【发布时间】:2014-11-12 10:56:52
【问题描述】:
我在 JavaRMI 应用程序中 SSL 握手的最开始遇到了一些问题。
我的应用程序在标准 RMI 套接字上运行良好,但如果我按照本指南将默认套接字更改为 SSL 套接字,它不会完成握手:https://blogs.oracle.com/lmalventosa/entry/using_the_ssl_tls_based
所以,我将 Activatable Server 的构造函数从
public MyActivatableServer(ActivationID id, MarshalledObject<MyType> obj)
throws RemoteException
{
// Some code ...
// int port = ...
// Other code ...
Activatable.exportObject(this, id, port);
}
到
public MyActivatableServer(ActivationID id, MarshalledObject<MyType> obj)
throws RemoteException
{
// Some code ...
// int port = ...
// Other code ...
Activatable.exportObject(this, id, port, new SslRMIClientSocketFactory(),
new SslRMIServerSocketFactory());
}
然后我按照本指南创建了一个 Keystore 和一个 Truststore:http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
此时在服务器端我有这些文件:
- keystore(带密码:“password”);
- truststore(密码:“trustword”);
- user.cer(自签名证书)。
我在客户端复制了 trustore 和 user.cer。
最后我将这些属性添加到启动 Activatable Server 的 JVM 中:
- -Djavax.net.ssl.keyStore=keystore
- -Djavax.net.ssl.keyStorePassword=密码
在我添加的客户端 JVM 上:
- -Djavax.net.ssl.trustStore=truststore
- -Djavax.net.ssl.trustStorePassword=trustword
- -Djavax.net.debug=ssl
这是 ssl 调试的完整输出:http://pastebin.com/sxbLhTnF
我不明白为什么客户端会在“ClientHello”之后收到警报:
*** ClientHello, TLSv1
RandomCookie: GMT: 1410959810 bytes = { 20, 172, 181, 158, 246, 172, 183, 30, 232, 42, 80, 36, 77, 5, 67, 56, 30, 191, 170, 142, 14, 2, 113, 241, 183, 154, 213, 24 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 149
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
【问题讨论】:
-
您是如何“将这些属性添加到启动 Activatable Server 的 JVM”的?
-
显然是错误的JVM :) 感谢您的帮助!!!
-
您必须在安装程序的 ActivationGroup 中定义它们。