个人中心
gpt4 book ai didi

javax.net.ssl.SSLHandshakeException : Invalid CertificateVerify signature

转载 作者:行者123 更新时间:2023-12-04 22:37:26 31 4
gpt4 key购买 nike

我有一个 Java 8 客户端/服务器应用程序,它在使用 ClientAuth 证书时未能通过 TLS 协商:

javax.net.ssl.SSLHandshakeException: Invalid CertificateVerify signature
该应用程序使用嵌入式 jetty 实例为在同一进程中运行的 Vaadin 应用程序提供 REST API。
当应用程序发出不需要 ClientAuth 响应的 REST 请求时,该请求就可以了。
正如这里的其他一些帖子所提到的,我尝试了 -Djdk.tls.disabledAlgorithms=RSSA-PSS 并且没有效果。
eclipse openjdk 8u282、8u302、8u322 存在问题。
下面的完整调试,为简洁起见进行了编辑: 
javax.net.ssl|FINE|34|IDLE session T52|2022-03-23 10:28:17.772 PDT|CertificateMessage.java:372|Consuming client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "65 00 00 0E 6C ED 9A D7 F1 D4 70 A2 56 00 01 00 00 0E 6C",
    "signature algorithm": "SHA384withRSA",
    "issuer"             : "CN=Acme Issuing CA1, DC=corp, DC=acme, DC=com",
    "not before"         : "2022-03-17 11:02:03.000 PDT",
    "not  after"         : "2023-03-17 11:02:03.000 PDT",
    "subject"            : "CN=mikevdev.corp.acme.com",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          clientAuth
          serverAuth
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: mikevdev.corp.acme.com
        ]
      },
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "56 00 00 00 06 10 D8 F4 6B 40 ED F7 89 00 00 00 00 00 06",
    "signature algorithm": "SHA384withRSA",
    "issuer"             : "CN=Acme Root CA",
    "not before"         : "2020-08-17 13:30:35.000 PDT",
    "not  after"         : "2030-08-17 13:40:35.000 PDT",
    "subject"            : "CN=Acme Issuing CA1, DC=corp, DC=acme, DC=com",
    "subject public key" : "RSA",
    "extensions"         : [
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "18 54 B2 02 37 98 9E BA 45 02 66 B3 B8 B6 9D C8",
    "signature algorithm": "SHA384withRSA",
    "issuer"             : "CN=Acme Root CA",
    "not before"         : "2020-08-14 13:10:21.000 PDT",
    "not  after"         : "2040-08-14 13:20:20.000 PDT",
    "subject"            : "CN=Acme Root CA",
    "subject public key" : "RSA",
    "extensions"         : [
    ]}
]
)
javax.net.ssl|FINE|34|IDLE session T52|2022-03-23 10:28:17.777 PDT|ECDHClientKeyExchange.java:486|Consuming ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
}
)
javax.net.ssl|FINE|21|qtp1622160793-33|2022-03-23 10:28:17.779 PDT|CertificateVerify.java:763|Produced CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 2B D7 85 1C 75 B0 53 7E   F0 AC 74 9A 60 DA 61 EF  +...u.S...t.`.a
  }
}
)
javax.net.ssl|FINE|21|qtp1622160793-33|2022-03-23 10:28:17.779 PDT|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|FINE|21|qtp1622160793-33|2022-03-23 10:28:17.780 PDT|Finished.java:393|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: A3 22 70 01 CB 3F 71 8A   97 F3 35 7C
  }'}
)
javax.net.ssl|SEVERE|31|qtp1622160793-49|2022-03-23 10:28:17.780 PDT|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Invalid CertificateVerify signature (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Invalid CertificateVerify signature
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
        at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:672)
        at sun.security.ssl.CertificateVerify$T12CertificateVerifyConsumer.consume(CertificateVerify.java:802)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
        at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:345)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
        at java.lang.Thread.run(Thread.java:748)}

最佳答案

我尝试重现您的问题。但是,我获得了成功的 TLS 协商

关于javax.net.ssl.SSLHandshakeException : Invalid CertificateVerify signature,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/71594229/

31 4 0
文章推荐: java - 使用 TLS 连接到 MariaDB 的 Tomcat 抛出 javax.naming.NamingException;命令行连接正常工作
文章推荐: github - 无法建立 SSL 连接,在配置 Github Self-Hosted Runner 时查看内部​​异常
文章推荐: c# - 在 ASP.Net 中定义自己的 TlsCipherSuite
文章推荐: ssl - 如果仅在测试系统中使用,发布 fullchain.pem、privkey.pem 和 dhparams.pem 是否安全?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com