【Question Title】: Client-Certificate based Authentication with HttpComponents
【Posted】: 2012-03-12 08:51:26
【Problem Description】:

I am running into a problem with certificate-based authentication using Apache's HttpComponents. Every time I start a request I get response code 403. If I turn on SSL encryption and authentication, the connection can be established successfully.

I assume the certificates are fine, because they already work in a different environment.

The following code shows how I start the request.

import java.io.FileInputStream;
import java.security.KeyStore;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

public class Client
{
    public static void main(String[] args)
    {
        HttpClient httpClient = null;
        try
        {
            HttpParams httpParameters = new BasicHttpParams();
            // Truststore: the CA / server certificate the client trusts
            KeyStore rootca = KeyStore.getInstance(KeyStore.getDefaultType());
            rootca.load(new FileInputStream("server.jks"), "bara".toCharArray());
            // Keystore: the client certificate and its private key
            KeyStore mycert = KeyStore.getInstance("JKS");
            mycert.load(new FileInputStream("client.jks"), "bara".toCharArray());
            // HttpClient 4.x: SSLSocketFactory(keystore, key password, truststore)
            SSLSocketFactory sockfact = new SSLSocketFactory(mycert, "bara", rootca);
            // Disables hostname verification: the server name is not checked against its certificate
            sockfact.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
            registry.register(new Scheme("https", sockfact, 443));
            httpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParameters, registry), httpParameters);
            HttpGet get = new HttpGet("https://mycomputer.mynetwork/test");
            HttpResponse response = httpClient.execute(get);
            System.out.println(response.getStatusLine());
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
        finally
        {
            if (httpClient != null) httpClient.getConnectionManager().shutdown();
        }
    }
}

There is no exception or further information. I debugged the code by downloading the sources. Even then I could not locate the error. Only the following exception is thrown, but I cannot see the cause: "Connection reset by peer: socket write error"

I would appreciate every idea.

Kind regards.

Update: after editing the logging preferences I get the following exception:

reset by peer: socket write error>javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1325)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1337)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:44)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:131)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:138)
    at org.apache.http.impl.conn.LoggingSessionOutputBuffer.flush(LoggingSessionOutputBuffer.java:95)
    at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:271)
    at org.apache.http.impl.SocketHttpClientConnection.close(SocketHttpClientConnection.java:246)
    at org.apache.http.impl.conn.DefaultClientConnection.close(DefaultClientConnection.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.close(AbstractPooledConnAdapter.java:152)
    at org.apache.http.protocol.HttpRequestExecutor.closeConnection(HttpRequestExecutor.java:142)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:129)
    at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:647)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:464)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
    at Client.main(Client.java:54)
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1692)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1656)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1601)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:93)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:131)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:138)
    at org.apache.http.impl.conn.LoggingSessionOutputBuffer.flush(LoggingSessionOutputBuffer.java:95)
    at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:271)
    at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:276)
    at org.apache.http.impl.conn.AbstractClientConnAdapter.flush(AbstractClientConnAdapter.java:194)
    at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:258)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
    ... 6 more
Caused by: java.net.SocketException: Connection reset by peer: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
    at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:297)
    at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:286)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:748)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:736)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:88)
    ... 14 more

【Question Discussion】:

    Tags: java apache ssl certificate socketexception


    【Solution 1】:

    In the context of SSL/TLS, a connection closed by the server means that something went wrong during the connection handshake phase. It could be that the client certificate was not accepted, or that the cipher suites available to the client and the server are incompatible.

    To find out what the problem is, you have to look at the network traffic, e.g. with Wireshark. It lets you see every packet that is sent.

    Additionally, I would test the certificates with OpenSSL using the s_client mode - just to make sure it is not a general problem with your client certificate.

    【Discussion】:

    • Thanks for your reply. Unfortunately I am very new to openssl. Could you give an example of how I can verify my certificates?
    • OpenSSL cannot work with JKS keystores, so you have to extract the server/root certificate, the client certificate and the client key into files. After that you can run openssl s_client -connect mycomputer.mynetwork:443 -cert client.cer -certform DER -key client.key -CAfile root.cer
    • OK, I tried it.. it says return code "0", so the certificate should be fine
    • Still getting the same error. Already tried to verify the certificates. They seem fine. The network traffic is a bit strange. I cannot see the client certificate being transferred. I remember that earlier I saw the server request a client certificate. But the client certificate was transferred. I can see it in my server application. Does anyone have further suggestions?
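The answer attributes the reset to the handshake, and the last comment reports that no client certificate shows up on the wire even though the server asks for one. In the Java TLS stack that combination usually means the key manager found nothing it was willing to present. The following diagnostic is an added example, not code from the question or from HttpComponents: it loads the two keystores named in the question and checks the conditions under which JSSE sends an empty Certificate message: the client keystore holds only a trusted-certificate entry and no private key, the certificate is outside its validity period or its key-usage extensions rule out client authentication, or its issuer is not among the CAs the server lists in CertificateRequest. The class name ClientCertCheck is assumed, and the subjects of the certificates in server.jks are used as a stand-in for the issuer list the real server sends.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added diagnostic (class name assumed), not part of the question or of HttpComponents.
// It asks the JSSE key manager the question the handshake asks on CertificateRequest:
// "which private-key entry, if any, would you present for these issuers?"
public class ClientCertCheck {
    // id-kp-clientAuth: the extendedKeyUsage purpose for TLS client authentication
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    // Returns the number of private-key entries; prints what is wrong with each entry.
    static int inspectKeyEntries(KeyStore clientKs) throws Exception {
        int keyEntries = 0;
        for (Enumeration<String> e = clientKs.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // A trusted-certificate entry (certificate without key) can never be presented.
            if (!clientKs.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key -> unusable for client auth");
                continue;
            }
            keyEntries++;
            Certificate[] chain = clientKs.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": key entry, subject=" + leaf.getSubjectX500Principal()
                    + ", issuer=" + leaf.getIssuerX500Principal() + ", chain length=" + chain.length);
            try {
                leaf.checkValidity(); // expired or not-yet-valid certificates are rejected by the server
            } catch (CertificateException ex) {
                System.out.println("  WARNING: not valid at the current time: " + ex.getMessage());
            }
            boolean[] keyUsage = leaf.getKeyUsage();
            if (keyUsage != null && !keyUsage[0]) { // bit 0 = digitalSignature
                System.out.println("  WARNING: keyUsage lacks digitalSignature");
            }
            List<String> eku = leaf.getExtendedKeyUsage();
            if (eku != null && !eku.contains(CLIENT_AUTH_OID)) {
                System.out.println("  WARNING: extendedKeyUsage present but without clientAuth");
            }
        }
        return keyEntries;
    }

    // Subjects of every certificate in the truststore, used as a stand-in for the issuer
    // list the server sends in CertificateRequest (an assumption; the real list is visible
    // in Wireshark or with -Djavax.net.debug=ssl,handshake).
    static Principal[] trustedIssuers(KeyStore trustKs) throws Exception {
        List<Principal> issuers = new ArrayList<Principal>();
        for (Enumeration<String> e = trustKs.aliases(); e.hasMoreElements();) {
            Certificate c = trustKs.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                issuers.add(((X509Certificate) c).getSubjectX500Principal());
            }
        }
        return issuers.toArray(new Principal[issuers.size()]);
    }

    public static void main(String[] args) throws Exception {
        // File names and password as in the question
        KeyStore clientKs = load("client.jks", "bara");
        KeyStore trustKs = load("server.jks", "bara");
        if (inspectKeyEntries(clientKs) == 0) {
            System.out.println("No private-key entry: the client will never send a certificate.");
            return;
        }
        // Let the platform's default key manager choose, as HttpClient's SSLSocketFactory does internally
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, "bara".toCharArray());
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        String[] keyTypes = { "RSA", "EC", "DSA" };
        String anyIssuer = km.chooseClientAlias(keyTypes, null, null);
        String trustedOnly = km.chooseClientAlias(keyTypes, trustedIssuers(trustKs), null);
        System.out.println("Alias chosen for any issuer: " + anyIssuer);
        System.out.println("Alias chosen for the CAs in server.jks: " + trustedOnly);
        if (anyIssuer != null && trustedOnly == null) {
            System.out.println("Issuer mismatch: the client certificate was not issued by a CA the server trusts.");
        }
    }
}
```

Compile with javac and run with java ClientCertCheck in the directory that holds client.jks and server.jks. If the key manager picks an alias for any issuer but none for the CAs in the truststore, the client certificate was issued by a CA the server does not name, which is consistent with the server asking for a certificate and the client answering with an empty Certificate message. Running the original client with -Djavax.net.debug=ssl,handshake prints the server's actual CertificateRequest, including its issuer list, and shows whether the Certificate message the client sends back is empty.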