在tomcat使用APR / Openssl时获取客户端证书身份验证的问题-Java 学习之路

我正在尝试使用客户端证书身份验证（相互SSL身份验证）与使用APR的tomcat服务器（8.0.23） . 这一切都适用于使用常规基于java的io的tomcat，但在使用native io（和基于openssl的加密）时验证客户端签名时失败 . 我可以使用openssl s_client来解决这个问题（见下文） - 它会记录SSL警报号51（我已经广泛搜索了这个，没有任何帮助） .

当我运行openssl s_server并尽可能地将其配置为tomcat配置时，它可以工作!!我在两种情况下都使用完全相同的s_client命令（只有端口不同） - 所有服务器和客户端都在同一台机器上运行 .

任何帮助将不胜感激 .

Tomcat：8.0.23
Openssl：1.0.2a-fips 2015年3月19日
操作系统：CentOS Linux 7（核心）
CPE操作系统名称：cpe：/ o：centos：centos：7
内核：Linux 3.10.0-229.el7.x86_64

Tomcat连接器配置：
<连接器端口= "8444" protocol = "HTTP/1.1"
maxThreads = "150" SSLEnabled = "true" scheme = "https" secure = "true"
SSLCipherSuite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA" SSLHonorCipherOrder = "true"
SSLCertificateFile = "/var/keys/star_dmiapps_com.cer"
SSLCertificateChainFile = "/var/keys/star_dmiapps_com.chain.cer"
SSLCertificateKeyFile = "/var/keys/star_dmiapps_com.key"
SSLPassword =“XXXXXXX”
SSLVerifyClient = "optional"
SSLVerifyDepth = "4"
SSLCACertificateFile =“/ USR /本地/键/ uberChain.crt” />

s_server命令行

openssl s_server -cert /var/keys/star_dmiapps_com.cer -cipher "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA" -serverpref -key /var/keys/star_dmiapps_com.key -pass pass：xxxxxxxx -CAfile /usr/local/keys/uberChain.crt-verify 4

与tomcat交谈时从s_client输出：

depth = 2 C = US，O = DigiCert Inc，OU = www.digicert.com，CN = DigiCert Global Root CA
验证回报：1
depth = 1 C = US，O = DigiCert Inc，CN = DigiCert SHA2安全服务器CA.
验证回报：1
depth = 0 C = US，ST = Maryland，L = Bethesda，O = "Digital Management, Inc."，CN = .dmiapps.com
验证回报：1
140679845054368:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1259:SSL alert number 51
140679845054368：错误：140790E5：SSL例程：SSL23_WRITE：ssl握手失败：s23_lib.c：184：
连（00000003）

证书链
0 s：/ C = US / ST = Maryland / L = Bethesda / O = Digital Management，Inc. / CN = . dmiapps.com
i：/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
1 s：/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
i：/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA
2 s：/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA
i：/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA

服务器证书
-----开始证书-----
MIIFHjCCBAagAwIBAgIQA HdMPwp8NAjvkVYy Y4fDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTE3MDAwMDAwWhcN
.
.
.
89v8qonrsSCd7AGtKTqf wp6S0LT5KIbvCAq2ZnJ2O8UI1wESswSzZsq1CMOmdl2
gOlXzAf6 sF9jWIyvB8EQYF057zNk0zKEmBs0cyBRLgnV9Zj3bZQxFt 5ZMdODCn
D8d / WE5cE70nnsqcCIiBM5du
-----结束证书-----
subject = / C = US / ST = Maryland / L = Bethesda / O = Digital Management，Inc . / CN = * . dmiapps.com issuer = / C = US / O = DigiCert Inc / CN = DigiCert SHA2 Secure Server CA
可接受的客户端证书CA名称
/ C = US / ST = Maryland / O = DMI / CN = DMI中间CA.
/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
/ C = US / ST = Maryland / L = Bethesda / O = DMI / CN = DMI根CA.
/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA
服务器临时密钥：ECDH，prime256v1,256位

SSL握手已读取4278个字节并写入4612个字节
新的，TLSv1 / SSLv3，密码是ECDHE-RSA-AES256-SHA384
服务器公钥是2048位
支持安全重新协商
压缩：无
扩展：无
SSL会话：
协议：TLSv1.2
密码：ECDHE-RSA-AES256-SHA384
会话ID：
会话ID-CTX：
万能钥匙：DEEA668F36C1D567B3CA327338737E674BB89D8A117D31466DC3104E6E02C7CF8009BD41F509A17104096BCAFE95F240
Key-Arg：无
Krb5校长：无
PSK身份：无
PSK身份提示：无
开始时间：1452722344
超时：300（秒）
验证返回码：0（ok）

Output from s_client when talking to s_server

证书链0 s：/ C = US / ST = Maryland / L = Bethesda / O = Digital Management，Inc. / CN = . dmiapps.com
i：/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
1 s：/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
I：/ C = US / O = DigiCertInc / OU = www.digicert.com / CN = DigiCert Global Root CA.
2 s：/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA
i：/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA

服务器证书
-----开始证书-----
MIIFHjCCBAagAwIBAgIQA HdMPwp8NAjvkVYy Y4fDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQxMTE3MDAwMDAwWhcN
.
.
.
89v8qonrsSCd7AGtKTqf wp6S0LT5KIbvCAq2ZnJ2O8UI1wESswSzZsq1CMOmdl2
gOlXzAf6 sF9jWIyvB8EQYF057zNk0zKEmBs0cyBRLgnV9Zj3bZQxFt 5ZMdODCn
D8d / WE5cE70nnsqcCIiBM5du
-----结束证书-----
subject = / C = US / ST = Maryland / L = Bethesda / O = Digital Management，Inc . / CN = * . dmiapps.com issuer = / C = US / O = DigiCert Inc / CN = DigiCert SHA2 Secure Server CA
可接受的客户端证书CA名称
/ C = US / ST = Maryland / O = DMI / CN = DMI中间CA.
/ C = US / ST = Maryland / L = Bethesda / O = DMI / CN = DMI根CA.
/ C = US / O = DigiCert Inc / CN = DigiCert SHA2安全服务器CA.
/ C = US / O = DigiCert Inc / OU = www.digicert.com / CN = DigiCert Global Root CA
服务器临时密钥：ECDH，prime256v1,256位
SSL握手已读取5849个字节并写入4861个字节

新的，TLSv1 / SSLv3，密码是ECDHE-RSA-AES256-SHA384
服务器公钥是2048位
支持安全重新协商
压缩：无
扩展：无
SSL会话：
协议：TLSv1.2
密码：ECDHE-RSA-AES256-SHA384
Session 编号：A2978962A54C12A5EEB008A55BAD06872EA1B6BBFCF48C62FD026776BB0AAF
会话ID-CTX：
主钥匙：5D55FD5EF5B5CBDD052F2420FC0D154771F655074BDD58A23B44A20B415E0C404F1F4848E658657685FB797386C28B88
Key-Arg：无
Krb5校长：无
PSK身份：无
PSK身份提示：无
TLS会话票证生命周期提示：300（秒）
TLS会话票：
0000 - 2d 07 bf e6 1e 1d c0 b4-f8 4c 3a 4d f1 c5 4d b7 -... L：M..M .
0010 - 36 c9 d6 b2 43 ae c1 ea-2c 5a 2c 81 5a 7b 0f 09 6 ... C ...，Z，.Z {..
0020 - b0 01 66 dc b6 d1 c7 88-7a a2 d6 38 7b 82 75 02 ..f ..... z..8 { .
.
.
.
0590 - 46 b9 db b2 03 b4 4d 54-f3 27 7c 8e bf a2 44 17 F ..... MT . '| ... D.
05a0 - 54 e5 61 c9 f0 ea 13 aa-4d f4 84 fb b7 34 c5 b1 T.a ..... M .... 4 ..

Start Time: 1452722382

Timeout   : 300 (sec)

Verify return code: 0 (ok)

在tomcat使用APR / Openssl时获取客户端证书身份验证的问题

相关问题