlet.request.cipher_suite");您甚至可以获得javax.net.ssl.SSLSession连接中使用的。SslSession sslSession =&nbsp;&nbsp; &nbsp; (SslSession) HttpServletRequest.getAttribute(&nbsp; &nbsp; &nbsp; &nbsp; "org.eclipse.jetty.servlet.request.ssl_session");System.out.println("protocol is " + sslSession.getProtocol());System.out.println("cipher suite is " + sslSession.getCipherSuite());System.out.println("peer certs is " + sslSession.getPeerCertificates());最后,您的代码没有任何迹象表明您甚至想要来自该配置的客户端证书。你是否忘记了其中一个...sslContextFactory.setNeedClientAuth(true);sslContextFactory.setWantClientAuth(true);还是您真的不需要客户证书?
0
随时随地看视频慕课网APP

相关分类

Java
我要回答