【Question title】: Spring Boot - self-signed mTLS - necessary certificate
【Posted】: 2020-07-11 22:52:40
【Question】:

I have a problem with the mTLS configuration in a Spring Boot application.

Question: how can a request be authorized with a self-signed certificate when a certificate is mandatory because of the client-auth: need option?

Steps done so far:

I create a self-signed certificate with the following command:

keytool -genkeypair -alias xx-test -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 150 -storepass xxxxxxxxxxxx

Then in application.yml I have the configuration that uses this newly created keystore:

server:
  ssl:
    enabled: true          # the property is "enabled"; "enable" is silently ignored
    key-alias: xx-test
    key-password: xxxxxxxxxxxx
    key-store-password: xxxxxxxxxxxx
    key-store-type: pkcs12
    key-store: classpath:keystore.p12

    client-auth: need # Can be also want/need
    trust-store: classpath:keystore.p12
    trust-store-type: pkcs12
    trust-store-password: xxxxxxxxxxxx

When I have client-auth: want instead of need, the Chrome browser tells me the certificate is invalid, but I can read the endpoint. In Spring Boot the message is javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

When I change the setting to client-auth: need, Chrome throws ERR_BAD_SSL_CLIENT_AUTH_CERT and Spring Boot throws

Closing SSLConduit after exception on handshake
javax.net.ssl.SSLHandshakeException: Empty client certificate chain
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:258) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1176) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1163) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
    at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1107) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at java.lang.Thread.run(Thread.java:830) ~[?:?]

The self-signed certificate has also been placed in Trusted Root Certification Authorities on Windows.

With the -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake option the error description is more detailed:


javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|SSLExtensions.java:189|Consumed extension: supported_versions
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|ClientHello.java:838|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|SSLExtensions.java:189|Consumed extension: psk_key_exchange_modes
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|PreSharedKeyExtension.java:840|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.340 CEST|ServerNameExtension.java:327|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: server_name
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: status_request
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: supported_groups
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|AlpnExtension.java:277|Ignore server unenabled extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:189|Consumed extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:160|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|SSLExtensions.java:170|Ignore unavailable extension: cookie
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.341 CEST|KeyShareExtension.java:340|Ignore unsupported named group: UNDEFINED-NAMED-GROUP(60138)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:189|Consumed extension: key_share
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:160|Ignore unsupported extension: renegotiation_info
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.342 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:221|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: cookie
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: psk_key_exchange_modes
javax.net.ssl|WARNING|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:212|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|SSLExtensions.java:204|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.343 CEST|ServerHello.java:733|use cipher suite TLS_AES_256_GCM_SHA384
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.345 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.345 CEST|ServerHello.java:587|Produced ServerHello handshake message (
"ServerHello": {.....}

javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.346 CEST|SSLCipher.java:1867|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLCipher.java:2021|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|ALL|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|ServerNameExtension.java:537|No expected server name indication response
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|MaxFragExtension.java:469|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.347 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|AlpnExtension.java:365|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.348 CEST|EncryptedExtensions.java:137|Produced EncryptedExtensions message ("EncryptedExtensions": [
  "supported_groups (10)": {
    "versions": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.356 CEST|CertificateRequest.java:882|Produced CertificateRequest message (....)
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.368 CEST|CertificateVerify.java:1113|Produced server CertificateVerify handshake message (
"CertificateVerify": {....}
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.369 CEST|Finished.java:777|Produced server Finished handshake message (
"Finished": {.....}



2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-6] request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:184) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:729) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:684) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:499) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:475) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:773) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:898) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-5] request - UT005013: An IOException occurred
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:291) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:184) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:729) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:684) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:499) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:475) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:634) ~[?:?]
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:773) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:898) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
2020-07-13 19:37:02 DEBUG [XNIO-1 I/O-4] request - UT005013: An IOException occurred
java.nio.channels.ClosedChannelException: null
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:892) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:665) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:68) ~[undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1172) [undertow-core-2.0.30.Final.jar:2.0.30.Final]
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:561) [xnio-nio-3.3.8.Final.jar:3.3.8.Final]
javax.net.ssl|DEBUG|2C|XNIO-1 task-4|2020-07-13 19:37:02.370 CEST|SSLCipher.java:2021|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|17|XNIO-1 I/O-3|2020-07-13 19:37:02.372 CEST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|2D|XNIO-1 task-5|2020-07-13 19:37:02.382 CEST|CertificateMessage.java:1160|Consuming client Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
]
}
)

But it doesn't tell me much.

【Comments】:

  • Could you provide the full handshake log when starting the spring-boot application with the following VM argument: -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake and performing the request with your client? By the way, does your client have a certificate (key pair) that it will send to the server, and does your client trust your server?
  • Hi @Hakan54 - I added some extra logs to the description. It seems the problem is on the client certificate side, because it says Consuming client Certificate handshake message and then throws the error; however, I don't know how to improve it. Because it is a REST API, I just call the endpoint. Also, in Windows certmgr I installed the certificate that is provided for the truststore.
  • Thanks for the extra logs; it looks like it fails right after the Produced CertificateRequest message and Produced server CertificateVerify handshake message steps. It may be that the client is not sending a client certificate at all, because it isn't loaded correctly or for some other reason. Could you try a curl request? See here for an example with a custom keystore and truststore: gist.github.com/Hakky54/049299f0874fd4b870257c6458e0dcbd I am not quite sure whether you have curl on Windows.
  • Or, if curl is not an option, try Postman, for example: learning.postman.com/docs/sending-requests/certificates

Tags: java spring-boot ssl ssl-certificate mutual-authentication


【Solution 1】:

Solution:

In the end I had a small issue: the intermediate certificate in the chain was incorrect.

In addition, I decided to create a custom server configuration, implemented similar to this:

import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import io.undertow.Undertow;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.stereotype.Component;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

@Component
public class UndertowConfiguration implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
    // ... the author's own helper beans (not shown in the post), constructor-injected; they load the keystore/truststore into KeyManager[] / TrustManager[]
    private KeyStoreManager keyStoreManager;
    private TrustStoreManager trustStoreManager;
    private ServerPortConfiguration serverPortConfiguration;

    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addBuilderCustomizers((Undertow.Builder builder) -> {
            try {
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(keyStoreManager.createKeyStore(),
                        trustStoreManager.createTrustStoreManager(),
                        new SecureRandom());
                // REQUIRED is the Undertow equivalent of client-auth: need
                builder.addHttpsListener(serverPortConfiguration.getSecurePort(), "0.0.0.0", sslContext)
                        .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED);
            } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException
                    | UnrecoverableKeyException | KeyManagementException e) {
                // fail startup rather than silently coming up without the HTTPS listener
                throw new IllegalStateException("could not build the mTLS SSLContext", e);
            }
        });
    }
}

and a dedicated WebClient for forwarding requests to another server:

import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Bean
public WebClient webClient() throws IOException, CertificateException, NoSuchAlgorithmException,
        KeyStoreException, UnrecoverableKeyException {
    // same keystore/truststore helpers as on the server side, so outgoing calls present
    // this service's certificate and trust only the configured CA
    SslContext sslContext = SslContextBuilder.forClient()
            .keyManager(keyStoreManager.createKeyStore())
            .trustManager(trustStoreManager.createTrustStoreManager())
            .build();
    HttpClient httpClient = HttpClient.create()
            .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    return WebClient.builder()
            .clientConnector(new ReactorClientHttpConnector(httpClient))
            .build();
}

When the custom sslContext was applied to both, it started working. However, certificates are a hard thing to debug.

I hope this post helps someone with this problem. -Djavax.net.debug=all also helps to debug and understand what is really wrong with the certificates.
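Editor's added example (not code from the question or the answer above): the question's setup uses one keystore as both key-store and trust-store, so the only client identity the server can accept is its own key pair, and a certificate that was merely imported into the Windows "Trusted Root" store has no private key and cannot answer the server's CertificateRequest (the "Empty client certificate chain" alert). The script below builds a private root, an intermediate, a server certificate and a separate client certificate with openssl, packages them as PKCS12 files that the application.yml above can point at (keystore.p12 / truststore.p12), and runs the three checks that correspond to the failures discussed: does the client certificate chain to the truststore root, does the client store actually carry a private key, and is the server's chain ordered leaf-then-intermediate (the "incorrect intermediate" the answer fixed). All names, paths, the password "changeit" and the :8443 port are made up for this lab; only openssl is required. For Chrome, import client.p12 (key plus certificate) into the Personal store, not the certificate alone into Trusted Root.

```shell
#!/bin/sh
# Added example, not from the original post: build a private root CA, an
# intermediate, a server cert and a separate client cert with openssl,
# package them as PKCS12 for Spring Boot, then run the three checks that
# explain the handshake errors above. All names, paths and the password
# "changeit" are made up for this lab; the server is assumed on :8443.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"

# issue NAME ISSUER|self EXT-LINE...  : key + CSR + signed cert for NAME
issue() {
  name=$1; issuer=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$@" > "$WORK/$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -days 365 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -days 90 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_pki() {
  issue lab-root self basicConstraints=critical,CA:TRUE keyUsage=critical,keyCertSign,cRLSign
  issue lab-intermediate lab-root basicConstraints=critical,CA:TRUE,pathlen:0 \
    keyUsage=critical,keyCertSign,cRLSign
  issue lab-server lab-intermediate basicConstraints=CA:FALSE \
    keyUsage=digitalSignature,keyEncipherment extendedKeyUsage=serverAuth \
    subjectAltName=DNS:localhost
  issue lab-client lab-intermediate basicConstraints=CA:FALSE \
    keyUsage=digitalSignature extendedKeyUsage=clientAuth
  # leaf first, then the intermediate: the order each side must send
  cat "$WORK/lab-server.pem" "$WORK/lab-intermediate.pem" > "$WORK/server-chain.pem"
}

package_stores() {
  # keystore = server key + leaf + intermediate; a missing or wrong
  # intermediate here is the "incorrect intermediate" the answer fixed
  openssl pkcs12 -export -name lab-server -inkey "$WORK/lab-server.key" \
    -in "$WORK/lab-server.pem" -certfile "$WORK/lab-intermediate.pem" \
    -passout "pass:$PASS" -out "$WORK/keystore.p12"
  # truststore = the root only, no key. client-auth: need accepts a client
  # certificate only if it chains to an entry in here. (If keytool -list
  # shows 0 entries for this file on your JDK, import lab-root.pem with
  # keytool -importcert -trustcacerts -storetype PKCS12 instead.)
  openssl pkcs12 -export -nokeys -name lab-root -in "$WORK/lab-root.pem" \
    -passout "pass:$PASS" -out "$WORK/truststore.p12"
  # client identity for curl/Postman/Chrome: key + leaf + intermediate
  openssl pkcs12 -export -name lab-client -inkey "$WORK/lab-client.key" \
    -in "$WORK/lab-client.pem" -certfile "$WORK/lab-intermediate.pem" \
    -passout "pass:$PASS" -out "$WORK/client.p12"
}

# What the server's trust manager decides: LEAF is accepted only if it
# chains (via UNTRUSTED) to the truststore root. Putting a cert in the
# client's own "Trusted Root" store changes nothing here.
verify_chain() { # LEAF.pem UNTRUSTED.pem
  openssl verify -CAfile "$WORK/lab-root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
}

# A store with no private key cannot answer CertificateRequest: the
# client sends an empty certificate_list, which is the
# "Empty client certificate chain" alert in the question.
has_private_key() { # STORE.p12
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Leaf-first bundle check: each issuer must equal the next subject.
chain_is_linked() { # BUNDLE.pem
  rm -f "$WORK"/part-*.pem
  awk -v d="$WORK" '/BEGIN CERT/{n++} {print > (d "/part-" n ".pem")}' "$1"
  prev=""
  for part in "$WORK"/part-*.pem; do
    subject=$(openssl x509 -noout -subject -in "$part")
    if [ -n "$prev" ] && [ "${prev#issuer=}" != "${subject#subject=}" ]; then
      return 1
    fi
    prev=$(openssl x509 -noout -issuer -in "$part")
  done
  return 0
}

build_pki
package_stores
verify_chain "$WORK/lab-client.pem" "$WORK/lab-intermediate.pem" && echo "client cert chains to the truststore root"
has_private_key "$WORK/client.p12" && echo "client.p12 carries a private key"
chain_is_linked "$WORK/server-chain.pem" && echo "server chain is leaf -> intermediate"
echo "stores in $WORK; try: curl --cacert $WORK/lab-root.pem --cert-type P12 --cert $WORK/client.p12:$PASS https://localhost:8443/"
```

Point server.ssl.key-store at keystore.p12 and server.ssl.trust-store at truststore.p12 (both type PKCS12, password as set in PASS) and keep client-auth: need; the curl line printed at the end is the first thing to run before involving a browser, because it shows the handshake result without Chrome's certificate-store indirection. OpenSSL 3 encrypts PKCS12 files with AES/PBKDF2 by default; if an old JDK 8 build refuses to open them, re-run the export with the `-legacy` option or rebuild the stores with keytool.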

【Discussion】:
