握手失败发生在 Java 中的 Finished 部分,但在使用 curl 时却没有发生。

huangapple
未分类评论42阅读模式
英文:

Handshake failure in Finished section with java but not with curl

问题

I'm trying to implement mutual authentication client side with java.
我正在尝试在Java客户端实现双向身份验证。

I've generated identity keystore with chain of my client certificate and private key.
我已经生成了带有客户端证书和私钥链的身份密钥库。

I've generated trust keystores with server certificate.
我已经生成了带有服务器证书的信任密钥库。

All handshake sessions seem to be ok, but at Finished section I receive an error.
所有握手会话似乎都没问题,但在“Finished”部分我收到了一个错误。

I tried with java 8 and java 11 with the same result, but with curl, instead, all is ok.
我尝试了Java 8和Java 11,结果相同,但是用curl却一切正常。

Service is on https://vps.integrazioneweb.com:8890/oauth/token
服务位于https://vps.integrazioneweb.com:8890/oauth/token。

Here's the debug information about ssl.
以下是关于SSL的调试信息。

Could you help me to understand problem ?
你能帮我理解问题吗?

[handshake debug info][2]
[握手调试信息][2]

i used also openssl s_client and also return error:
我还使用了openssl s_client,也返回了错误:

but, instead, curl work fine:
但是,相反,curl工作正常:


<details>
<summary>英文:</summary>

I&#39;m trying to implement mutual authentication client side with java. 
I&#39;ve generated identity keystore with chain of my client certificate and private key.
I&#39;ve generated trust keystores with server certificate. 
All handshake sessions seem to be ok, but at Finished section I receive an error. I tried with java 8 and java 11 with the same result, but with curl, instead, all is ok.

...
*** Finished
verify_data: { 228, 83, 92, 58, 53, 18, 245, 6, 218, 90, 45, 85 }

update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C E4 53 5C 3A 35 12 F5 06 DA 5A 2D 55 .....S:5....Z-U
Padded plaintext before ENCRYPTION: len = 16
0000: 14 00 00 0C E4 53 5C 3A 35 12 F5 06 DA 5A 2D 55 .....S:5....Z-U
Thread-1, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 BF F7 75 ....(..........u
0010: 39 43 10 6F 28 84 04 A2 E8 25 F4 70 F1 3E 77 7C 9C.o(....%.p.>w.
0020: 73 75 28 75 22 30 BE CA 1A 64 53 1B 12 su(u"0...dS..
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
Thread-1, READ: TLSv1.2 Alert, length = 2
Thread-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
Thread-1, called closeSocket()
Thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure



Service is on https://vps.integrazioneweb.com:8890/oauth/token


Here&#39;s the debug information about ssl.  Could you help me to understand problem ?

[handshake debug info][2] 


  [1]: https://vps.integrazioneweb.com:8890/oauth/token
  [2]: https://controlc.com/329df7b2


i used also openssl s_client and also return error:

>>> ??? [length 0005]
14 03 03 00 01
>>> TLS 1.2 ChangeCipherSpec [length 0001]
01
write to 0x270a6f0 [0x2719770] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
>>> ??? [length 0005]
16 03 03 00 28
>>> TLS 1.2 Handshake [length 0010], Finished
14 00 00 0c a4 a4 2c 75 7f ba b7 be 92 74 d3 06
write to 0x270a6f0 [0x2719770] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 66 2e 8c-30 e1 c5 6e fe b4 dc 5b ....(f..0..n...[
0010 - ca fd 1d 73 ca e2 eb 37-96 fc 89 47 6c 1d 07 aa ...s...7...Gl...
0020 - 12 62 81 96 5b 7f 8d 8b-4f 1b 7d 97 3c .b..[...O.}.<
read from 0x270a6f0 [0x270fcd3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
<<< ??? [length 0005]
15 03 03 00 02
read from 0x270a6f0 [0x270fcd8] (2 bytes => 2 (0x2))
0000 - 02 28 .(
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
140663681992592:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140663681992592:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:


but, instead, curl work fine:
  • SOCKS5 communication to vps.integrazioneweb.com:8890
  • SOCKS5 request granted.
  • Connected to proxy (xx.xx.xx.xx) port xxxx (#0)
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 1/3)
  • schannel: checking server certificate revocation
  • schannel: sending initial handshake data: sending 188 bytes...
  • schannel: sent initial handshake data: sent 188 bytes
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 2/3)
  • schannel: failed to receive handshake, need more data
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 2/3)
  • schannel: encrypted data got 1283
  • schannel: encrypted data buffer: offset 1283 length 4096
  • schannel: a client certificate has been requested
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 2/3)
  • schannel: encrypted data buffer: offset 1283 length 4096
  • schannel: sending next handshake data: sending 325 bytes...
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 2/3)
  • schannel: encrypted data got 258
  • schannel: encrypted data buffer: offset 258 length 4096
  • schannel: SSL/TLS handshake complete
  • schannel: SSL/TLS connection with vps.integrazioneweb.com port 8890 (step 3/3)
  • schannel: stored credential handle in session cache
  • Server auth using Basic with user 'enrico.musella@st.com'
    > POST /oauth/token HTTP/1.1
    > Host: vps.integrazioneweb.com:8890
    > Authorization: Basic xxxxx
    > User-Agent: curl/7.55.1
    > Accept: /
    > Content-Length: 61
    > Content-Type: application/x-www-form-urlencoded
    >
  • upload completely sent off: 61 out of 61 bytes
  • schannel: client wants to read 102400 bytes
  • schannel: encdata_buffer resized 103424
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: encrypted data got 1528
  • schannel: encrypted data buffer: offset 1528 length 103424
  • schannel: decrypted data length: 1228
  • schannel: decrypted data added: 1228
  • schannel: decrypted data cached: offset 1228 length 102400
  • schannel: encrypted data length: 271
  • schannel: encrypted data cached: offset 271 length 103424
  • schannel: decrypted data length: 33
  • schannel: decrypted data added: 33
  • schannel: decrypted data cached: offset 1261 length 102400
  • schannel: encrypted data length: 209
  • schannel: encrypted data cached: offset 209 length 103424
  • schannel: decrypted data length: 31
  • schannel: decrypted data added: 31
  • schannel: decrypted data cached: offset 1292 length 102400
  • schannel: encrypted data length: 149
  • schannel: encrypted data cached: offset 149 length 103424
  • schannel: decrypted data length: 51
  • schannel: decrypted data added: 51
  • schannel: decrypted data cached: offset 1343 length 102400
  • schannel: encrypted data length: 69
  • schannel: encrypted data cached: offset 69 length 103424
  • schannel: decrypted data length: 6
  • schannel: decrypted data added: 6
  • schannel: decrypted data cached: offset 1349 length 102400
  • schannel: encrypted data length: 34
  • schannel: encrypted data cached: offset 34 length 103424
  • schannel: decrypted data length: 5
  • schannel: decrypted data added: 5
  • schannel: decrypted data cached: offset 1354 length 102400
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: decrypted data buffer: offset 1354 length 102400
  • schannel: schannel_recv cleanup
  • schannel: decrypted data returned 1354
  • schannel: decrypted data buffer: offset 0 length 102400
    < HTTP/1.1 200
    < Pragma: no-cache
    ...




</details>


# 答案1
**得分**: 0

我通过其他步骤解决了重新生成密钥集和证书的问题,但我还需要知道第一个案例中出了什么问题。

在第一个案例(有问题的情况下),我使用以下命令生成CA文件:

    openssl genrsa -out ca.private 3072
    openssl req -new -x509 -days 365 -key ca.private -out ca.crt

生成客户端文件时,我使用了以下命令:

    openssl genrsa -out client.private 3072
    openssl req -new -key client.private -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.private -CAcreateserial -out client.crt

而在第二个案例(无问题的情况下),我使用以下命令生成CA文件:

    openssl req -newkey rsa:2048 -new -x509 -sha256 -days 365 -out ca.crt -keyout ca.key -nodes

生成客户端文件时,我使用了以下命令:

    openssl req -newkey rsa:2048 -new -sha256 -out client.csr -keyout client.key -nodes
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256

<details>
<summary>英文:</summary>

i solved problem regenerating my keyset and certificate using other steps, but i also need to know where is the problem in first case.

In first case (with problem) to generate ca files i used:

    openssl genrsa -out ca.private 3072
    openssl req -new -x509 -days 365 -key ca.private -out ca.crt

to generate client files i used:

    openssl genrsa -out client.private 3072
    openssl req -new -key client.private -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.private -CAcreateserial -out client.crt

Instead in second case (without problem) to generate ca files i used:

    openssl req -newkey rsa:2048 -new -x509 -sha256 -days 365 -out ca.crt -keyout ca.key -nodes

to generate client files i used:

    openssl req -newkey rsa:2048 -new -sha256 -out client.csr -keyout client.key -nodes
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256




</details>

huangapple
  • 本文由 发表于 2020年4月9日 23:05:29
  • 转载请务必保留本文链接:https://java.coder-hub.com/61124250.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定