ServerHello Handshake message doesn't contain key exchange


Question


I'm working on a microservice in Java, that has to send an HTTPS GET request to some Frontend server in our environment. The certificate that we are using is self-signed and is in the trust store of the microservice.

I'm using CloseableHttpClient of Apache that is configured with that trust store and all the necessary configurations.
However, when trying to send the GET request I get an exception of: "PKIX path building failed" and "unable to find valid certification path to requested target". (I've searched that error and already saw related solutions but they are not relevant to my problem, please continue reading)

I tried to run it with the debug flag of -Djavax.net.debug=all and I've noticed that in the description of "Consuming ServerHello handshake message" there's no key exchange attribute and details.

The problem is probably not related to the client, because when sending HTTP GET requests to a different endpoint it works, and I do see the key exchange as expected...

I appreciate your help.

Answer 1

Score: 1

> "PKIX path building failed” 和 “unable to find valid certification path to requested target”。

这些消息意味着客户端无法验证服务器的证书,因为本地找不到受信任的CA。至少在TLS 1.2之前,客户端在收到服务器证书之前不会启动密钥交换。这意味着如果在此阶段证书验证失败,将不会尝试进行密钥交换。

> 问题可能与客户端无关,因为当向不同的端点发送HTTP GET请求时,它可以正常工作,并且我确实看到预期的密钥交换…

问题可能与客户端或服务器有关。可能是服务器只提供了自签名证书,由不受信任的CA颁发的证书,或者没有发送必要的中间证书来构建信任链。还可能是客户端根本不信任服务器使用的特定CA,而客户端却信任不同服务器使用的不同CA。

为了解决这个问题,首先需要通过查看服务器发送的证书,并将其与客户端设置中预期的根CA进行比较,来确定问题的原因。然后要么修复客户端或服务器设置。

英文:

> "PKIX path building failed” and “unable to find valid certification path to requested target”.

These messages mean that the client is unable to validate the server's certificate since no trusted CA is found locally. At least until TLS 1.2 the client does not start the key exchange until the server certificate is received. This means that if certificate validation fails at this stage no key exchange will be attempted.

> The problem is probably not related to the client, because when sending HTTP GET requests to a different endpoint it works, and I do see the key exchange as expected...

The problem can be related to the client or to the server. It might be that the server only provides a self-signed certificate, a certificate issued by an untrusted CA or does not send the necessary intermediate certificates to build the trust chain. It can also be though that the client simply does not trust the specific CA used by the server while the client trusts the different CA used by a different server.

To solve the issue one thus needs to figure out first what the cause of the problem is by looking at the certificates sent by the server and comparing these to the expected root CA in the client setup. Then either fix the client or server setup.
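Following the answer's advice, here is an added diagnostic (my example, not code from the question or the answer): it captures the chain the server actually presents, prints each certificate's subject and issuer, then validates that chain against the microservice's trust store with the same PKIX trust manager that JSSE (and therefore Apache HttpClient) uses, so the failure can be reproduced outside the service. The class name ChainCheck, the argument order, and the authType strings derived from the leaf key type are my assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// ChainCheck: hypothetical diagnostic (not from the question/answer). Usage: java ChainCheck <host> <port> <truststore> <password>
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0], trustStorePath = args[2];
        int port = Integer.parseInt(args[1]);
        char[] trustStorePassword = args[3].toCharArray();
        // Step 1: capture the chain the server presents. This trust manager only records
        // the chain so the handshake completes; it is for diagnosis, never for production use.
        final X509Certificate[][] captured = new X509Certificate[1][];
        TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { captured[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        X509Certificate[] chain = captured[0];
        if (chain == null) { System.out.println("No server certificate received"); return; }
        System.out.println("Server sent " + chain.length + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal());
            System.out.println("  issuer =" + c.getIssuerX500Principal());
        }
        // Step 2: validate that chain against the trust store exactly as the default
        // PKIX trust manager (used by JSSE and therefore by HttpClient) would.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        // authType is the TLS 1.2 key-exchange name matching the leaf key type (assumed choice)
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            pkix.checkServerTrusted(chain, authType);
            System.out.println("OK: chain validates against " + trustStorePath);
        } catch (CertificateException e) {
            System.out.println("FAIL: " + e.getMessage());  // e.g. "PKIX path building failed: ..."
            System.out.println("Trust anchors in " + trustStorePath + ":");
            for (X509Certificate a : pkix.getAcceptedIssuers()) System.out.println("  " + a.getSubjectX500Principal());
        }
    }
}
```

A chain of length 1 whose subject equals its issuer is a bare self-signed certificate, so that exact certificate must appear among the printed anchors; a longer chain whose last issuer matches none of the anchors points to a missing intermediate or root on one side.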

huangapple
  • Posted on 2 October 2020 04:35:45
  • When reposting, please keep the link to this article: https://go.coder-hub.com/64162816.html