【发布时间】:2018-11-17 05:38:36
【问题描述】:
我目前正在测试两个独立系统之间的连接性。当我尝试通过我们的软件进行网络服务调用时,我注意到日志中反复出现 401 错误:
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '401: Unauthorized' when communicating with https://testsystem.endpoint/webservice
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1530)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1490)
根据我所拥有的read on SO,401 告诉您您尚未成功登录或验证您尝试连接的任何服务器。我已经通知那些控制目标端点的人,并且我被告知我不需要登录并且“一切都通过证书进行了身份验证”。据我了解,SSL/TLS 证书当然可以作为一种身份验证方式,如果您在证书中声称是 X 并且您的证书已由受信任的 CA 签名,那么您很可能是 X。但是,我认为这与输入有效或无效的登录凭据不同(我认为这更接近 401 错误的原因)。
我尝试使用我的公钥对以及目标端点证书的根证书来卷曲端点。我可以看到似乎有两个单独的 SSL 握手,我相信是 SSL renegotiation。我可以清楚地看到再次出现 401 错误:
$ curl -vv --cert cert.pem --cacert root.pem https://testsystem.endpoint/webservice
* About to connect() to testsystem.endpoint/webserivce port 443 (#0)
* Trying TEST.IP.ADDRESS.FAKE... connected
* Connected to testsystem.endpoint/webserivce (TEST.IP.ADDRESS.FAKE) port 443 (#0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: root.pem
CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: /OU=Domain Control Validated/CN=TEST.CN.FAKE
* start date: 2015-07-07 22:44:38 GMT
* expire date: 2016-07-19 16:55:05 GMT
* subjectAltName: testsystem.endpoint/webserivce matched
* issuer: /C=US/ST=fake/L=fake/O=Company.com, Inc./OU=http://certs.company.com/repository//CN=Company Secure Certificate Authority
* SSL certificate verify ok.
> GET /webservice HTTP/1.1
> User-Agent: curl/7.16.2 (x86_64-unknown-linux-gnu) libcurl/7.16.2 OpenSSL/0.9.8b zlib/1.2.3
> Host: testsystem.endpoint/webserivce
> Accept: */*
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 401 Unauthorized
< Content-Type: text/html
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Sat, 05 Sep 2015 00:16:21 GMT
我认为我的问题不一定与 SSL/TLS 握手有关:我已经为另一端建立了完整的证书链(这在我端是受信任的),我可以看到第一个 SSL/ TLS 握手似乎有效。我想我的问题是:为什么当我使用我认为是有效的密钥对时,另一端会向我发送 401?
【问题讨论】:
标签: http authentication ssl https