java – 具有https tsa的JDK 1.7 jarsigner不再有效

前端之家收集整理的这篇文章主要介绍了java – 具有https tsa的JDK 1.7 jarsigner不再有效前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
看起来JDK 1.7.0_80中的Thawte根证书被撤销了.
https://www.thawte.com/roots/retired.html

使用7u80 jarsigner不再有效,而且几天前工作正常.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

删除旧证书后,我尝试将Thawtes Timestamping CA证书导入cacerts.

wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem

/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts 
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore

使用JDK 8u60的jarsigner工作,所以我试图将它的cacerts复制到JDK7,但这也不起作用.

由于Javadoc错误,我们无法使用Java 8进行编译.我看到的唯一解决方案是在JDK7中创建符号链接到JDK8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

如果我将tsa从geotrust切换到digicert,它可以正常使用JDK 7,因为它们不使用https.
http://timestamp.digicert.com/

解决方法

我在过去12小时内也只遇到过这个问题.此问题与证书无关,而是与用于与时间戳服务器通信的协议有关.这将适用于JDK7,但是您需要将以下内容添加到jarsigner命令中
-J-Dhttps.protocols=TLSv1.2

因此,您的命令将如下所示:

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp

似乎GeoTrust已禁用TLS 1.0版,这是Java 7中的默认值.以下链接提供了有关此内容的更多信息:

GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol

Diagnosing TLS,SSL,and HTTPS

希望这可以帮助.

猜你在找的Java相关文章