Java 邮件 (TLS) : Erratic failure to validate certification path-6ren

Java 邮件 (TLS) : Erratic failure to validate certification path

转载作者：太空宇宙更新时间：2023-11-03 13:37:21

尝试使用 JavaMail 库验证 TLS 连接时，我随机收到以下验证错误:

javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
   javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我在 Linux 机器上运行，使用 jdk1.7.0 并使用最新的 jdk 的 cacerts 文件(撰写本文时为 1.8.0_73)，我已导入 smtp 服务器证书。

smtp 服务器是一个 exchange 服务器，具有明文 TLS 验证。

我说随机是因为有时连接成功，但有时它会提示无法识别证书验证路径并失败，似乎没有给定的模式。

通常重试连接就可以了，虽然重试的次数并不一致，有时不需要，有时需要2或3次，有时需要20次以上。

为了消除任何外部影响，我编写了一个简单的邮件发送应用程序，我用它来调查这个问题(我们的应用程序运行在 Tomcat 部署上)，所以我可以确定问题出在其中之一:

JDK
JavaMail 库
网络连接

我的问题是是否有人知道此行为背后可能存在的任何限制/错误/问题？

目前重试连接作为一种解决方法就足够了，但我们的项目需要将其作为永久解决方案，这是不受欢迎的，因为许多消息是异步发送的，并且在连接失败的情况下，用户将得不到失败的反馈。

编辑:一些更多信息

服务器证书是通过openssl获取的，即这个命令:

openssl s_client -connect exchange.***.com:25 -starttls smtp 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem

请注意，如果没有 starttls 参数，该命令将无法运行(需要一段时间才能弄清楚，因为大多数在线资源，包括此处的 SO，都不会包括该步骤)。原始 openssl 命令的(清理)输出如下:

depth=0 CN = smtpserver-ch-01
verify error:num=20:unable to get local issuer certificate

verify return:1
depth=0 CN = smtpserver-ch-01
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=smtpserver-ch-01
   i:/CN=smtpserver-ch-01
---
Server certificate
-----BEGIN CERTIFICATE-----
  *** CERTIFICATE DATA
-----END CERTIFICATE-----
subject=/CN=smtpserver-ch-01
issuer=/CN=smtpserver-ch-01
---
No client certificate CA names sent
---
SSL handshake has read *** bytes and written *** bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: ***
    Session-ID-ctx: 
    Master-Key: ***
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: ***
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 XSHADOW

下面是 javax.net.debug=ssl 输出的大量打印:(希望发布这些大量文本转储是一种好的形式)

Sending message to test@server.com; Attempt attempt 0 of 20...
keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: certs/cacerts_1.8.0_73
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:

   ** Standard certificates **

adding as trusted cert:
  Subject: CN=smtpserver-ch-01
  Issuer:  CN=smtpserver-ch-01
  Algorithm: RSA; Serial number: **********************************
  Valid from ddd MMM DD 00:00:00 CEST 2013 until ddd MMM DD 00:00:00 CEST 2018

adding as trusted cert:

   ** The rest of the standard certificates **

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: XXX bytes = { XXX, ··· XXX }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = ***
*** ServerHello, TLSv1
RandomCookie:  GMT: XXX bytes = { XXX, ··· XXX }
Session ID:  {XX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=smtpserver-ch-02
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, xxx bits
  modulus: ***
  public exponent: ***
  Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
               To: ddd MMM DD 00:00:00 CEST 2018]
  Issuer: CN=smtpserver-ch-02
  SerialNumber: [    xxx ]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: smtpserver-ch-02
  DNSName: smtpserver-ch-02.domain.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

  *** SIGNATURE HEX DUMP ***

]
***
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed attempt: javax.mail.MessagingException: Can't send command to SMTP host


Sending message to test@server.com; Attempt attempt 1 of 20...
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: XXX bytes = { XXX, ··· XXX }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = **
*** ServerHello, TLSv1
RandomCookie:  GMT: XXX bytes = { XXX, ··· XXX }
Session ID:  {XXX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=smtpserver-ch-02
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: ***
  public exponent: ***
  Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
               To: ddd MMM DD 00:00:00 CEST 2018]
  Issuer: CN=smtpserver-ch-02
  SerialNumber: [    xxx]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: smtpserver-ch-02
  DNSName: smtpserver-ch-02.domain.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

  *** SIGNATURE HEX DUMP ***
]
***
%% Invalidated:  [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Failed attempt: javax.mail.MessagingException: Can't send command to SMTP host


Sending message to test@server.com; Attempt attempt 2 of 20...
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: XXX bytes = { XXX, ··· XXX }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension server_name, server_name: [host_name: exchange.***.com]
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Handshake, length = **
*** ServerHello, TLSv1
RandomCookie:  GMT: *** bytes = { XXX, ··· XXX }
Session ID:  {XXX, ··· XXX}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=smtpserver-ch-01
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: ***
  public exponent: ***
  Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
               To: ddd MMM DD 00:00:00 CEST 2018]
  Issuer: CN=smtpserver-ch-01
  SerialNumber: [    XXX]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: smtpserver-ch-01
  DNSName: smtpserver-ch-01.domain.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

  *** SIGNATURE HEX DUMP ***

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=smtpserver-ch-01
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: ***
  public exponent: ***
  Validity: [From: ddd MMM DD 00:00:00 CEST 2013,
               To: ddd MMM DD 00:00:00 CEST 2018]
  Issuer: CN=smtpserver-ch-01
  SerialNumber: [    XXX]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: smtpserver-ch-01
  DNSName: smtpserver-ch-01.domain.com
]

]
  Algorithm: [SHA1withRSA]
  Signature:

    *** SIGNATURE HEX DUMP ***

]
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = ***
SESSION KEYGEN:
PreMaster Secret:
  *** HEX DUMP
CONNECTION KEYGEN:
Client Nonce:
  *** HEX DUMP
Server Nonce:
  *** HEX DUMP
Master Secret:
  *** HEX DUMP
Client MAC write Secret:
  *** HEX DUMP
Server MAC write Secret:
  *** HEX DUMP
Client write key:
  *** HEX DUMP
Server write key:
  *** HEX DUMP
Client write IV:
  *** HEX DUMP
Server write IV:
  *** HEX DUMP
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { XXX, ··· XXX }
***
main, WRITE: TLSv1 Handshake, length = **
main, READ: TLSv1 Change Cipher Spec, length = **
main, READ: TLSv1 Handshake, length = **
*** Finished
verify_data:  { XXX, ··· XXX }
***
%% Cached client session: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = ****
main, READ: TLSv1 Application Data, length = ***
main, WRITE: TLSv1 Application Data, length = **
main, WRITE: TLSv1 Application Data, length = **
main, READ: TLSv1 Application Data, length = **
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT:  warning, description = close_notify
main, WRITE: TLSv1 Alert, length = **
main, called closeSocket(selfInitiated)
Message sent!

之前的日志显示两次连接尝试失败，第三次成功。

编辑 20160315: 正如下面的评论者所提到的，exchange.*.com 主机似乎正在重定向到不同的主机，每个主机都有自己的证书，因为在出示带有 CN=smtpserver-ch-02 的证书时连接失败，而在出示带有 CN=smtpserver-ch-01 的证书时连接成功。

如果是这种情况，那么解决方案可能是多次运行 openssl 命令以检索两个证书并将它们添加到信任库。

编辑(已解决):上述解决方案有效，我多次启动 openssl 命令，比较结果数据，直到我分离出我需要的两个唯一证书。

将它们导入信任库后，一切正常。

最佳答案

您似乎从两个不同的服务器获得了两个不同的证书，因此您必须将它们都添加到您的信任库中。或者您可以设置 mail.smtp.ssl.trust property .

关于Java 邮件 (TLS) : Erratic failure to validate certification path，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/35705129/

文章推荐： ssl - 插件注册工具是否无法识别 SSL 证书？

文章推荐： c# - 区分附加到同一事件处理程序的多个对象

文章推荐： c# - 为什么操作 UI 控件需要在创建它的线程内完成？

ios - 苹果分发证书 : "Request a Certificate from a Certificate Authority" what is the certificate authority?
我们想在应用商店中发布一个应用。为我们构建它的第 3 方需要我们通过苹果开发门户创建的证书和配置文件。根据文档，创建证书的方法是使用 mac 的钥匙串(keychain)应用程序，然后选择“从证书颁发
java - 为什么我会收到已知和受信任证书的 "No issuer certificate for certificate in certification path found"错误？
我正在尝试使用 Java Http 客户端连接到服务器以进行 Web 服务调用。如果我用下面的代码打开网络调试.. System.setProperty("javax.net.debug", "all
混帐 - "SSL certificate issue: self signed certificate in certificate chain"
我在尝试推送我的更改时才开始收到此错误。我不知道我的系统发生了什么变化，并且在这方面不应该有任何自签名证书。 Git 已卸载并重新安装。 Git 似乎使用了正确的包: http.sslcainfo=C
php - curl 错误 : SSL certificate error: self signed certificate in certificate chain
除非我设置以下内容，否则我会收到上述错误: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); 这是不安全的，违背了 SSL 的目的。我已经从 http
docker - 如何修复 "SSL certificate problem: self signed certificate in certificate chain"错误？
我有一个基于 Linux 的 Docker 容器，如果我这样做: curl https://google.com ...然后我得到一个错误: curl: (60) SSL certificate pr
git - 如何解决[curl : (60) SSL certificate problem: self signed certificate in certificate chain]
我想在我的 Linux 计算机上安装 nvm。(我的 Debian 版本是 10，Git 版本是 2.27。OPENSSL 版本是 1.1.1d 2019 年 9 月 10 日) 我阅读了这份文件 h
php - Composer curl 错误 60 : SSL certificate problem: self signed certificate in certificate chain
我正在使用 Symfony 5，我需要使用 composer 安装 'knplabs/knp-snappy-bundle' 但我有这个消息: [Composer\Downloader\Transpor
ssl - VSTS : unable to access SSL certificate problem: (url) self signed certificate in certificate chain
我已经通过 VSTS 部署我的应用程序一段时间了，然后突然出现此错误: 无法访问 SSL 证书问题:(url) 证书链中的自签名证书。为什么突然发生这种情况，我该如何解决？更新:我注意到我有一个新
certificate - 异常 : The client certificate is not provided
我正在尝试使用安全性配置 WCF 服务。我生成了 2 个存储在 LocalComputer\Personal Certificates 中的证书(用于服务器和客户端)。我的配置是: 服务器:
Azure函数: Cannot find certificate with this thumbprint in the certificate
我正在创建连接到的 Azure 函数来执行 PnP 命令。我已经创建了 docs 中提到的证书。我总是收到Cannot findcertificate with this指纹在证书存储中。Except
php - 调用 API 时出现 cURL 错误。 cURL 错误编号 :[60] SSL certificate prob: self signed certificate in certificate chain
美好的一天，我是服务器设置的新手。我目前正在使用 laravel 5.4 来集成我的 quickbooks app在我的实时服务器上 http://qb.dagnum.com/connect但我继续收
android - 无法访问 'https://github.com/user name/projectName.git/' : SSL certificate problem: self signed certificate in certificate chain
我正在尝试从 Github 克隆一个项目但我无法克隆它，因为我有这个错误无法访问:SSL 证书问题:证书链中的自签名证书我可以从我的网络访问并且我有证书。我的Android Studio有什么问
amazon-web-services - AWS CLI - [SSL : CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl. c:1056)
我正在尝试使用 AWS-CLI 检索 aws elasticbeanstalk 详细信息，但出现以下错误。错误信息: C:\abdul>aws elasticbeanstalk describe-e
security - "signing a certificate with another certificate"是什么意思？
我实际上正在阅读有关证书和证书链的内容。我了解证书是由实体的私钥签名的一段数据，只能使用给定实体(例如根 CA)的公钥解密。但是，我在几个地方看到“证书签署另一个证书”(例如:Microsoft I
certificate - 如何以非交互方式运行 "dpkg-reconfigure ca-certificates"？
我想默认“接受”新证书。我尝试了以下方法。 $ dpkg-reconfigure -f noninteractive ca-certificates 它运行，但没有添加 CA。如果不行，直接修改/e
aws-certificate-manager - 如何检索在AWS Certificate Manager上生成的证书的私钥？
有人通过AWS Certificate Manager为他们的域名购买了通配符证书，我需要将其转移到Heroku，以获取使用域名子域名的应用程序。无论是通过AWS控制台还是通过其CLI，我都找不到如
selenium - 错误 : self signed certificate in certificate chain
我可以通过重新启动我的 Windows 7 来运行 selenium 服务器。但是，如果我终止服务器并再次启动它，我将收到此错误。有时执行 webdriver-manager update--igno
security - 如何修复 "this certificate cannot be verified up to a trusted certification authority"
我在 IE9 中遇到安全证书问题。然后我去我得到的特定地址 There is a problem with this website's security certificate. 如何避免出现此窗
安卓 :What is the difference between app signing certificate and upload certificate?
应用签名证书和上传证书有什么区别？我在将 Google Play 游戏与我的应用程序集成时遇到了问题(我将此作为另一个问题发布)，我注意到用于在 Google API 控制台上自动生成的客户端 ID
Heroku 登录错误 : self signed certificate in certificate chain
我正在尝试在 Mac 上使用 Heroku CLI。当我尝试使用 Heroku login 登录 Heroku 并提供我的凭据时，出现以下错误: Error: self signed certifi

太空宇宙

个人简介

我是一名优秀的程序员,十分优秀！

作者热门文章

滴滴打车优惠券免费领取

全站热门文章

首页

博学

6Ren·AI

商城

Java 邮件 (TLS) : Erratic failure to validate certification path