Nginx配置TLS双向认证,java客户端,两者之间通过不了,哪位大神求助

nginx

 upstream stream_backend {
      zone tcp_servers 64k;
      hash $remote_addr;
      server 192.168.0.199:1883 weight=1 max_fails=2 fail_timeout=30s;
      server 192.168.0.16:1883 weight=1 max_fails=2 fail_timeout=30s;
  }

  server {
      listen 8882 ssl;
      #status_zone tcp_server;
      proxy_pass stream_backend;
      proxy_buffer_size 4k;
      ssl_certificate      testcert/xxxxx_server.crt;
      ssl_certificate_key  testcert/xxxxx_server.key;
      ssl_client_certificate testcert/xxxxx_client.crt;
      ssl_verify_client on;
      ssl_session_timeout 5m;
      ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
      ssl_prefer_server_ciphers on;
  }

java端

public static SSLSocketFactory getSocketFactory(String serverCrtFile, String clientCrtFile, String clientKeyFile, String password) throws Exception{
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        X509Certificate caCert = null;
        FileInputStream fis = new FileInputStream(serverCrtFile);
        BufferedInputStream bis = new BufferedInputStream(fis);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        while (bis.available() > 0) {
            caCert = (X509Certificate) cf.generateCertificate(bis);
//             System.out.println(caCert.toString());
        }

        // load client certificate
        bis = new BufferedInputStream(new FileInputStream(clientCrtFile));
        X509Certificate cert = null;
        while (bis.available() > 0) {
            cert = (X509Certificate) cf.generateCertificate(bis);
//             System.out.println(caCert.toString());
        }

        // load client private key
        PEMParser pemParser = new PEMParser(new FileReader(clientKeyFile));
        Object object = pemParser.readObject();
        PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder()
                .build(password.toCharArray());

        JcaPEMKeyConverter converter = new JcaPEMKeyConverter()
                .setProvider("BC");
        KeyPair key;
        if (object instanceof PEMEncryptedKeyPair) {
            System.out.println("Encrypted key - we will use provided password");
            key = converter.getKeyPair(((PEMEncryptedKeyPair) object)
                    .decryptKeyPair(decProv));
        } else {
            System.out.println("Unencrypted key - no password needed");
            key = converter.getKeyPair((PEMKeyPair) object);
        }
        pemParser.close();

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);

        // client key and certificates are sent to server so it can authenticate
        // us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
                .getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1.3");
//        SSLContext context = SSLContext.getInstance("SSL");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();
    }

java端报错:

MqttException (0) - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.validator.ValidatorException: TrustAnchor with subject “[CN=xxx.xxxx.com](http://cn%3Dxxx.xxxx.com/)” is not a CA certificate
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.base/java.lang.Thread.run(Thread.java:834)

'MqttException (0) - javax.net.ssl.SSLException: Connection reset

大概是你 Nginx 的证书配置问题。
Nginx 配置项 ssl_client_certificate 这里的值应该客户端证书的 CA 证书,也就是给客户端证书签名的 CA 证书。