魅族手机Flyme5.0固件下载
419 2023-04-03 02:36:22
我的应用程序使用由我们自己的CA签名的SSL客户端证书连接到各种Web服务,因此我设置了-Djavax.net.ssl.keyStore和-Djavax.net.ssl.trustStore系统属性.
我已将https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem证书添加到我的trustStore,我可以通过命令行客户端使用SSL连接到MySQL.
我的MySQL连接字符串如下所示:
jdbc:mysql://my-server-id.eu-west-1.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true
我使用mysql:mysql-connector-java:jar:5.1.38来运行JBDC连接.
我发现当我设置trustStore时,我的Java应用程序可以连接到MySQL,但是当我设置keyStore和trustStore时它会失败:
! javax.net.ssl.SSLException: Unsupported record version Unknown-0.0! at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552) ~[na:1.8.0_91]! at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565) ~[na:1.8.0_91]! at sun.security.ssl.InputRecord.read(InputRecord.java:532) ~[na:1.8.0_91]! at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[na:1.8.0_91]! at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]! at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:149) ~[user-portal-web-0.0.1.jar:0.0.1]! ... 40 common frames omitted
似乎Java正在向MySQL发布我的私有CA签名客户端证书,而这正拒绝它.我使用tcpdump捕获了交互,并且我的客户端证书的DN被发送到MySQL.
如何将我的客户端证书用于HTTPS连接,但不能将其用于MySQL连接?
我已经尝试创建一个空的密钥库并设置我的连接字符串来使用它:
jdbc:mysql://my-server-id.eu-west-1.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:nokeys.jks&clientCertificateKeyStorePassword=changeit
这给了我以下错误:
java.lang.IllegalStateException: TrustManagerFactoryImpl is not initialized at sun.security.ssl.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:100) at javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:285) at com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(ExportControlled.java:323) at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:85)您可以通过在连接URL中设置空密钥库来强制MySQL不使用客户端证书.
我上面遇到的问题是https://bugs.mysql.com/bug.php?id=36948的变种 – 如果你在连接URL中设置“clientCertificateKeyStoreUrl”而不是“trustCertificateKeyStoreUrl”(以及下面的其他4个参数),那么MySQL将崩溃“TrustManagerFactoryImpl未初始化”而不是一个更有帮助的错误.
您可以使用以下命令创建一个空密钥库:
keytool -genkey -alias foo -keystore empty.jks # (set password "changeit")keytool -delete -alias foo -keystore empty.jks
然后使用以下URL连接到MySQL:
jdbc:mysql://my-server-id.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:empty.jks&clientCertificateKeyStorePassword=changeit&clientCertificateKeyStoreType=JKS&trustCertificateKeyStoreUrl=file:/etc/pki/cosmos/current/client.jks&trustCertificateKeyStoreType=JKS&trustCertificateKeyStorePassword=changeit
即使您需要默认值,也需要所有6个密钥库args,否则您将看到“TrustManagerFactoryImpl未初始化”错误