WSO2 ei-2路SSL - handshake_failure

Question

我在建立双向SSL认证时遇到了问题。我需要从wso2访问HTTPS端点。服务提供商给了我一个pfx密钥存储库，其中包含我必须向服务器提供的证书和私钥。

我在windows计算机上安装了这个pfx密钥存储库，并试图从Chrome访问端点(端点在根上下文中有一个GET服务，返回hello消息)。当访问这个端点时，铬告诉我选择一个证书来提供给服务器.我选择好的那个，并回复你的问候信息.好吧，证书有效。

我也尝试使用curl，提供密钥、cacert和cert (使用openssl从pfx文件中提取)。一切都很好。

问题是当我尝试从wso2 ei服务访问这个端点时。我使用keytool将pfx文件导入默认密钥存储库(wso2carbon.jks)，遵循以下步骤：

1. 在jks中导入pfx 关键工具-importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -srcstorepass -deststorepass wso2carbon
2. 导出jks公钥 关键工具-export -alias“-keystore wso2carbon.jks -file publickey.pem -storepass wso2carbon”
3. 导入默认客户端中的公钥-trustore.jks 关键工具-import -alias "“-file publickey.pem -keystore客户端-信任库. -storepass wso2carbon
4. 更新wso2carbon密钥库中别名的密码(必须与jks pwd相同) 关键工具-keypasswd -alias“-new wso2carbon -keystore wso2carbon.jks -keypass -storepass wso2carbon”
5. 将根和中间服务器证书添加到trustore中 keytool -import -v -trustcacerts -alias root -file root.cer -keystore客户端-信任库.root -storepass wso2carbon密钥工具-import -v -trustcacerts -alias

重新启动WSO2 EI然后尝试访问端点(握手失败！)

我激活了-Djavax.net.debug=ssl:handshake，在错误跟踪下面。似乎WSO2 EI找不到服务器询问的证书。

...
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 320
SESSION KEYGEN:
PreMaster Secret:
... no IV derived for this protocol
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Change Cipher Spec, length = 64
*** Finished
verify_data:  { 111, 185, 151, 74, 99, 156, 152, 185, 240, 222, 162, 116 }
***
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 80
PassThroughMessageProcessor-2, READ: TLSv1.2 Alert, length = 64
PassThroughMessageProcessor-2, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
%% Invalidated:  [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA256]
PassThroughMessageProcessor-2, called closeSocket()
PassThroughMessageProcessor-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PassThroughMessageProcessor-2, called close()
PassThroughMessageProcessor-2, called closeInternal(true)

我尝试使用SOAP，引用先前创建的keystore，GET调用返回hello消息(握手成功)。

我还尝试使用使用那个keystore和ssl握手过程的代码片段java类。

System.setProperty("javax.net.ssl.keyStore", keystorePath);
        System.setProperty("javax.net.ssl.keyStorePassword", CERT_PASSWORD);
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        URL myUrl;
        try {
            myUrl = new URL(endpoint);
            HttpsURLConnection conn = (HttpsURLConnection) myUrl.openConnection();
            InputStream is = conn.getInputStream();
            InputStreamReader isr = new InputStreamReader(is);
            BufferedReader br = new BufferedReader(isr);

            String inputLine;

            while ((inputLine = br.readLine()) != null) {
                System.out.println(inputLine);
            }

Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
matching alias: alias-cert

我很感谢你的帮助。谢谢。

你好，鲁迪

Answer 1

要解决这个问题，请查看axis2.xml文件上的配置，观察元素transportSender和name="https"，并插入customSSLProfiles的配置。

在本文档中，如何：

https://docs.wso2.com/display/EI660/HTTPS-NIO+Transport+