11/freebsd-12.1)

e0uiprwp  于 2021-06-29  发布在  Java
关注(0)|答案(0)|浏览(281)

我正在尝试调试为什么javamail客户机不能成功地连接到邮件服务器来转发消息。我安装了sslpoke来查看ssl连接的情况,因为javamail客户机嵌入了一个重要的web应用程序(idempiere)。
这似乎与用于建立连接的java密钥库有关。但我不知道这有什么问题。
本地密钥库的内容包括:

JAVA_VERSION="11" keytool -list -v -keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: accounting-2
Creation date: Dec 14, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=accounting.harte-lyne.ca
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ISSUER_2016
Serial number: 20160054
Valid from: Fri Jul 31 20:00:00 EDT 2020 until: Sun Aug 31 19:59:59 EDT 2025
Certificate fingerprints:
     SHA1: 20:C4:82:9B:55:08:6C:6B:6D:C3:85:7C:52:5A:87:27:11:48:E9:B6
     SHA256: 98:26:68:02:9D:80:BD:34:B6:FD:93:A1:77:90:C1:5F:1D:75:1C:A7:1D:1B:BF:17:D6:B0:D7:83:78:2E:4E:23
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

# 1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false

0000: 16 35 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  .5http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 41 5F 48 4C 4C  e-lyne.ca/CA_HLL
0020: 5F 49 53 53 55 45 52 5F   32 30 31 36 2F 63 72 6C  _ISSUER_2016/crl
0030: 2D 76 31 2E 63 72 6C                               -v1.crl

# 2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false

AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/ca.crt
]
]

# 3: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD C6 20 77 C5 AA E8 34   43 99 C4 3D 5B 65 9A 3C  .. w...4C..=[e.<
0010: 2D 14 8E AF                                        -...
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [    02]
]

# 4: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/crl-v2.crl]
]]

# 5: ObjectId: 2.5.29.32 Criticality=false

CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.3.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1B 68 74 74 70 3A 2F   2F 63 61 2E 68 61 72 74  ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63   61 2F 43 50 53           e-lyne.ca/CPS

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 34 1A 32 4C 69 6D 69   74 65 64 20 4C 69 61 62  04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73   65 65 20 68 74 74 70 3A  ility, see http:
0020: 2F 2F 63 61 2E 68 61 72   74 65 2D 6C 79 6E 65 2E  //ca.harte-lyne.
0030: 63 61 2F 43 50 53                                  ca/CPS

]]  ]
]

# 6: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [
  serverAuth
  clientAuth
  emailProtection
]

# 7: ObjectId: 2.5.29.18 Criticality=false

IssuerAlternativeName [
  RFC822Name: certificates@harte-lyne.ca
  URIName: http://ca.harte-lyne.ca
]

# 8: ObjectId: 2.5.29.15 Criticality=false

KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

# 9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false

NetscapeCertType [
   SSL client
   SSL server
   S/MIME
]

# 10: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [
  RFC822Name: certificates@example.com
  DNSName: accounting.harte-lyne.ca
  DNSName: accounting
  DNSName: accounting.internal
  DNSName: accounting.harte-lyne.ca
  DNSName: accounting.internal.harte-lyne.ca
  DNSName: accounting-1
  DNSName: accounting-1.internal
  DNSName: accounting-1.harte-lyne.ca
  DNSName: accounting-1.internal.harte-lyne.ca
  DNSName: accounting-2
  DNSName: accounting-2.internal
  DNSName: accounting-2.harte-lyne.ca
  DNSName: accounting-2.internal.harte-lyne.ca
  DNSName: ledgersmb
  DNSName: ledgersmb.internal
  DNSName: ledgersmb.harte-lyne.ca
  DNSName: ledgersmb.internal.harte-lyne.ca
  DNSName: localhost
  DNSName: localhost.harte-lyne.ca
  IPAddress: 216.185.71.87
  IPAddress: 192.168.216.87
  IPAddress: 192.168.216.88
  IPAddress: 216.185.71.87
  IPAddress: 216.185.71.88
  IPAddress: 127.0.87.1
  IPAddress: 127.0.88.1
  IPAddress: 127.0.0.1
]

# 11: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 12 19 8F 6E CB 1D 21   C2 7F 59 03 C6 69 B6 FB  #...n..!..Y..i..
0010: 41 99 B5 89                                        A...
]
]

*******************************************
*******************************************

这是从包含以下内容的pkcs12文件创建的:

openssl pkcs12 -in accounting-2.p12 | grep subject
Enter Import Password:
subject=CN = accounting.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
subject=CN = CA_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
subject=CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

使用:

JAVA_VERSION="11" keytool -importkeystore  -srckeystore accounting-2.p12  -destkeystore accounting-2.keystore -srcstoretype pkcs12 -alias accounting-2

cp -p accounting-2.keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore

我连接到的服务使用ca\ U issuer\ 2016颁发的证书,并引用包含该颁发者及其根证书的ca\ U捆绑包。
但是,当我使用sslpoke连接到此服务器以测试密钥库的有效性时,我得到以下结果:

JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore  SSLPoke 192.168.216.32 465
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.441 EST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.607 EST|SSLCipher.java:1840|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.611 EST|SSLCipher.java:1994|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|WARNING|01|main|2020-12-18 09:42:33.660 EST|SSLSocketImpl.java:1550|handling exception (
"throwable" : {
  java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

结果发现 java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 此错误是由于密钥库受密码保护而未提供密码造成的。
提供密码后,错误会发生变化:
export pw=keystore\u密码

JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore  -Djavax.net.ssl.trustStorePassword=$PW  -Djavax.net.ssl.keyStorePassword=$PW SSLPoke google.ca 443
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore  -Djavax.net.ssl.trustStorePassword=$PW  -Djavax.net.ssl.keyStorePassword=$PW SSLPoke google.ca 443javax.net.ssl|DEBUG|01|main|2020-12-18 10:13:45.561 EST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:13:45.904 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我不知道怎么解释这个。这个消息是否意味着我正在使用的密钥库中缺少google证书链?或者这是否意味着本地密钥库不包含本地主机的证书?
如果我将目标更改为一个服务,该服务的证书由与客户端相同的颁发者和根ca颁发,则会出现相同的错误:

JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore  -Djavax.net.ssl.trustStorePassword=$PW  -Djavax.net.ssl.keyStorePassword=$PW SSLPoke webmail.harte-lyne.ca 443
javax.net.ssl|DEBUG|01|main|2020-12-18 10:18:23.532 EST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:18:23.889 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

在keystore中需要为工作连接提供什么?我使用openssl s\ U客户端和我们自己的证书连接到我们的内部服务没有问题。
进一步的测试有些改变。我决定将中间证书和根证书手动添加到密钥库的副本中。然后,错误发生了变化:
java\u version=“11”keytool-import-trustcacerts-file/usr/local/etc/pki/tls/certs/ca\u hll\u issuer\u 2016.crt-别名'hartelyneissuer2016[hll]'-密钥库/root/ca\u certs\u accounting-2.keystore输入密钥库密码:
所有者:dc=ca,dc=harte lyne,c=ca,st=ontario,l=hamilton,o=harte&lyne limited,ou=networked data services,cn=ca\U issuer\U 2016。信任此证书[否]:是证书已添加到密钥库
ava\u version=“11”密钥工具-导入-信任证书-文件/usr/local/etc/pki/tls/certs/ca\u hll\u root\u 2016.crt-别名'hartelyneroot2016[hll]'-密钥库/root/ca\u certs\u accounting-2.keystore输入密钥库密码:
所有者:l=hamilton,dc=ca,dc=harte lyne,c=ca,ou=networked data services,o=harte&lyne limited,st=ontario,cn=ca\hll\U root\U 2016。信任此证书[否]:是证书已添加到密钥库
现在sslpoke给出了以下错误:

JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/root/ca_certs_accounting-2.keystore  -Djavax.net.ssl.trustStorePassword=$PW  -Djavax.net.ssl.keyStorePassword=$PW SSLPoke webmail.harte-lyne.ca 443
javax.net.ssl|DEBUG|01|main|2020-12-18 10:33:08.306 EST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:33:08.626 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors (
"throwable" : {

根据java上的ssl异常:path不与前面错误的任何信任锚点链接, unable to find valid certification path to requested target ,这是因为keytool一次只导入一个证书,而与pkcs12文件中提供的证书链的长度无关。因此,添加缺少的中间证书和根证书将消除该问题,并导致 Path does not chain with any of the trust anchors 错误。
现在的问题是:如何建立私有ca根证书作为java可以接受的信任锚?
我之前已经将根证书和中间证书添加到java\u home中的cacerts文件的副本中:

keytool -keystore  /usr/local/openjdk11/lib/security/cacerts -storepass changeit -list | grep hll
hartelyneissuer2016 [hll], Dec 14, 2020, trustedCertEntry, 
hartelyneroot2016 [hll], Dec 14, 2020, trustedCertEntry,

但这并没有,也仍然没有,移除 Path does not chain with any of the trust anchors 错误。为什么不?

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题