带证书的webservice调用由于套接字读取错误而失败

Question

我使用连接到运行在服务器上的REST webservice。客户端必须发送证书以进行验证，并将服务器证书添加到客户端的信任存储中。我用选项-Djavax.net.ssl.keyStore，-Djavax.net.ssl.trustStore来指定。

但是我得到了错误，有什么线索吗？我不确定SSL握手是否成功，但在日志中似乎存在ServerHelloDone和Found Certificate。

码

HttpClient client = HttpClientBuilder.create().build();
HttpGet request = new HttpGet("https://testmachine.com/retrieve/path");

// add request header
request.addHeader(Constants.HTTP_HEADER_ACCEPT, Constants.MEDIA_TYPE_JSON);

// request to SERVER
HttpResponse response = client.execute(request);

日志

[write] MD5 and SHA1 hashes:  len = 16
0000: 14 ........g...oJ..v...
Padded plaintext before ENCRYPTION:  len = 32
0000: 14.......
0010: 5A.......
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
Padded plaintext before ENCRYPTION:  len = 18
0000: 02 .....@.y..A.
0010: 31 8F                                              1.
main, WRITE: TLSv1 Alert, length = 18
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Apr 18, 2016 1:52:17 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://testmachine.com:443: Software caused connection abort: recv failed
Apr 18, 2016 1:52:17 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://testmachine.com:443
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1

Answer 1

看起来keystore不是从日志中读取的。我认为这是因为我在keystore中的证书是".p12“格式，并且有自己的密码。因此，我必须显式地加载keystore和truststore，并构建SSLContext以使其工作。

需要注意的一点是，privateKeyPassword必须提供certificate密码(而不是保护密钥条目的keystore密码)。

 .loadKeyMaterial(keyStore, privateKeyPassword.toCharArray())   

下面是代码的一些部分，它解释了这一点。

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream keyStream = new FileInputStream(keystoreFile);
    try {
        keyStore.load(keyStream, keystorePassword.toCharArray());
    } catch (Exception ex) {
        System.err.println("Failed to load keystore: " + ex.toString());
        return;
    } finally {
        try {
            keyStream.close();
        } catch (Exception ignore) {
        }
    }

    // load keystore and truststore
    SSLContext sslcontext = SSLContexts.custom()
            .loadTrustMaterial(truststoreFile, truststorePassword.toCharArray(),
                    new TrustSelfSignedStrategy())
                    .loadKeyMaterial(keyStore, privateKeyPassword.toCharArray())        
                    .build();

    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            sslcontext,
            new String[] { "TLSv1" },
            null,
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());

    CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLSocketFactory(sslsf)
            .build();