问题
I am trying to configure the Tomcat6 with self-signed certificates with clientAuth=true & then to call the Tomcat server on client side using HttpClient 4.1.x.
I followed the instruction provided in the http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/ & it is working fine as expected when I am testing from the browser or from the openssl client (I ran the command "openssl s_client -cert client.crt -key client.key -CAfile ca.crt -connect localhost:8443").
The problem I am facing is with the HttpClient. I wrote the following code to create HttpClient
private DefaultHttpClient creatHttpClient(KeyStore keyStore,
char[] keyStorePassword, KeyStore trustStore, char[] trustStorePassword) {
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore); // This contains CA certs
TrustManager[] tm = trustManagerFactory.getTrustManagers();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyStorePassword); // This contain client private key
KeyManager[] km = keyManagerFactory.getKeyManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(km, tm, new SecureRandom());
SSLSocketFactory sslSocketFactory = new SSLSocketFactory(sslContext,
SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpParams params = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(params, 10000);
HttpConnectionParams.setSoTimeout(params, 30000);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https",
443, sslSocketFactory));
ClientConnectionManager clientConnectionManager =
new ThreadSafeClientConnManager(schemeRegistry);
final DefaultHttpClient httpClient = new DefaultHttpClient(
clientConnectionManager, params);
return httpClient;
} catch(Exception e) {
throw e;
}
}
For this, I received
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
I enabled the debug
static
{ System.setProperty("javax.net.debug", "ssl,handshake,trustmanager"); }
I received the following debug logs
main, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
main, SEND TLSv1 ALERT: fatal, description = internal_error
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, IOException in getSession(): javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
What could be possibly going wrong in this case? I don't want to ignore the ssl certificates error rather want to authenticate properly.
回答1:
I solved my own problem. The issue was that I was loading keystore & trust store using
InputStream ksin = this.getClass().getResourceAsStream("client.jks");
InputStream tsin = this.getClass().getResourceAsStream("cacerts.jks");
& was using these lines in the Junit tests & it was not able to find .jks files.
I figured out this by putting the following
if(0 == keyStore.size()) { throw new RuntimeException("Keystore is empty"); }
if(0 == trustStore.size()) { throw new RuntimeException("Truststore is empty"); }
after keystore & truststore initialization.
So, I changed the lines to
InputStream ksin = Thread.currentThread().getContextClassLoader().getResourceAsStream("client.jks");
InputStream tsin = Thread.currentThread().getContextClassLoader().getResourceAsStream("cacerts.jks");
& everything worked fine.
来源:https://stackoverflow.com/questions/15164831/httpclient-4-1-x-error-for-self-signed-certificate-javax-net-ssl-sslpeerunverif