Estou usando JDK 23, Spring Boot 3.4.1. Eu crio materiais confiáveis seguindo https://github.com/kirilarsov/mtls/blob/main/README.md e aplico o recurso SSLBundle do Spring Boot ( https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl )
keytool -genkeypair -alias server -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Server,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore server.p12 -storeType PKCS12 -storepass changeit
keytool -genkeypair -alias client -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Client,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore client.p12 -storeType PKCS12 -storepass changeit
keytool -exportcert -alias client -file client.cer -keystore client.p12 -storepass changeit
keytool -exportcert -alias server -file server.cer -keystore server.p12 -storepass changeit
keytool -importcert -keystore client-truststore.p12 -alias server-public -file server.cer -storepass changeit -noprompt
keytool -importcert -keystore server-truststore.p12 -alias client-public -file client.cer -storepass changeit -noprompt
Mas quando eu uso SSLBundle, sempre pego erro
javax.net.ssl|INFO|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|AlpnExtension.java:179|No available application protocols
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SessionTicketExtension.java:352|Stateless resumption supported
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.442 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.539 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|PreSharedKeyExtension.java:659|No session to resume.
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.544 GMT+07:00|ClientHello.java:638|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "E77AF343A88EC48D9F25215023BB546C7869E14F62486BB251DFBEFCC559C957",
"session id" : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"server_name (0)": {
type=host_name (0), value=Server
},
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: F4 CE 71 61 2C DF B8 F3 B7 4B FE DB AD BA 2C 36 ..qa,....K....,6
0010: 82 D9 C0 24 C8 E1 F1 B0 AB 9B 9E 41 F9 F4 85 78 ...$.......A...x
}
},
{
"named group": secp256r1
"key_exchange": {
0000: 04 57 EA 73 91 49 E3 54 40 19 77 63 A0 D9 08 7E [email protected]....
0010: E9 88 28 B4 C9 F3 DE 90 71 80 1A 82 7E 49 88 3D ..(.....q....I.=
0020: 82 34 62 A4 44 C6 F7 CA 37 7E 7E 84 89 83 DF 1C .4b.D...7.......
0030: 05 D8 64 3C 20 C4 FB EA 06 40 BB D9 E7 A8 59 10 ..d< [email protected].
0040: E6
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:892|Consuming ServerHello handshake message (
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "385B3637216A5EE39A33137C69C5D3F2037F524AC254CB4CED53FE4B87D3DC3D",
"session id" : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
"cipher suite" : "TLS_AES_256_GCM_SHA384(0x1302)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 50 FF BB 0F 35 37 8C 80 8E 3B D4 48 23 4E FD F9 P...57...;.H#N..
0010: 3C 15 84 15 35 28 D9 39 49 2B FB 87 DD 6F 57 6D <...5(.9I+...oWm
}
},
}
]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:988|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:204|Consumed extension: key_share
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|PreSharedKeyExtension.java:922|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1836|KeyLimit read side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1987|KeyLimit write side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.640 GMT+07:00|ChangeCipherSpec.java:244|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|EncryptedExtensions.java:172|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
"supported_groups (10)": {
"named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
}
]
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_groups
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|CertificateRequest.java:974|Consuming CertificateRequest handshake message (
"CertificateRequest": {
"certificate_request_context": "",
"extensions": [
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
},
"certificate_authorities (47)": {
"certificate authorities": [
CN=Client, OU=Server, O=Examples, L=, ST=CA, C=U]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
}
]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: certificate_authorities
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: certificate_authorities
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|CertificateMessage.java:1143|Consuming server Certificate handshake message (
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
{
"certificate" : {
"version" : "v3",
"serial number" : "00:fe:0f:1d:85:55:76:f1:12",
"signature algorithm": "SHA384withRSA",
"issuer" : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
"not before" : "2025-01-09 11:57:07.000 GMT+07:00",
"not after" : "2026-01-09 11:57:07.000 GMT+07:00",
"subject" : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D FB 7F 8F 60 53 4C A7 0B 4E E0 A7 A7 D2 97 9A ....`SL..N......
0010: 44 AD E6 84 D...
]
]
}
]}
"extensions": {
<no extension>
}
},
]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|ERROR|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.652 GMT+07:00|TransportContext.java:375|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
at java.base/sun.security.validator.Validator.validate(Validator.java:256)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1304)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1274)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1597)
at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1148)
at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:178)
at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1143)
at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1109)
at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:508)
at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:283)
at java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:182)
at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:207)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1575)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
... 26 more}
)
O SSLBundle do Spring Boot pode funcionar com certificados sem CA (apenas autenticação mútua, não CA)?
É possível ter tls mútuos sem ca. Acho que você está na direção certa, mas faltam algumas partes importantes no comando, o que está resultando nesse problema.
Tenho os seguintes comandos que devem resolver o problema para você.
Crie a identidade do servidor
Crie a identidade do cliente
Certificado de exportação do servidor
Certificado de exportação do cliente
Crie o truststore do servidor com o certificado do cliente
Crie o truststore do cliente com o certificado do servidor
Acho que a principal diferença entre os comandos que usei é a parte da extensão, que,
-ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth
fora isso, é bem parecida.Você pode tentar novamente os passos acima e compartilhar seus resultados?
Aqui você também pode encontrar mais informações sobre essas etapas e um exemplo prático que eu mesmo criei: https://github.com/Hakky54/mutual-tls-ssl
A resposta curta é sim. É possível, você só precisa adicionar uma maneira para o cliente saber que pode confiar no seu certificado (ou ignorar verificações).
Você pode:
Detalhes sobre como fazer isso dependerão do cliente. Parece que seu cliente é um cliente Java, então aqui está um exemplo para um RestClient