0
우리는 Jetty 6.1로 비누 어댑터를 빌드 한 타사 응용 프로그램을 보유하고 있습니다. 응용 프로그램은 .Net 응용 프로그램에서 SSL 어댑터를 통해 SOAP 어댑터를 통해 인바운드 요청을받습니다.비누 어댑터로 SSL 핸드 셰이크 오류가 발생했습니다.
최근에 SSL 인증서가 만료되었으며 보안 팀이 트러스트 스토어에 새 인증서를 추가했습니다.
문제는 Jetty가 모든 인증서 목록을 가져 오지만 처음 인증서 만 사용 (만료)되어 핸드 셰이크가 실패한다는 것입니다.
다음은 로그의 일부입니다. 텍스트를 숨기려면 xxxxxxxxx로 표시된 행이 거의 없습니다.
이 3 별칭을 보여주고는, 첫 번째 문제가 될 수있는 것을 알아 내기 위해 전문가의 도움이 필요 10월 8일 2017
JsseJCE: Using MessageDigest MD5 from provider IBMJCE version 1.2
JsseJCE: Using MessageDigest SHA from provider IBMJCE version 1.2
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
matching alias: 44240-xxxx-xxxxx-xxxxxx-org
matching alias: 111824-xxxx-xxxxx-xxxxxx-org
matching alias: 109491-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias 44240-xxxx-xxxxx-xxxxxx-org
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
**%% Negotiating: [Session-1, SSL_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1491745993 bytes = { 73, 37, 191, 131, 31, 235, 131, 242, 96, 119, 124, 73, 57, 221, 38, 112, 19, 216, 144, 221, 184, 25, 181, 210, 229, 39, 62, 50 }
Session ID: {89, 234, 61, 201, 31, 215, 166, 2, 132, 100, 188, 234, 63, 57, 167, 114, 199, 190, 119, 228, 154, 176, 153, 236, 115, 222, 35, 98, 53, 182, 88, 140}
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
Cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=xxxx-xxxxx-xxxxxx.org, OU=TreSOAP Server Test-PROD Primary, O=XXXX-XXXXX - internal dmz, L=Saint Louis, ST=Missouri, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: IBMPKCS11Impl RSA Public Key:
Token: false
Private: false
Label: IBMPKCS1162112826090763885165327
Modifiable: true
KeyType: 0
ID:
Start Date: Wed Dec 31 17:59:59 CST 1969
End Date: Wed Dec 31 17:59:59 CST 1969
Derive: false
Local: false
Subject:
Encrypt: true
Verify: true
VerifyRecover: true
Wrap: true
modulus: 26606850225087850589932908027067524318268268224826270839465320725092268136382373728617246685378243753417909514269416692823470338958771068354701078301334195882971493513282715502700026787422539437203244486983379743077668035555448903482759728453372918271687510462097996374206565621965829077017536736170426765991639165149047482746818974654077122772442139310513169191565788646178636478714837968871155118100289147723685748486274263964655017819372517057114974155848311538134591086912352063631149931407513232621741060410510212626457131410022996185588768438731050436344397255226489472133617477053078911021189068729861786067773
modulus bits: 2048
public exponent: 65537
Validity: [From: Wed Oct 09 12:59:36 CDT 2013,
To: Sun Oct 08 12:49:19 CDT 2017]
Issuer: CN=MC Internal Zone Applications sub CA, OU=Global Information Security, O=XXXX, DC=xxxx, DC=com
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: cf 53 c3 63 61 83 f7 cd 4c 99 6a af 72 16 63 ee .S.ca...L.j.r.c.
0010: 63 48 23 2c cH..
]
[CN=Internal Zone Applications root CA, OU=Global Information Security, O=XXXX XXXX, DC=xxxx, DC=com]
SerialNumber: [xxxxxxxxxxxxxxxxxxxxxxxxxxx]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
1.3.6.1.5.5.7.3.1 1.3.6.1.5.5.7.3.2]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8b 74 8c b4 9e 21 d6 dd 86 f0 51 5f 77 c0 21 52 .t........Q.w..R
0010: 78 ab a8 2a x...
]
]
]
Algorithm: [SHA1withRSA]
Signature:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
]
***
*** ServerHelloDone
[email protected], WRITE: TLSv1 Handshake, length = 1443
[email protected], READ: TLSv1 Alert, length = 2
[email protected], RECV TLSv1 ALERT: fatal, handshake_failure
[email protected], fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[email protected], fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure**
에 만료된다.