The TLS connection failure was caused by a misconfigured PrivateKeyEntry in the keystore file (tls connection was established)(tls handshake error)


This bank customer's cluster had both Spectrum Symphony and Spectrum Conductor installed, running in multihomed mode. This installation and configuration is supported; see the IBM documentation for details.

For security reasons they enabled TLS on tier 2 and tier 3 (see the IBM documentation). The result: on tier 3 everything worked and the web pages could be accessed without problems, but on tier 2 they hit a problem with the following error.

Failed to retrieve the Spark applications. The connection was refused. Please ensure that the required IBM Spectrum Conductor services (ascd and REST) are running or that SSL is properly configured.

We can therefore test the certificate configuration with the following steps.

Connect to the target server with the following command, passing the path to the certificate file:

```
openssl s_client -CAfile /path/to/target/keystore/file -connect target_FQDN:target_port
```

From the tier 3 test result we conclude that the connection is established and both the certificate chain and the server certificate are returned normally, with no problems at all.

```
$ openssl s_client -CAfile /opt/sym/certificates/truststore.pem -connect bens3-a1.svr.us.jpm.net:8643
CONNECTED(00000003)
depth=2 DC = NET, DC = JPMCHASE, DC = EXCHAD, CN = JPMCROOTCA
verify return:1
depth=1 DC = net, DC = jpmchase, DC = exchad, CN = PSIN0P551
verify return:1
depth=0 C = US, ST = NJ, L = Jersey City, O = JPMorg, OU = Compute Backbone, CN = bens3-a1.svr.us.jpm.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NJ/L=Jersey City/O=JPMorg /OU=Compute Backbone/CN=bens3-a1.svr.us.jpm.net
   i:/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
 1 s:/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
   i:/DC=NET/DC=JPMCHASE/DC=EXCHAD/CN=JPMCROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
subject=/C=US/ST=NJ/L=Jersey City/O=JPMorg/OU=Compute Backbone/CN=bens3-a1.svr.us.jpm.net
issuer=/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4767 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5DF8DBBCAA37AC5D809C6831174368C0545E3E06A0E8BE2F6450F03C96DCA198
    Session-ID-ctx:
    Master-Key: 582ABE9363DE36147A845750A7199639CF8CC88D7C3C50EE3B3C7941EE9713F120DF8558504F41CECB6838C5B6E32C47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1576590268
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```

For tier 2 the test result is shown below: the handshake fails with an `sslv3 alert handshake failure` error, and the server's certificate chain and certificate are not returned. This further indicates that the tier 3 certificate configuration has a problem.

```
[[email protected] ibm]# openssl s_client -CAfile /opt/sym/certificates/truststore.pem -connect bens3-ca001.svr.us.jpm.net:6091
CONNECTED(00000003)
139871883896720:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), C
```

Run the following command to inspect your keystore file: `keytool -list -keystore your_keystore_file`

Below is part of the `keytool -list` output provided by the customer.

```
[[email protected] egoadmin]# keytool -list -keystore psk2-eng2-tier2and3.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries:

rootca, Dec 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 1A:58:C1:67:02:09:45:31:0F:25:E9:90:B9:94:CD:59:C8:F2:A5

psk2-eng2-tier3, Dec 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 38;18;DB;6C;CE:C6;45;EF;99:B9;A5:A9:A3:F:E7.11.82:D8.BC.C6

psk2-eng2-tier2, Dec 18,201
```

To resolve the problem, the customer therefore had to regenerate the certificates and rebuild the keystore file. Once that was done, the problem disappeared. The new keystore file contains both PrivateKeyEntry and trustedCertEntry entries.

```
[[email protected] egoadmin]# keytool -list -keystore psk2-eng2-tier2and3.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

rootca, Dec 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 1A:58:C1:67:02:09:45:31:0F:25:E9:90:B9:94:CD:59:C8:F2:6B:A5
psk-eng2-tier3, Dec 18, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 98:A8:DB:6C:CE:C6:35:EF:99:B9:D5:A9:2A:74:E9:71:18:E8:B9:C6
psk-eng2-tier2, Dec 18, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): F2:30:EF:32:B2:43:DE:76:82:40:48:C9:FA:38:C5:6A:E0:74:92:8C
intermediate, Dec 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 35:1E:74:B2:98:01:21:1C:5E:16:58:95:B6:34:20:B4:F7:9C:26:FD
```
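As an added example (not from the original post or from IBM), the shell script below parses a constructed `keytool -list` listing in the format shown above and flags a server alias that is stored as a trustedCertEntry instead of a PrivateKeyEntry, which is the keystore state behind the tier 2 handshake failure. The aliases, dates and fingerprints in the sample are made up, and `tls_probe` simply wraps the `openssl s_client` check used earlier in the post.

```shell
#!/bin/sh
# Added example (not from the original post): detect the failure mode described above,
# where the server alias is a trustedCertEntry instead of a PrivateKeyEntry, so the
# keystore holds no private key and the TLS listener cannot complete the handshake.

# Constructed sample `keytool -list` output; aliases and fingerprints are made up.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

rootca, Dec 6, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44
tier3, Dec 18, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55
tier2, Dec 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66'

# entry_type LISTING ALIAS -> prints the entry type recorded for ALIAS, or "missing".
# Entry lines look like "<alias>, <date>, <type>," so split on ", " and take the last field.
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" -F', ' '
        $1 == alias { sub(/,$/, "", $NF); print $NF; found = 1; exit }
        END { if (!found) print "missing" }'
}

# check_server_alias LISTING ALIAS -> 0 only if ALIAS is a PrivateKeyEntry. A trustedCertEntry
# (the customer's broken state) or a missing alias cannot serve TLS: return 1 and say why.
check_server_alias() {
    _type=$(entry_type "$1" "$2")
    case "$_type" in
        PrivateKeyEntry) return 0 ;;
        *) echo "alias '$2' is '$_type': no private key, TLS server cannot use it" >&2
           return 1 ;;
    esac
}

# tls_probe TRUSTSTORE_PEM HOST PORT -> 0 when openssl verifies the served chain against the
# truststore (the "Verify return code: 0 (ok)" seen on tier 3). Needs network, so it is not
# run by the offline checks below.
tls_probe() {
    openssl s_client -CAfile "$1" -servername "$2" -connect "$2:$3" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Run the offline checks on the sample: tier3 passes, tier2 fails with the reason.
check_server_alias "$SAMPLE_LISTING" tier3 && echo "tier3: ok"
check_server_alias "$SAMPLE_LISTING" tier2 || echo "tier2: rebuild the keystore with a PrivateKeyEntry"
```

On a real cluster, replace `SAMPLE_LISTING` with the output of `keytool -list -keystore your_keystore_file` and check the alias the tier's TLS listener is configured to use.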
