Netty wss certificate verification failure



The following error appeared:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Wrong certificate:
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common

This usually means the certificate path is wrong, or the certificate itself is unusable.

I ran into this problem while refactoring the system: ws worked fine, but with wss the certificate verification failed.
The old version ran normally, though; after a day or two of digging I found that the path used when loading the certificate was wrong.

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-9-1, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-9-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
nioEventLoopGroup-9-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-9-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
[Raw write]: length = 7

SSL_NULL_WITH_NULL_NULL is the placeholder cipher suite a session carries before negotiation has agreed on a real one; this part of the log is about cipher-suite matching, and the session is invalidated because no common suite was found.

The following JVM option prints the connection process and the data exchanged:

-Djavax.net.debug=all

The SSL handshake flow is complicated, but it is enough to look at the main lines in the output.

Server-side log

If the printed log does not contain the line below, the certificate was probably loaded from the wrong path:
*** ServerHello, TLSv1.2

Client-side protocol

*** ClientHello, TLSv1.2


Certificate generation tool: mkcert

mkcert -p12-file keystore.p12 -pkcs12 -client 192.168.0.103 127.0.0.1 localhost

Or keytool

Note: specify the RSA algorithm here (-keyalg RSA).
keytool -genkey -keysize 2048 -validity 365 -keyalg RSA -keypass changeit -storepass changeit -keystore wss.jks
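Before wiring the keystore into Netty, it is worth checking that it actually contains what the handshake needs: a private-key entry the key manager can select for RSA (or EC), and subject alternative names that include the host the client connects to. The class below is an added example (not code from the post); it loads the keystore from the classpath rather than from a file path, which also works when the application runs from a jar, and it reports the conditions that produce "no cipher suites in common" (no usable private key, usually a wrong path or a keystore generated without -keyalg RSA) and certificate_unknown (host missing from the SANs or an untrusted issuer). The resource name keystore.p12 and the password changeit are assumptions matching the mkcert and keytool commands above.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Pre-flight check for the server keystore used by the wss SslHandler.
 * Added example; resource name and password are assumptions (keystore.p12 / changeit).
 */
public final class KeystoreCheck {

    /** Loads the keystore from the classpath, which also works when the app runs from a jar. */
    static KeyStore loadFromClasspath(String type, String resource, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = KeystoreCheck.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                // Wrong path: with no key to authenticate with, the handshake would later fail
                // with "no cipher suites in common" and no ServerHello would be logged.
                throw new IllegalStateException("keystore not found on classpath: " + resource);
            }
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases that hold a private key; an empty list means the server cannot complete ServerHello. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Asks the JSSE key manager which alias it would pick for a key type, as the server does. */
    static String serverAliasFor(KeyStore ks, char[] password, String keyType) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String alias = ((X509KeyManager) km).chooseServerAlias(keyType, null, null);
                if (alias != null) {
                    return alias;
                }
            }
        }
        return null; // no usable key of this type: every suite that needs it is dropped
    }

    /** Subject alternative names of the leaf certificate; the client's host must appear here. */
    static List<String> subjectAltNames(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        List<String> names = new ArrayList<>();
        if (cert instanceof X509Certificate) {
            Collection<List<?>> sans = ((X509Certificate) cert).getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    // index 0 is the GeneralName type (2 = dNSName, 7 = iPAddress), index 1 the value
                    names.add(san.get(0) + ":" + san.get(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        KeyStore ks = loadFromClasspath("PKCS12", "keystore.p12", password);
        List<String> keyAliases = privateKeyAliases(ks);
        System.out.println("private key entries: " + keyAliases);
        for (String keyType : new String[] {"RSA", "EC"}) {
            System.out.println(keyType + " server alias: " + serverAliasFor(ks, password, keyType));
        }
        for (String alias : keyAliases) {
            System.out.println(alias + " SANs: " + subjectAltNames(ks, alias));
        }
    }
}
```

Run it with the keystore on the classpath; if the RSA server alias prints as null, the JSSE server will drop every RSA cipher suite and the client sees exactly the "no cipher suites in common" alert from the log above.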

Checking the protocol used by the web request


Loading the certificate for wss

// ResourceUtils.getFile("classpath:...") only resolves when the resource is a real file on disk,
// not when it is packaged inside a jar; see the classpath alternative in SslUtil below.
SSLContext sslContext = SslUtil.createSSLContext("PKCS12",
        ResourceUtils.getFile("classpath:keystore.p12").getPath(), "changeit");
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setNeedClientAuth(false);   // no client certificates required
sslEngine.setUseClientMode(false);    // this engine acts as the server
logger.info(sslContext.getProtocol());
logger.info("支持的协议: " + Arrays.asList(sslEngine.getSupportedProtocols()));
logger.info("启用的协议: " + Arrays.asList(sslEngine.getEnabledProtocols()));
logger.info("支持的加密套件: " + Arrays.asList(sslEngine.getSupportedCipherSuites()));
logger.info("启用的加密套件: " + Arrays.asList(sslEngine.getEnabledCipherSuites()));
// TLS must be the first handler so that everything after it sees decrypted bytes
pipeline.addFirst(new SslHandler(sslEngine));
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class SslUtil {

    private static volatile SSLContext sslContext = null;

    public static SSLContext createSSLContext(String type, String path, String password) throws Exception {
        if (null == sslContext) {
            synchronized (SslUtil.class) {
                if (null == sslContext) {
                    // Supports JKS and PKCS12
                    KeyStore ks = KeyStore.getInstance(type);
                    // Location of the certificate store; try-with-resources closes the stream
                    try (InputStream ksInputStream = new FileInputStream(path)) {
                        // Alternative that also works inside a jar:
                        // InputStream ksInputStream = SslUtil.class.getClassLoader().getResourceAsStream("keystore.p12");
                        ks.load(ksInputStream, password.toCharArray());
                    }
                    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    kmf.init(ks, password.toCharArray());
                    sslContext = SSLContext.getInstance("TLSv1.2");
                    // no custom TrustManager: only server authentication, no client certificates
                    sslContext.init(kmf.getKeyManagers(), null, null);
                }
            }
        }
        return sslContext;
    }
}
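The snippet above only logs the supported and enabled protocols and suites at startup. What a practitioner wants when a wss handshake fails is the outcome of each handshake, with the cause attached, without turning on -Djavax.net.debug=all in production. The class below is an added example (not the post's code) showing a Netty ChannelInitializer that builds the SslHandler from the SslUtil context above and registers a handshake listener: on success it logs the negotiated protocol and cipher suite, on failure it logs the exception (this is where "no cipher suites in common" and the certificate_unknown alert surface). It assumes the SslUtil class from this post, a websocket path of /ws, and a keystore path passed on the command line (keystore.p12 by default).

```java
import io.netty.bootstrap.ServerBootstrap;
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.websocketx.WebSocketServerProtocolHandler;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;

/**
 * wss pipeline that reports the result of every TLS handshake.
 * Added example; assumes the SslUtil class from this post and the /ws websocket path.
 */
public class WssInitializer extends ChannelInitializer<SocketChannel> {

    private final SSLContext sslContext;

    public WssInitializer(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        final SSLEngine engine = sslContext.createSSLEngine();
        engine.setUseClientMode(false);   // server side of the handshake
        engine.setNeedClientAuth(false);  // no client certificates

        SslHandler ssl = new SslHandler(engine);
        ChannelPipeline p = ch.pipeline();
        p.addFirst("ssl", ssl);

        // Completes once ServerHello/Finished are through, or fails with the JSSE exception as cause
        ssl.handshakeFuture().addListener(new GenericFutureListener<Future<Channel>>() {
            @Override
            public void operationComplete(Future<Channel> f) {
                if (f.isSuccess()) {
                    SSLSession s = engine.getSession();
                    System.out.println(ch.remoteAddress() + " handshake ok: "
                            + s.getProtocol() + " " + s.getCipherSuite());
                } else {
                    // e.g. SSLHandshakeException: no cipher suites in common / certificate_unknown
                    System.out.println(ch.remoteAddress() + " handshake failed: " + f.cause());
                }
            }
        });

        p.addLast(new HttpServerCodec());
        p.addLast(new HttpObjectAggregator(64 * 1024));
        p.addLast(new WebSocketServerProtocolHandler("/ws"));
    }

    /** Starts a wss listener on 8443; the keystore path is an assumed command-line argument. */
    public static void main(String[] args) throws Exception {
        String keystorePath = args.length > 0 ? args[0] : "keystore.p12";
        SSLContext ctx = SslUtil.createSSLContext("PKCS12", keystorePath, "changeit");
        EventLoopGroup boss = new NioEventLoopGroup(1);
        EventLoopGroup workers = new NioEventLoopGroup();
        try {
            ServerBootstrap b = new ServerBootstrap()
                    .group(boss, workers)
                    .channel(NioServerSocketChannel.class)
                    .childHandler(new WssInitializer(ctx));
            Channel server = b.bind(8443).sync().channel();
            server.closeFuture().sync();
        } finally {
            boss.shutdownGracefully();
            workers.shutdownGracefully();
        }
    }
}
```

Connecting with a browser to wss://localhost:8443/ws then prints one line per handshake; a failed line with "no cipher suites in common" points back at the keystore (path or key algorithm), while a client-side certificate_unknown alert means the client did not trust the issuer or the host was not in the certificate's SANs.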