Eclipse JRE8 Alpine container for self-signed certificates

Stack Overflow user
Asked 2022-05-10 13:01:33
2 answers · 1.3K views · 0 followers · score 1

TL;DR: After installing my CA in a Docker container based on the image eclipse-temurin:8-jre-alpine, I still get javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure when accessing a URL whose certificate is signed by that CA.

I am currently trying to upgrade one of my applications from the base image openjdk:8-jre-alpine (last updated three years ago and still running Java 1.8.0_212) to eclipse-temurin:8-jre-alpine (running 1.8.0_332).

I am using self-signed certificates for the other applications this application talks to. So in the current setup I copy the CA certificate to /usr/local/share/ca-certificates and call update-ca-certificates.

With eclipse-temurin:8-jre-alpine I have to do a few more steps: the package ca-certificates is not installed by default. The package java-cacerts is not installed either (which of course makes sense when ca-certificates is not installed). So in my Dockerfile I install both and link the cacerts file created by java-cacerts into the Java directory:

```sh
apk add -U ca-certificates java-cacerts && ln -sf /etc/ssl/certs/java/cacerts $JAVA_HOME/lib/security/
```

After that I copy the CA certificate to /usr/local/share/ca-certificates/ and call update-ca-certificates. When I look into /etc/ssl/certs/ I see a link to my certificate there. And the file /etc/ssl/certs/java/cacerts is updated as well (at least the modification date changed).

Now accessing any application with a certificate signed by my CA works with wget. But still no success from the Java application.

If I do the same with the image eclipse-temurin:11-jre-alpine, it also works from Java.

Any help is greatly appreciated!

How I tested

1. Start a container from the image eclipse-temurin:8-jre-alpine

```sh
docker run --rm -it --name temurin_8alpine_test --entrypoint /bin/sh eclipse-temurin:8-jre-alpine
```

2. Install ca-certificates and java-cacerts in the container

```sh
apk add -U ca-certificates java-cacerts && ln -sf /etc/ssl/certs/java/cacerts $JAVA_HOME/lib/security/
```

3. Copy the certificate into the running container

```sh
docker cp /path/to/my/CA-certificate.pem temurin_8alpine_test:/usr/local/share/ca-certificates/
```

4. Update the certificate store in the container

```sh
update-ca-certificates
```

This warns "WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping", which is fine (https://github.com/gliderlabs/docker-alpine/issues/30)

5. Test with wget

```
/ # wget https://my.internal.app
Connecting to my.internal.app (1.2.3.4:443)
saving to 'index.html'
index.html           100% |**********************************************************|  1087  0:00:00 ETA
'index.html' saved
```

6. Download, compile and upload SSLPoke

```sh
wget -q https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java -O /tmp/SSLPoke.java
# make sure to use a Java 8 compiler, or pass --release 8 on a newer JDK
javac /tmp/SSLPoke.java -d /tmp/
docker cp /tmp/SSLPoke.class temurin_8alpine_test:/
```

SSLPoke is from https://matthewdavis111.com/java/poke-ssl-test-java-certs/

7. SSLPoke test in the container

```
/ # java SSLPoke google.com 443
Successfully connected
/ # java SSLPoke my.internal.app 443
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1180)
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1152)
        at SSLPoke.main(SSLPoke.java:23)
/ #
```

2 answers

Stack Overflow user

Accepted answer

Posted 2022-05-16 16:00:13

After some deeper digging and some help from @JockX I found the actual problem: Java 8 Temurin does not support any of the SSL cipher suites my internal application requires.

The same is true for @JockX's example https://jockx.net, so I will use that site as the example:

All ciphers the site supports use elliptic curves.

```
user@nb [~]
-> % nmap --script ssl-enum-ciphers -p 443 jockx.net
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-16 17:32 CEST
Nmap scan report for jockx.net (172.67.206.34)
Host is up (0.022s latency).
Other addresses for jockx.net (not scanned): 104.21.37.83 2606:4700:3034::ac43:ce22 2606:4700:3034::6815:2553

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
user@nb [~]
-> %
```

When you look at the supported cipher suites of the Java running in a container based on the image eclipse-temurin:8-jre-alpine, you get this:

```
/ # java SSLCipherSuites
Supported CipherSuites:
* TLS_AES_256_GCM_SHA384
* TLS_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
/ #
```

I compiled the following short program with Java 8 and copied it into the container:

```java
import javax.net.ssl.SSLSocketFactory;

public class SSLCipherSuites {
    public static void main(String[] args) {
        // getSupportedCipherSuites() lists everything this JVM could negotiate,
        // not only the suites enabled by default
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        String[] cipherSuites = sslsocketfactory.getSupportedCipherSuites();
        System.out.println("Supported CipherSuites:");
        for (String cipherSuite : cipherSuites) {
            System.out.println("* " + cipherSuite);
        }
    }
}
```

If you do the same in a container running the image eclipse-temurin:11-jre-alpine, you get this:

```
/ # java SSLCipherSuites
Supported CipherSuites:
* TLS_AES_256_GCM_SHA384
* TLS_AES_128_GCM_SHA256
* TLS_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
/ #
```

https://www.google.com supports more ciphers, so it can be reached from eclipse-temurin:8-jre-alpine.

```
user@nb [~]
-> % nmap --script ssl-enum-ciphers -p 443 google.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-16 17:47 CEST
Nmap scan report for google.com (216.58.212.174)
Host is up (0.024s latency).
Other addresses for google.com (not scanned): 2a00:1450:4001:802::200e
rDNS record for 216.58.212.174: ams15s22-in-f174.1e100.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
user@nb [~]
-> %
```

Thanks for your support!

Score 2
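The comparison the accepted answer makes by eye (the server's nmap list against the JVM's SSLCipherSuites list) can be done by the JVM itself, and the JVM can also say why the ECDHE suites are absent. The program below is an added example, not code from the answerer: it embeds the jockx.net TLS 1.2 suite list from the nmap output above as constructed input (SERVER_SUITES), counts the JVM's supported suites per key-exchange family, checks whether EC key generation and ECDH actually work (the primitives every ECDHE suite depends on), and reports whether the two sides share any suite at all. The class and method names are my own.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLSocketFactory;

public class TlsSuiteDiagnosis {

    // Constructed input: the TLS 1.2 suites nmap reported for jockx.net in the
    // accepted answer. Replace with the ssl-enum-ciphers output of your own server.
    static final String[] SERVER_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    };

    /** Everything this JVM could negotiate (what SSLCipherSuites on the page prints). */
    static Set<String> supportedSuites() {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return new LinkedHashSet<>(Arrays.asList(f.getSupportedCipherSuites()));
    }

    /** What a default SSLSocket actually puts into its ClientHello, a subset of supported. */
    static Set<String> enabledSuites() {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return new LinkedHashSet<>(Arrays.asList(f.getDefaultCipherSuites()));
    }

    /** Suites offered by the client that the server also accepts; empty means handshake_failure. */
    static Set<String> commonSuites(Set<String> client, String[] server) {
        Set<String> common = new LinkedHashSet<>();
        for (String s : server) {
            if (client.contains(s)) common.add(s);
        }
        return common;
    }

    /** Suites per key-exchange family; a zero under TLS_ECDHE_ is the Java 8 Alpine symptom. */
    static Map<String, Integer> countByKeyExchange(Set<String> suites) {
        String[] families = {"TLS_ECDHE_", "TLS_ECDH_", "TLS_DHE_", "TLS_RSA_", "TLS_AES_", "TLS_CHACHA20_"};
        Map<String, Integer> counts = new LinkedHashMap<>();
        for (String f : families) counts.put(f, 0);
        for (String s : suites) {
            for (String f : families) {
                if (s.startsWith(f)) counts.put(f, counts.get(f) + 1);
            }
        }
        return counts;
    }

    /** True when the provider can generate an EC key pair and do ECDH; without that no ECDHE suite can exist. */
    static boolean ecAvailable() {
        try {
            KeyPairGenerator.getInstance("EC").generateKeyPair();
            KeyAgreement.getInstance("ECDH");
            return true;
        } catch (NoSuchAlgorithmException | RuntimeException | UnsatisfiedLinkError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Set<String> supported = supportedSuites();
        Set<String> enabled = enabledSuites();
        System.out.println(System.getProperty("java.runtime.version") + " on " + System.getProperty("os.name"));
        System.out.println("supported suites: " + supported.size() + ", enabled by default: " + enabled.size());
        System.out.println("by key exchange (supported): " + countByKeyExchange(supported));
        System.out.println("EC key pair + ECDH available: " + ecAvailable());
        for (Provider p : Security.getProviders()) {
            if (p.getName().equals("SunEC")) System.out.println("SunEC provider present: " + p.getInfo());
        }

        Set<String> common = commonSuites(enabled, SERVER_SUITES);
        if (common.isEmpty()) {
            // The server must pick a suite before it sends its certificate, so with no
            // overlap it can only answer with a handshake_failure alert. The trust store
            // is never consulted in this case, which is why update-ca-certificates changed nothing.
            System.out.println("no cipher suite in common with the server: expect 'Received fatal alert: handshake_failure'");
        } else {
            System.out.println("negotiable suites: " + common);
        }
    }
}
```

Compile it with a Java 8 target (`javac --release 8 TlsSuiteDiagnosis.java` on a newer JDK) and run `java TlsSuiteDiagnosis` inside the container. On an image whose list looks like the 8-jre-alpine output above, the TLS_ECDHE_ count is 0 and the program reports no common suite, which is the same handshake_failure SSLPoke shows; on the 11-jre-alpine image the ECDHE_ECDSA suites are present and the intersection is non-empty. Because the failure happens before the server sends its certificate, nothing you do to the trust store can change the result; either the client must gain ECDHE suites (the 11 image in the answer has them) or the server must also accept an RSA or DHE suite.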

Stack Overflow user

Posted 2022-05-10 21:34:24

Forget the ca-certificates related packages and update the cacerts file of the JRE driving the container directly. Use keytool, which is part of the image you are using:

```sh
/opt/java/openjdk/bin/keytool -import -trustcacerts -keystore /opt/java/openjdk/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file /my-ca-cert.crt
```

Depending on the format of the CA certificate file you want to add, you may need to convert it to a format keytool supports. For example, a PEM file with lines like:

```
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
```

can be converted with openssl

```sh
openssl x509 -in my-cert.pem -text -out my-ca-cert.crt
```

If you want to do this inside the container, the package you need to add is openssl

```sh
apk add openssl
```

Score 0
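Two places on this page want the same check: the question infers that the CA reached /etc/ssl/certs/java/cacerts from a changed modification date, and this answer imports the CA with keytool but does not verify the result. The program below is an added example (not the answerer's code) that does what `keytool -import -trustcacerts` does through the standard KeyStore API, then re-opens the file and looks the certificate up by SHA-256 fingerprint, which is the evidence a mtime cannot give. It defaults to the store this JVM would actually read (javax.net.ssl.trustStore, else java.home/lib/security/cacerts); the alias `my-internal-ca` and the `changeit` password are assumptions. CertificateFactory accepts PEM as well as DER, so no openssl conversion is needed on this route.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreCheck {

    /** The store this JVM consults by default: the system property if set, else the runtime's cacerts. */
    static Path defaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        // java.home is the JRE directory on Java 8 and the JDK root on 9+; both hold lib/security/cacerts
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Loads an existing store (the default type reads both JKS and PKCS12 on 9+), or starts an empty one. */
    static KeyStore load(Path store, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) { ks.load(in, password); }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** SHA-256 over the DER encoding, the value `keytool -list -v` and `openssl x509 -fingerprint -sha256` print. */
    static String sha256Fingerprint(Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Alias whose certificate has this fingerprint, or null when the store does not contain it. */
    static String findByFingerprint(KeyStore ks, String fingerprint) throws GeneralSecurityException {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (cert != null && sha256Fingerprint(cert).equalsIgnoreCase(fingerprint)) return alias;
        }
        return null;
    }

    /** CertificateFactory parses PEM (-----BEGIN CERTIFICATE-----) and DER alike. */
    static X509Certificate readCert(Path file) throws GeneralSecurityException, IOException {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreCheck <ca.pem> [truststore] [alias]");
            System.exit(2);
        }
        Path storePath = args.length > 1 ? Paths.get(args[1]) : defaultTrustStore();
        String alias = args.length > 2 ? args[2] : "my-internal-ca";   // assumed alias
        char[] password = "changeit".toCharArray();                      // assumed: stock cacerts password

        X509Certificate ca = readCert(Paths.get(args[0]));
        String fp = sha256Fingerprint(ca);
        System.out.println("subject:     " + ca.getSubjectX500Principal());
        System.out.println("SHA-256:     " + fp);
        System.out.println("trust store: " + storePath);
        if (ca.getBasicConstraints() < 0) {
            System.out.println("warning: no CA basic constraint, this looks like a leaf certificate rather than a CA");
        }

        KeyStore ks = load(storePath, password);
        String existing = findByFingerprint(ks, fp);
        if (existing != null) {
            System.out.println("already present under alias '" + existing + "'");
            return;
        }
        ks.setCertificateEntry(alias, ca);
        try (OutputStream out = Files.newOutputStream(storePath)) { ks.store(out, password); }

        // Re-read the file instead of trusting the in-memory object or the file's mtime.
        String after = findByFingerprint(load(storePath, password), fp);
        if (after == null) throw new IllegalStateException("certificate not found after writing " + storePath);
        System.out.println("imported as '" + after + "' into " + storePath);
    }
}
```

Compile with a Java 8 target (`javac --release 8 TrustStoreCheck.java` on a newer JDK) and run it inside the container as `java TrustStoreCheck /usr/local/share/ca-certificates/CA-certificate.pem`. Run it a second time after `update-ca-certificates` or after the keytool command above: if it prints "already present", the CA is in the file the JVM reads, and any remaining handshake_failure has a different cause than trust.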
Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/72186823