2016-11-01 10 views

Certificate unknown error - using trustStore in Java

On JDK 1.4.2, my server-side code attempts but cannot connect to the Google URL over HTTPS (for reCAPTCHA verification). The handshake appears to fail with a fatal alert certificate_unknown once it reaches the GeoTrust certificate in the chain. I have used keytool to confirm that the valid GeoTrust certificate is in the trust store. The client-side certificate is self-signed, generated by keytool; it does not seem to be involved yet at the point of this error. My questions are:

  • Is this JDK version simply too old?
  • How can I verify that the trust store is actually being used? The debug output gives no indication on that point. I have definitely set the trust store location explicitly in my code.

I would appreciate any insight into how to get this working. Thanks.

Part of my code:

// Full JSSE debug tracing; the javax.net.* properties must be set before the first SSL connection is opened
System.setProperty("javax.net.debug", "all");
debug.println(" -- java home: " + System.getProperty("java.home"));
// Trust store holding the CA certificates the server's chain must validate against
System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home") + "/lib/security/cacerts");
debug.println(" -- javax.net.ssl.trustStore: " + System.getProperty("javax.net.ssl.trustStore"));
// Key store holding the self-signed client certificate generated with keytool
System.setProperty("javax.net.ssl.keyStore", System.getProperty("java.home") + "/lib/security/sl-test.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStorePassword", "password");
URL u = new URL(VERIFY_URL);
HttpsURLConnection urlConn = (HttpsURLConnection) u.openConnection();

debug.println(" -- set params");
urlConn.setRequestMethod("POST");
urlConn.setDoOutput(true);
// Form body for the reCAPTCHA verify endpoint; the "&" before remoteip was missing in the original
String params = "secret=" + secretKey + "&response=" + answer + "&remoteip=" + remoteIP;

debug.println(" -- write");
// The handshake is triggered here, when the connection's output stream is first opened
DataOutputStream wr = new DataOutputStream(urlConn.getOutputStream());
wr.writeBytes(params);
wr.flush();
...

Debug output:

11/1/16 6:29:59 AM, Debug: -- java home: /usr/local/j2sdk1.4.2_13/jre 
11/1/16 6:29:59 AM, Debug: -- javax.net.ssl.trustStore: /usr/local/j2sdk1.4.2_13/jre/lib/security/cacerts 
11/1/16 6:29:59 AM, Debug: -- set params 
11/1/16 6:29:59 AM, Debug: -- write 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1477941207 bytes = { 45, 37, 131, 243, 221, 171, 180, 252, 49, 49, 23, 95, 184, 46, 27, 142, 123, 251, 231, 191, 36, 237, 192, 105, 13, 131, 247, 18 } 
Session ID: {} 
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 
Compression Methods: { 0 } 
*** 
thread-pool-26, WRITE: TLSv1 Handshake, length = 73 
thread-pool-26, WRITE: SSLv2 client hello message, length = 98 
thread-pool-26, READ: TLSv1 Handshake, length = 74 
*** ServerHello, TLSv1 
RandomCookie: GMT: 1477941207 bytes = { 197, 41, 29, 25, 107, 127, 2, 82, 166, 216, 201, 197, 71, 86, 192, 136, 13, 41, 74, 115, 11, 230, 3, 56, 247, 142, 3, 84 } 
Session ID: {98, 65, 244, 32, 10, 29, 122, 200, 236, 125, 14, 230, 208, 25, 47, 42, 248, 37, 243, 170, 183, 55, 207, 106, 178, 32, 136, 84, 11, 199, 209, 223} 
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA 
Compression Method: 0 
*** 
%% Created: [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA] 
** TLS_RSA_WITH_AES_128_CBC_SHA 
thread-pool-26, READ: TLSv1 Handshake, length = 3081 
*** Certificate chain 
chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US 
    Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11 

    Validity: [From: Wed Oct 26 03:08:50 PDT 2016, 
      To: Wed Jan 18 01:56:00 PST 2017] 
    Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US 
    SerialNumber: [ 1311feb2 5eb90fa0] 

Certificate Extensions: 8 
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 5C 30 5A 30 2B 06 08 2B 06 01 05 05 07 30 02 .\0Z0+..+.....0. 
0010: 86 1F 68 74 74 70 3A 2F 2F 70 6B 69 2E 67 6F 6F ..http://pki.goo 
0020: 67 6C 65 2E 63 6F 6D 2F 47 49 41 47 32 2E 63 72 gle.com/GIAG2.cr 
0030: 74 30 2B 06 08 2B 06 01 05 05 07 30 01 86 1F 68 t0+..+.....0...h 
0040: 74 74 70 3A 2F 2F 63 6C 69 65 6E 74 73 31 2E 67 ttp://clients1.g 
0050: 6F 6F 67 6C 65 2E 63 6F 6D 2F 6F 63 73 70  oogle.com/ocsp 


[2]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: A5 C0 2B 4A D4 81 93 09 DD 23 15 24 87 95 D4 6A ..+J.....#.$...j 
0010: AB 70 CE B3          .p.. 
] 
] 

[3]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b. 
0010: BA 5A 81 2F          .Z./ 
] 

] 

[4]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://pki.google.com/GIAG2.crl] 
]] 

[5]: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
[DNSName: www.google.com]] 

[6]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1] 
[] ] 
    [CertificatePolicyId: [2.23.140.1.2.2] 
[] ] 
] 

[7]: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]] 

[8]: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
CA:false 
PathLen: undefined 
] 

] 
    Algorithm: [1.2.840.113549.1.1.11] 

] 
chain [1] = [ 
[ 
    Version: V3 
    Subject: CN=Google Internet Authority G2, O=Google Inc, C=US 
    Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11 

    Validity: [From: Tue Mar 31 17:00:00 PDT 2015, 
      To: Sun Dec 31 15:59:59 PST 2017] 
    Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US 
    SerialNumber: [ 023a92] 

Certificate Extensions: 7 
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 22 30 20 30 1E 06 08 2B 06 01 05 05 07 30 01 ."0 0...+.....0. 
0010: 86 12 68 74 74 70 3A 2F 2F 67 2E 73 79 6D 63 64 ..http://g.symcd 
0020: 2E 63 6F 6D          .com 


[2]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b. 
0010: BA 5A 81 2F          .Z./ 
] 
] 

[3]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e 
0010: B8 CA CC 4E          ...N 
] 

] 

[4]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://g.symcb.com/crls/gtglobal.crl] 
]] 

[5]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1] 
[] ] 
] 

[6]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    Key_CertSign 
    Crl_Sign 
] 

[7]: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
CA:true 
PathLen:0 
] 

] 
    Algorithm: [1.2.840.113549.1.1.11] 

] 
chain [2] = [ 
[ 
    Version: V3 
    Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Validity: [From: Mon May 20 21:00:00 PDT 2002, 
      To: Mon Aug 20 21:00:00 PDT 2018] 
    Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US 
    SerialNumber: [ 12bbe6] 

Certificate Extensions: 6 
[1]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e 
0010: B8 CA CC 4E          ...N 
] 
] 

[2]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3 
0010: 98 90 9F D4          .... 
] 

] 

[3]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://crl.geotrust.com/crls/secureca.crl] 
]] 

[4]: ObjectId: 2.5.29.32 Criticality=false 
CertificatePolicies [ 
    [CertificatePolicyId: [2.5.29.32.0] 
[PolicyQualifierInfo: [ 
    qualifierID: 1.3.6.1.5.5.7.2.1 
    qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge 
0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou 
0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79  rces/repository 

]] ] 
] 

[5]: ObjectId: 2.5.29.15 Criticality=true 
KeyUsage [ 
    Key_CertSign 
    Crl_Sign 
] 

[6]: ObjectId: 2.5.29.19 Criticality=true 
BasicConstraints:[ 
CA:true 
PathLen:2147483647 
] 

] 
    Algorithm: [SHA1withRSA] 

] 
*** 
thread-pool-26, SEND TLSv1 ALERT: fatal, description = certificate_unknown 
thread-pool-26, WRITE: TLSv1 Alert, length = 2 
thread-pool-26, called closeSocket() 
thread-pool-26, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate signature validation failed 
11/1/16 6:29:59 AM, Critical: ReCaptcha.verify(), error: Exception while contacting verification site, exception: sun.security.validator.ValidatorException: Certificate signature validation failed 
11/1/16 6:29:59 AM, Debug: ReCaptcha.verify(), success ? false 

1 Answer

    Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
    Signature Algorithm: 1.2.840.113549.1.1.11, OID = 1.2.840.113549.1.1.11

... sun.security.validator.ValidatorException: Certificate signature validation failed

The problem is not a CA missing from the trust store; it is that the signature cannot be verified. Algorithm 1.2.840.113549.1.1.11 refers to sha256WithRSAEncryption, and it appears the application does not understand it.

This signature algorithm was added in JDK 1.4.2, but there are other reports of exactly the same problem with exactly the same JDK version. If upgrading to a later Java version is not possible, I would suggest using BouncyCastle. See Certificate signature validation failed for details.


Thank you. I will look into BouncyCastle before getting into an upgrade. – Braeburn


Used BouncyCastle! Thanks again. – Braeburn
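As an added diagnostic (not code from the question or the answer), the following mimics what the JSSE validator does at each link of the chain: it looks up a Signature engine for the certificate's signature algorithm and then verifies the certificate with its issuer's key, so a missing sha256WithRSAEncryption mapping surfaces as a NoSuchAlgorithmException on a named certificate instead of a bare certificate_unknown alert. It assumes the server chain has been saved leaf-first to a PEM file passed as the first argument (placeholder path), the cacerts store from the question, and, when a second argument "bc" is given, that BouncyCastle is on the classpath; it is written for 1.4-era Java without generics.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class ChainSigCheck {
    public static void main(String[] args) throws Exception {
        if (args.length > 1 && args[1].equals("bc")) {
            // Register BouncyCastle by reflection so this file compiles even without it on the classpath
            Security.addProvider((Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider").newInstance());
        }
        // The same cacerts trust store the question points javax.net.ssl.trustStore at
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts"), "changeit".toCharArray());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream in = new FileInputStream(args[0]); // PEM file with the server chain, leaf first (placeholder path)
        X509Certificate[] chain = (X509Certificate[]) cf.generateCertificates(in).toArray(new X509Certificate[0]);
        in.close();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            // An OID the JDK cannot map to a name (here 1.2.840.113549.1.1.11) comes back as the bare OID string
            System.out.println("chain[" + i + "] " + cert.getSubjectDN());
            System.out.println("  sigalg=" + cert.getSigAlgName() + " oid=" + cert.getSigAlgOID());
            try {
                Signature s = Signature.getInstance(cert.getSigAlgName());
                System.out.println("  engine supplied by provider " + s.getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                System.out.println("  no provider for this algorithm: the validator fails here (certificate_unknown)");
                continue;
            }
            // Issuer key comes from the next chain element, or from a trust anchor for the last one
            PublicKey issuerKey = (i + 1 < chain.length) ? chain[i + 1].getPublicKey() : findAnchorKey(ts, cert);
            if (issuerKey == null) { System.out.println("  issuer not found in trust store"); continue; }
            try {
                cert.verify(issuerKey); // the check behind "Certificate signature validation failed"
                System.out.println("  signature verified");
            } catch (GeneralSecurityException e) {
                System.out.println("  signature check failed: " + e);
            }
        }
    }

    // Find a trust anchor whose subject equals this certificate's issuer and return its public key
    static PublicKey findAnchorKey(KeyStore ts, X509Certificate cert) throws KeyStoreException {
        for (Enumeration e = ts.aliases(); e.hasMoreElements();) {
            Certificate c = ts.getCertificate((String) e.nextElement());
            if (c instanceof X509Certificate && ((X509Certificate) c).getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
                return c.getPublicKey();
        }
        return null;
    }
}
```

Run it once without and once with the "bc" argument: if the first run stops at chain[0] with "no provider for this algorithm" and the second verifies every link, the failure is the signature algorithm, not the trust store contents, which is the answer's diagnosis.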
