使用客户端身份验证进行 Web 服务访问:handshake_failure

我尝试使用 pkcs 12 格式的证书连接到 Web 服务，但我收到此错误 javax.net.ssl.SSLHandshakeException：收到致命警报： handshake_failure.我阅读了堆栈溢出中存在的每个响应，但我无法弄清楚问题出在哪里。

我使用此代码

System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
System.setProperty("javax.net.ssl.keyStore", "certificato.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "<pw>");

和调试日志：

.....
keyStore is : certificato.p12
keyStore type is : pkcs12
keyStore provider is : 
init keystore
init keymanager of type SunX509
....
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(60000) called
main, the previous server name in SNI (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it) was replaced with (type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1522402781 bytes = { 230, 149, 170, 160, 96, 3, 20, 194, 35, 95, 51, 144, 240, 242, 1, 185, 116, 210, 225, 214, 208, 170, 253, 30, 253, 205, 77, 198 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_KRB5_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=wstest.agenziadoganemonopoli.gov.it]
***
main, WRITE: TLSv1.2 Handshake, length = 217
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 843419311 bytes = { 2, 154, 215, 104, 32, 197, 59, 136, 48, 242, 21, 86, 144, 250, 121, 115, 130, 97, 90, 238, 44, 73, 133, 103, 122, 36, 210, 246 }
Session ID:  {3, 111, 126, 100, 51, 57, 110, 201, 135, 102, 65, 156, 56, 132, 148, 198, 229, 47, 220, 146, 214, 66, 71, 233, 251, 146, 231, 74, 20, 55, 43, 145}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 3881
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:  Sun RSA public key, 2048 bits
modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
public exponent: 65537
Validity: [From: Mon May 21 02:00:00 CEST 2018,
To: Thu May 28 14:00:00 CEST 2020]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [    08e09466 2094b01d 65a1b95f 3eb92c66]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 A4 B9 09  ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 63 82 03 F4 00 00 00 04   03 00 47 30 45 02 21 00  c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02   63 E6 9D A6 62 E7 C0 DC  ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B   40 B9 11 FD 4A 2D 1C C4  ..pT....@...J-..
0060: 02 20 2C BC 8B 1A 55 0E   25 8C FC B8 29 55 F5 EE  . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC   A4 F5 9E 6C 38 90 F0 B7  .*..4.....l8...
0080: DD F4 00 77 00 6F 53 76   AC 31 F0 31 19 D8 99 00  ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11   D9 02 C1 00 29 06 8D B2  .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01   63 82 03 F4 69 00 00 04  ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00   B6 41 FD F7 CE 31 4D 75  ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03   2B 6C 97 35 ED 86 DC 25  .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE   02 21 00 D2 C5 BA 46 42  .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F   A3 0C 52 CB 0A BE DD E0  8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E   3B 2B 06 00 76 00 BB D9  ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94   23 97 AA 92 7B 47 38 57  ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96   64 36 8E 1E D1 85 00 00  ...R....d6......
0120: 01 63 82 03 F3 5E 00 00   04 03 00 47 30 45 02 21  .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6   F0 34 B8 FE 57 6D FA 2C  ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68   C6 C2 F0 99 83 F6 EE D1  G7....ch........
0150: CC 02 20 68 47 59 19 AE   02 D3 E6 30 27 EF 48 76  .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A   03 08 38 DC 72 AB ED 65  '..[`..J..8.r..e
0170: 94 A7 5E                                           ..^

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
, 
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
]]  ]
[CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: wstest.adm.gov.it
DNSName: wstest.agenziadoganemonopoli.gov.it
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51   77 C2 23 D7 A0 B9 9F 93  .....:PQw.#.....
0010: 15 A5 2E 98                                        ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
.... deleted ....
]
chain [1] = [
[
Version: V3
Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:  Sun RSA public key, 2048 bits
modulus: 27858400285679723188777933283712642951289579686400775596360785472462618845441045591174031407467141927949303967273640603370583027943461489694611514307846044788608302737755893035638149922272068624160730850926560034092625156444445564936562297688651849223419070532331233030323585681010618165796464257277453762819678070632408347042070801988771058882131228632546107451893714991242153395658429259537934263208634002792828772169217510656239241005311075681025394047894661420520700962300445533960645787118986590875906485125942483622981513806162241672544997253865343228332025582679476240480384023017494305830194847248717881628827
public exponent: 65537
Validity: [From: Fri Mar 08 13:00:00 CET 2013,
To: Wed Mar 08 13:00:00 CET 2023]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [    01fda3eb 6eca75c8 88438b72 4bcfbc91]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/DigiCertGlobalRootCA.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/DigiCertGlobalRootCA.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
]]  ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 23 3E DF 4B D2 31 42 A5   B6 7E 42 5C 1A 44 CC 69  #>.K.1B...B.D.i
0010: D1 68 B4 5D 4B E0 04 21   6C 4B E2 6D CC B1 E0 97  .h.]K..!lK.m....
0020: 8F A6 53 09 CD AA 2A 65   E5 39 4F 1E 83 A5 6E 5C  ..S...*e.9O...n
0030: 98 A2 24 26 E6 FB A1 ED   93 C7 2E 02 C6 4D 4A BF  ..$&.........MJ.
0040: B0 42 DF 78 DA B3 A8 F9   6D FF 21 85 53 36 60 4C  .B.x....m.!.S6`L
0050: 76 CE EC 38 DC D6 51 80   F0 C5 D6 E5 D4 4D 27 64  v..8..Q......M'd
0060: AB 9B C7 3E 71 FB 48 97   B8 33 6D C9 13 07 EE 96  ...>q.H..3m.....
0070: A2 1B 18 15 F6 5C 4C 40   ED B3 C2 EC FF 71 C1 E3  .....L@.....q..
0080: 47 FF D4 B9 00 B4 37 42   DA 20 C9 EA 6E 8A EE 14  G.....7B. ..n...
0090: 06 AE 7D A2 59 98 88 A8   1B 6F 2D F4 F2 C9 14 5F  ....Y....o-...._
00A0: 26 CF 2C 8D 7E ED 37 C0   A9 D5 39 B9 82 BF 19 0C  &.,...7...9.....
00B0: EA 34 AF 00 21 68 F8 AD   73 E2 C9 32 DA 38 25 0B  .4..!h..s..2.8%.
00C0: 55 D3 9A 1D F0 68 86 ED   2E 41 34 EF 7C A5 50 1D  U....h...A4...P.
00D0: BF 3A F9 D3 C1 08 0C E6   ED 1E 8A 58 25 E4 B8 77  .:.........X%..w
00E0: AD 2D 6E F5 52 DD B4 74   8F AB 49 2E 9D 3B 93 34  .-n.R..t..I..;.4
00F0: 28 1F 78 CE 94 EA C7 BD   D3 C9 6D 1C DE 5C 32 F3  (.x.......m..2.
]
chain [2] = [
[
Version: V3
Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key:  Sun RSA public key, 2048 bits
modulus: 28559384442792876273280274398620578979733786817784174960112400169719065906301471912340204391164075730987771255281479191858503912379974443363319206013285922932969143082114108995903507302607372164107846395526169928849546930352778612946811335349917424469188917500996253619438384218721744278787164274625243781917237444202229339672234113350935948264576180342492691117960376023738627349150441152487120197333042448834154779966801277094070528166918968412433078879939664053044797116916260095055641583506170045241549105022323819314163625798834513544420165235412105694681616578431019525684868803389424296613694298865514217451303
public exponent: 65537
Validity: [From: Fri Nov 10 01:00:00 CET 2006,
To: Mon Nov 10 01:00:00 CET 2031]
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [    083be056 904246b1 a1756ac9 5991c74a]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB   66 F0 A3 E2 1B 1B C3 97  ..P5V.L.f.......
0010: B2 3D D1 55                                        .=.U
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: CB 9C 37 AA 48 13 12 0A   FA DD 44 9C 4F 52 B0 F4  ..7.H.....D.OR..
0010: DF AE 04 F5 79 79 08 A3   24 18 FC 4B 2B 84 C0 2D  ....yy..$..K+..-
0020: B9 D5 C7 FE F4 C1 1F 58   CB B8 6D 9C 7A 74 E7 98  .......X..m.zt..
0030: 29 AB 11 B5 E3 70 A0 A1   CD 4C 88 99 93 8C 91 70  )....p...L.....p
0040: E2 AB 0F 1C BE 93 A9 FF   63 D5 E4 07 60 D3 A3 BF  ........c...`...
0050: 9D 5B 09 F1 D5 8E E3 53   F4 8E 63 FA 3F A7 DB B4  .[.....S..c.?...
0060: 66 DF 62 66 D6 D1 6E 41   8D F2 2D B5 EA 77 4A 9F  f.bf..nA..-..wJ.
0070: 9D 58 E2 2B 59 C0 40 23   ED 2D 28 82 45 3E 79 54  .X.+Y.@#.-(.E>yT
0080: 92 26 98 E0 80 48 A8 37   EF F0 D6 79 60 16 DE AC  .&...H.7...y`...
0090: E8 0E CD 6E AC 44 17 38   2F 49 DA E1 45 3E 2A B9  ...n.D.8/I..E>*.
00A0: 36 53 CF 3A 50 06 F7 2E   E8 C4 57 49 6C 61 21 18  6S.:P.....WIla!.
00B0: D5 04 AD 78 3C 2C 3A 80   6B A7 EB AF 15 14 E9 D8  ...x<,:.k.......
00C0: 89 C1 B9 38 6C E2 91 6C   8A FF 64 B9 77 25 57 30  ...8l..l..d.w%W0
00D0: C0 1B 24 A3 E1 DC E9 DF   47 7C B5 B4 24 08 05 30  ..$.....G...$..0
00E0: EC 2D BD 0B BF 45 BF 50   B9 A9 F3 EB 98 01 12 AD  .-...E.P........
00F0: C8 88 C6 98 34 5F 8D 0A   3C C6 E9 D5 95 95 6D DE  ....4_..<.....m.
]
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=wstest.adm.gov.it, O=Sogei - Societa' Generale d'Informatica S.p.A., L=Rome, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key:  Sun RSA public key, 2048 bits
modulus: 25419731442206390593645385783404702655267624607655886886586579033277263788093373992316533519614413768987220348067912658765779900645263321853746972064637161938435805567613643957429752362355933531417681870133823645315121191427143131377937830838050657155922764655579621555942502387731877471464619602709418992558060826542318275546503785686897936728729751825524180287855913433073881874132502422571860488498582431532471712013797553571057054314243072094292449266868965533309794853529204639866789866609617498173211239260574372830187459660967406616094045636157545783011722924489392938382648416564815561090724635178650796195467
public exponent: 65537
Validity: [From: Mon May 21 02:00:00 CEST 2018,
To: Thu May 28 14:00:00 CEST 2020]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [    08e09466 2094b01d 65a1b95f 3eb92c66]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 A4 B9 09  ...o...k.i.v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 63 82 03 F4 00 00 00 04   03 00 47 30 45 02 21 00  c.........G0E.!.
0040: 9A A2 E4 E3 3B 1A F2 02   63 E6 9D A6 62 E7 C0 DC  ....;...c...b...
0050: 8D 95 70 54 01 D5 07 1B   40 B9 11 FD 4A 2D 1C C4  ..pT....@...J-..
0060: 02 20 2C BC 8B 1A 55 0E   25 8C FC B8 29 55 F5 EE  . ,...U.%...)U..
0070: 9C 2A B7 97 34 5C 95 FC   A4 F5 9E 6C 38 90 F0 B7  .*..4.....l8...
0080: DD F4 00 77 00 6F 53 76   AC 31 F0 31 19 D8 99 00  ...w.oSv.1.1....
0090: A4 51 15 FF 77 15 1C 11   D9 02 C1 00 29 06 8D B2  .Q..w.......)...
00A0: 08 9A 37 D9 13 00 00 01   63 82 03 F4 69 00 00 04  ..7.....c...i...
00B0: 03 00 48 30 46 02 21 00   B6 41 FD F7 CE 31 4D 75  ..H0F.!..A...1Mu
00C0: A4 BB D6 2E E7 66 0D 03   2B 6C 97 35 ED 86 DC 25  .....f..+l.5...%
00D0: EF 6C 00 B4 BC 1C B3 FE   02 21 00 D2 C5 BA 46 42  .l.......!....FB
00E0: 38 F2 68 8F 68 A8 14 1F   A3 0C 52 CB 0A BE DD E0  8.h.h.....R.....
00F0: E9 F2 FA E7 E2 9F 22 8E   3B 2B 06 00 76 00 BB D9  ......".;+..v...
0100: DF BC 1F 8A 71 B5 93 94   23 97 AA 92 7B 47 38 57  ....q...#....G8W
0110: 95 0A AB 52 E8 1A 90 96   64 36 8E 1E D1 85 00 00  ...R....d6......
0120: 01 63 82 03 F3 5E 00 00   04 03 00 47 30 45 02 21  .c...^.....G0E.!
0130: 00 9A 67 22 9D CC B4 B6   F0 34 B8 FE 57 6D FA 2C  ..g".....4..Wm.,
0140: 47 37 F0 93 D6 18 63 68   C6 C2 F0 99 83 F6 EE D1  G7....ch........
0150: CC 02 20 68 47 59 19 AE   02 D3 E6 30 27 EF 48 76  .. hGY.....0'.Hv
0160: 27 9A F8 5B 60 CD B4 4A   03 08 38 DC 72 AB ED 65  '..[`..J..8.r..e
0170: 94 A7 5E                                           ..^

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
, 
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
]]  ]
[CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: wstest.adm.gov.it
DNSName: wstest.agenziadoganemonopoli.gov.it
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 86 1A C9 BF 3A 50 51   77 C2 23 D7 A0 B9 9F 93  .....:PQw.#.....
0010: 15 A5 2E 98                                        ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: AE 8B FD 52 1E 1C 80 F8   84 5C 81 D9 FE D2 CB 7E  ...R...........
0010: F4 7F 53 56 AD 0E D8 DF   DC A0 3F 64 BE 66 DF C1  ..SV......?d.f..
0020: 4C 7D 03 A1 E3 A6 D5 E7   2C 5C 69 02 83 6E D6 4F  L.......,i..n.O
0030: 81 6B 05 6F 98 04 20 94   B1 A3 EF 5A BB 2D A9 78  .k.o.. ....Z.-.x
0040: 8F 8F E0 78 AD 22 B8 5F   F4 30 4B BD 63 94 E3 FA  ...x."._.0K.c...
0050: C0 3A 7C 76 B7 8D 11 FC   7E 55 F4 A9 CF 7A DA 67  .:.v.....U...z.g
0060: 2B B7 2D A9 F0 93 57 B8   DD E2 91 03 9D 90 03 B6  +.-...W.........
0070: 75 94 3F DA 75 16 3D 2A   54 92 02 1D 10 7F C6 A9  u.?.u.=*T.......
0080: EB C8 67 B4 E9 05 84 1F   FF B8 C6 AB 8B A8 F2 E4  ..g.............
0090: EA F2 D2 E8 03 80 FF 1D   4E 2A EA 10 54 34 38 C4  ........N*..T48.
00A0: 79 89 06 10 73 04 6C CF   1B 8A DF E8 BE BF 67 96  y...s.l.......g.
00B0: B6 92 77 A9 AD 73 2B D8   A8 FC BD 50 39 83 4D 75  ..w..s+....P9.Mu
00C0: 59 78 00 48 AC EF AA 1C   92 A6 34 34 C5 9E 5D 1C  Yx.H......44..].
00D0: B1 25 A5 0E BF 90 D0 8F   87 7F 10 5D C0 F4 5D 03  .%.........]..].
00E0: 18 42 C8 62 32 94 D0 2F   34 43 93 28 F3 60 91 CF  .B.b2../4C.(.`..
00F0: 5D 27 D1 E5 00 3B 09 B4   EB 9F 63 AE E2 AA 9B F0  ]'...;....c.....
]
main, READ: TLSv1.2 Handshake, length = 401
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 521 bits
public x coord: 6045100197973385201207771559448860684258102659082760208907503122802851644235164834387633913906709736246059687127225117512119492050557728511283217428042196683
public y coord: 2360883751657537086387545659332980524396108773124766916635460732420511834927919909730280023858128820419409002491789355667533178954193764726472471819590561957
parameters: secp521r1 [NIST P-521] (1.3.132.0.35)
main, READ: TLSv1.2 Handshake, length = 392
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 1, 127, 118, 238, 87, 20, 170, 152, 173, 222, 199, 191, 190, 60, 225, 192, 50, 182, 3, 172, 253, 250, 146, 185, 9, 185, 210, 101, 70, 124, 133, 100, 77, 38, 192, 17, 178, 136, 108, 118, 233, 121, 52, 237, 63, 87, 98, 224, 194, 163, 186, 33, 98, 72, 227, 168, 9, 124, 44, 179, 136, 216, 32, 182, 21, 230, 1, 206, 141, 86, 19, 84, 36, 3, 141, 180, 185, 45, 5, 110, 24, 249, 220, 164, 87, 222, 48, 115, 134, 145, 66, 151, 62, 93, 18, 97, 109, 20, 239, 168, 45, 208, 19, 253, 122, 6, 128, 58, 49, 80, 16, 205, 203, 68, 200, 221, 203, 91, 73, 99, 76, 195, 83, 157, 197, 209, 91, 98, 173, 80, 123, 120 }
main, WRITE: TLSv1.2 Handshake, length = 145
SESSION KEYGEN:
PreMaster Secret:
0000: 00 76 B0 FC E9 4A 80 89   B2 88 A4 21 CE A3 FF 3C  .v...J.....!...<
0010: D0 1F 48 3B B2 D8 84 24   14 EB 77 9E 3C 20 64 CE  ..H;...$..w.< d.
0020: EF 2F 7A 90 50 6F 2D 75   4C 9B 9F 48 0B 04 01 A6  ./z.Po-uL..H....
0030: 2D C3 8B 2D 10 B6 FD AC   AE 66 85 F8 1E 5E 8A 62  -..-.....f...^.b
0040: 46 CE                                              F.
CONNECTION KEYGEN:
Client Nonce:
0000: 5B BE 06 DD E6 95 AA A0   60 03 14 C2 23 5F 33 90  [.......`...#_3.
0010: F0 F2 01 B9 74 D2 E1 D6   D0 AA FD 1E FD CD 4D C6  ....t.........M.
Server Nonce:
0000: 32 46 8F AF 02 9A D7 68   20 C5 3B 88 30 F2 15 56  2F.....h .;.0..V
0010: 90 FA 79 73 82 61 5A EE   2C 49 85 67 7A 24 D2 F6  ..ys.aZ.,I.gz$..
Master Secret:
0000: 4D 96 F1 24 13 EA 84 96   D3 D6 6D DD 64 92 05 F9  M..$......m.d...
0010: D2 BA BF 04 80 79 71 66   9C A6 EA 9B AC 3A 4D 37  .....yqf.....:M7
0020: 90 BE A6 C4 37 B8 70 63   1D B2 74 5A DA 8C 98 34  ....7.pc..tZ...4
... no MAC keys used for this cipher
Client write key:
0000: C3 1C 66 54 84 5A F7 B6   D9 9B 04 80 11 E4 9F E4  ..fT.Z..........
0010: 83 67 52 95 B5 E9 36 CE   0C A2 BF AA AE A2 E1 7C  .gR...6.........
Server write key:
0000: B9 44 4A 92 B6 95 DE CA   89 D0 8E A0 88 50 11 6B  .DJ..........P.k
0010: EC 34 65 52 FD BB 45 C3   57 26 BF A0 A4 B2 90 2F  .4eR..E.W&...../
Client write IV:
0000: F8 A3 11 9A                                        ....
Server write IV:
0000: 47 B6 75 08                                        G.u.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 21, 80, 48, 53, 249, 154, 28, 96, 252, 49, 18, 72 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1.2 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)

似乎证书已正确加载，因此我无法确定问题出在哪里。任何人都可以帮助理解吗？

如果我将证书与 chrome 或 firefox 一起使用，我可以访问网络服务，因此证书是正确的。

以下是日志的重要部分：

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=CA Agenzia delle Dogane Test, OU=Servizio Telematico, O=Agenzia delle Dogane, C=it>
<CN=CA Agenzia delle Dogane, OU=Servizio Telematico, O=Agenzia delle Dogane, C=IT>
<CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

这意味着密钥管理器在您的密钥库中找不到由服务器指定的任何证书颁发机构 (CA( 颁发的证书和密钥条目。您省略了(用点(日志中密钥管理器初始化应该记录在密钥库中找到的证书链的部分 - 它这样做了吗？如果没有，请用例如keytool -list -v -keystore certifcado.p12 -storetype pkcs12 [-alias your_alias_name].该链中的某个证书实际上是否由服务器指定的某个 CA 颁发？(请注意，名称必须完全匹配：每个 RDN 的类型和值相同，按顺序排列。甚至有可能(尽管现在很少见(证书中的颁发者名称和 CA 请求的名称看起来相同，但由于不同的 ASN.1 编码而实际上有所不同。如果它们看起来相同，我将详细介绍这个更晦涩的观点。

编辑：好的，完整的日志确认密钥管理器正在加载带有Issuer: CN=CA Agenzia delle Dogane e dei Monopoli Test, O=Agenzia delle Dogane e dei Monopoli, C=IT的密钥和证书，该证书肯定与服务器请求的第三个CA匹配。Chrome和Firefox的工作(对不起，我之前错过了(很好地证实了它确实匹配。那么为什么Java(JSSE+keymanager(不匹配呢？我不知道，这可能不容易调试。我不认为在 maven 下运行或使用 cxf 应该有任何影响，但它们可能会。我建议从最简单的情况开始：编译并运行这样的程序(使用 javax.net.ssl.keyStore* 和 javax.net.debug sysprops(，看看它在这个连接上得到什么结果：

public class sometest {
public static void main (String[] args) throws Exception {
Socket s = SSLSocketFactory.getDefault().createSocket("wstest.agenziadoganemonopoli.gov.it",443);
// per comment, type fixed (for anyone else who might have a similar issue)
((SSLSocket)s).startHandshake(); // actually completes not just starts
}
}

如果这显示了失败，我们有一个更简单的案例来调查。如果可行，请尝试：

public class sometest {
public static void main (String[] args) throws Exception {
URLConnection c = new URL("https://wstest.agenziadoganemonopoli.gov.it/").openConnection();
((HttpsURLConnection)c).connect();
}
}
// for TLS-level test it doesn't matter what 'resource' (path and/or query) we request

该错误似乎与客户端和服务器之间的信任有关：

Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>

如果未找到合适的证书，并且证书链为空，则程序可能不信任要连接到的对等方的根 CA 证书。

检查信任存储以查看是否至少导入了对等方的根 CA 证书。

相关内容

最新更新

热门标签：