Java SSL握手异常
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3775483/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSL HandShake exception
提问by ganuke
I use SSL connection to connect web client to server. It works without any problem for a long time. But from yesterday it gives following error can anyone tell me the reason.
我使用 SSL 连接将 Web 客户端连接到服务器。它工作很长时间没有任何问题。但是从昨天开始,它给出了以下错误,谁能告诉我原因。
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1172)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65)
at net.schubart.fixme.internal.MessageInput.readExactly(MessageInput.java:166)
at net.schubart.fixme.internal.MessageInput.readMessage(MessageInput.java:78)
at cc.aot.itsWeb.ClientWriterThread.run(ClientWriterThread.java:241)
at java.lang.Thread.run(Thread.java:619)
clientWriter.ready
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1586)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:865)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.OutputStream.write(OutputStream.java:58)
at net.schubart.fixme.internal.Message.write(Message.java:267)
at net.schubart.fixme.internal.MessageOutput.writeMessage(MessageOutput.java:53)
回答by Steven
Check the the cert is valid, you can do this with your browser.
检查证书是否有效,您可以使用浏览器执行此操作。
回答by David Grant
The certificate presented by the server is not trusted. This may be due to the certificate being expired, or the trust manager not being able to establish a chain of trust to any of the certificates in your trust store.
服务器提供的证书不受信任。这可能是由于证书已过期,或者信任管理器无法建立信任存储区中任何证书的信任链。
回答by sealz
You can check the certificate via the browser.
您可以通过浏览器检查证书。
In Internet Explorer
在 Internet Explorer 中
Right Click >> Properties >> Certificates
Once in the Certificates Window you can view the entire certificate tree as well.
进入证书窗口后,您还可以查看整个证书树。
If you have an invalid certificate you may want to look into a solution using the keytoolcommand.
如果您的证书无效,您可能需要使用该keytool命令查看解决方案。
回答by fancy
回答by Rusty Umt
I think you have to add keystore in jre1.6 cacert. Then deploy again your server .By the way you can use to add keystorePORTECLEprogram . it is very useful.
我认为您必须在jre1.6 cacert. 然后再次部署您的服务器。顺便说一下,您可以使用添加keystorePORTECLE程序。这是非常有用的。
回答by user3430832
I have spent more than 12 hours on this issue. After creating a self-signed certificate it is required to export that certificate to the cacertfile. In my case it was located in /usr/lib/java/jre/lib/security/cacert. You can export the certificate by using the keytool(you probably have to have root access):
我在这个问题上花了超过 12 个小时。创建自签名证书后,需要将该证书导出到cacert文件中。就我而言,它位于/usr/lib/java/jre/lib/security/cacert. 您可以使用keytool(您可能必须具有 root 访问权限)导出证书:
$ sudo keytool -exportcert -alias keyStoreAlias -keystore \
keyStoreKeys.keys -file /usr/local/java/jre/lib/security/cacerts
回答by Ryan D
I would first check to see if the cert in question has expired. Have run into this many times when working with vendors. They can update their certs without letting us know.
我会首先检查有问题的证书是否已过期。在与供应商合作时遇到过很多次。他们可以在不通知我们的情况下更新他们的证书。
回答by Joshua Michael Waggoner
The problem you're having is with the certificates. Here is a list of things you might need to be familiar with before working with a secure SSL program. There must be a truststore, keystore, and the certs have to be added. To add the key to your cacerts file, as in step 6, the computer might ask you for a password that you don't know. It is "changeit" mostt likely
您遇到的问题是证书。在使用安全 SSL 程序之前,您可能需要熟悉以下内容列表。必须有信任库、密钥库,并且必须添加证书。要将密钥添加到您的 cacerts 文件中,如步骤 6 中所述,计算机可能会要求您输入您不知道的密码。最有可能是“changeit”
1) To create a new keystore and self-signed certificate with corresponding public/private keys:
1) 使用相应的公钥/私钥创建新的密钥库和自签名证书:
keytool -genkeypair -alias "username" -keyalg RSA -validity 7 -keystore keystore
2) To Examine the keystore:
2) 检查密钥库:
keytool -list -v -keystore keystore
3) Export and examine the self-signed certificate:
3) 导出并检查自签名证书:
keytool -export -alias "username" -keystore keystore -rfc -file "username".cer
4) Import the certificate into a new truststore:
4) 将证书导入新的信任库:
keytool -import -alias "username" -file "username".cer -keystore truststore
5) Examine the truststore:
5)检查信任库:
keytool -list -v -keystore truststore
6) Add to keystore (this is what your looking for):
6)添加到密钥库(这是您要找的):
sudo keytool -import -file "username".cer -alias "username" -keystore "path-to-keystore"
On some systems this is found in
在某些系统上,这可以在
/usr/lib/jvm/<java version folder>/jre/lib/security/cacerts
and on other systems it is something like
在其他系统上它就像
/etc/ssl/certs/java/cacerts
Check out this project on Git-Hub if you need more clarification: https://github.com/rabbitfighter81/JSSLInfoCollectionServerAnd here is a shell script that helps with keys. https://github.com/rabbitfighter81/SSLKeytool
如果您需要更多说明,请查看 Git-Hub 上的这个项目:https: //github.com/rabbitfighter81/JSSLInfoCollectionServer这是一个帮助处理密钥的 shell 脚本。 https://github.com/rabbitfighter81/SSLKeytool
回答by Mikematic
This 'certificate_unknown' is a very misleading error message. This is the same error message thrown when a certificate has expired even if it is in the truststore. I suggest checking the expiration date of the certificate before you waste your time on anything else.
这个“certificate_unknown”是一个非常具有误导性的错误消息。这与证书过期时抛出的错误消息相同,即使它在信任库中也是如此。我建议您在将时间浪费在其他任何事情上之前检查证书的到期日期。
回答by Zds
When I received this error, the problem was that the server certificate was using signature algorithm SHA1withRSA and Android 8.0 client. Switching to server certificate based on SHA256withRSA fixed the issue.
当我收到此错误时,问题是服务器证书使用签名算法 SHA1withRSA 和 Android 8.0 客户端。切换到基于 SHA256withRSA 的服务器证书解决了该问题。
