GLEzzly与TLS - 握手问题 [英] Grizzly with TLS - Handshaking issue
问题描述
我目前正在尝试使用SSL保护我的Grizzly HTTP-Server(根据教程和示例应该很容易) - 仅限服务器端。
首先我从Orcale下载了UnlimitedJCEPolicy,以便能够支持强大的TLS算法。
然后我用keytool和以下命令创建了一个新的密钥库文件:
keytool -keyalg rsa - keysize 2048 -genkey -keystore .\keystore_server.jks -alias server -dname...
最后,我使用以下Java代码设置我的服务器:
//创建Http Server
HttpServer server = new的HttpServer();
//配置和注册监听器
NetworkListener adminListener = new NetworkListener(admin,localhost,19241);
SSLContextConfigurator configurator = new SSLContextConfigurator();
URL url = configurator.getClass()。getResource(/ keystore_server.jks);
if(url == null)抛出新错误(无法获取密钥库!);
configurator.setKeyStoreFile(url.getFile());
configurator.setKeyStorePass(store);
configurator.setKeyPass(key);
configurator.setSecurityProtocol(TLS);
SSLContext context = configurator.createSSLContext();
SSLEngineConfigurator engineConfigurator = new SSLEngineConfigurator(context);
engineConfigurator.setWantClientAuth(false);
engineConfigurator.setClientMode(true);
engineConfigurator.setNeedClientAuth(false);
adminListener.setSSLEngineConfig(engineConfigurator);
adminListener.setSecure(true);
server.addListener(adminListener);
Endpoint endpoint = new Endpoint();
EndpointApplication application = new EndpointApplication(endpoint);
HttpHandler httpHandler = RuntimeDelegate.getInstance()。createEndpoint(application,HttpHandler.class);
server.getServerConfiguration()。addHttpHandler(httpHandler,/ test);
server.start();
感谢Warren,我解决了第一个没有明确指定HTTPS作为协议使用的问题。但是,现在还有另一个问题。这是日志:
*** ClientHello,TLSv1
RandomCookie:GMT:1396054606 bytes = {72,223 ,146,247,36,165,251,160,151,23,75,48,62,242,48,178,113,150,150,62,180,118,59,232,207,168,163 ,93}
会话ID:{}
密码套件:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,SLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC _SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
压缩方法:{0}
分机elliptic_curves,曲线名称:{secp256r1,sect163k1,sect163r2,secp192r1,secp224r1,sect233k1,sect233r1 ,sect283k1,sect283r1,secp384r1,sect409k1,sect409r1,secp521r1,sect571k1,sect571r1,secp160k1,secp160r1,secp160r2,sect163r1,secp192k1,sect193r1,sect193r2,secp224k1,sect239k1,secp256k1}
扩展ec_point_formats,格式:[uncompressed]
***
[写] MD5和SHA1哈希:len = 163
'...'
Grizzly(2)SelectorRunner,WRITE:TLSv1握手,长度= 163
[原始写入]:长度= 168
'...'
[原始读取]:长度= 5
'...'$
[原始读取]:长度= 171
'...'
Grizzly(2)SelectorRunner,阅读:TLSv1握手,长度= 171
Gr izzly(2)SelectorRunner,致命错误:80:问题展开网络记录
javax.net.ssl.SSLProtocolException:握手消息序列违规,1
Grizzly(2)SelectorRunner,发送TLSv1警告:致命,描述= internal_error
Grizzly(2)SelectorRunner,WRITE:TLSv1提醒,长度= 2
是任何熟悉这类错误的人?
使用时,我遇到了同样的问题-Djavax.net.debug = all
命令行参数我找到了这个日志行:
Grizzly( 2)SelectorRunner,致命错误:80:问题展开净记录
根据alexey的评论,我改变了代码:
engineConfigurator.setClientMode(false);
engineConfigurator.setNeedClientAuth(false);
此更改后,致命错误消失,我可以通过https访问application.wadl浏览器。
我已经失去了相当多的时间来寻找解决方案,如果Grizzly以更易读,易懂的方式报告这个问题,那就太好了。 / p>
I'm currently trying to secure my Grizzly HTTP-Server with SSL (which should be quite easy according to tutorials and examples) - server side only. So first I've downloaded the UnlimitedJCEPolicy from Orcale in order to be able to support strong TLS algorithms. Then I've created a new keystore file with the keytool and the following command:
keytool -keyalg rsa -keysize 2048 -genkey -keystore .\keystore_server.jks -alias server -dname "..."
Finally I set up my Server with the following Java code:
//Create Http Server
HttpServer server = new HttpServer();
//Configure and register listener
NetworkListener adminListener = new NetworkListener("admin", "localhost", 19241);
SSLContextConfigurator configurator = new SSLContextConfigurator();
URL url = configurator.getClass().getResource("/keystore_server.jks");
if(url == null) throw new Error("Could not get Keystore!");
configurator.setKeyStoreFile(url.getFile());
configurator.setKeyStorePass("store");
configurator.setKeyPass("key");
configurator.setSecurityProtocol("TLS");
SSLContext context = configurator.createSSLContext();
SSLEngineConfigurator engineConfigurator = new SSLEngineConfigurator(context);
engineConfigurator.setWantClientAuth(false);
engineConfigurator.setClientMode(true);
engineConfigurator.setNeedClientAuth(false);
adminListener.setSSLEngineConfig(engineConfigurator);
adminListener.setSecure(true);
server.addListener(adminListener);
Endpoint endpoint = new Endpoint();
EndpointApplication application = new EndpointApplication(endpoint);
HttpHandler httpHandler = RuntimeDelegate.getInstance().createEndpoint(application, HttpHandler.class);
server.getServerConfiguration().addHttpHandler(httpHandler, "/test");
server.start();
Thanks to Warren, I resolved the first issue not explicitly specifying HTTPS as the protocol to use. However, there is now another problem. Here is the log:
*** ClientHello, TLSv1
RandomCookie: GMT: 1396054606 bytes = { 72, 223, 146, 247, 36, 165, 251, 160, 151, 23, 75, 48, 62, 242, 48, 178, 113, 150, 150, 62, 180, 118, 59, 232, 207, 168, 163, 93 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes: len = 163
'...'
Grizzly(2) SelectorRunner, WRITE: TLSv1 Handshake, length = 163
[Raw write]: length = 168
'...'
[Raw read]: length = 5
'...'
[Raw read]: length = 171
'...'
Grizzly(2) SelectorRunner, READ: TLSv1 Handshake, length = 171
Grizzly(2) SelectorRunner, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 1
Grizzly(2) SelectorRunner, SEND TLSv1 ALERT: fatal, description = internal_error
Grizzly(2) SelectorRunner, WRITE: TLSv1 Alert, length = 2
Is anybody familiar with this type of error?
I've had this exact same problem, when using -Djavax.net.debug=all
command line parameter I found this log line:
Grizzly(2) SelectorRunner, fatal error: 80: problem unwrapping net record
Based on the comments by alexey I changed the code to:
engineConfigurator.setClientMode(false);
engineConfigurator.setNeedClientAuth(false);
After this change, the fatal error dissapears and I am able to access the application.wadl over https with a browser.
I've lost quite a bit of time searching for a solution, it would be nice if Grizzly reported this problem in a more readable, understandable way.
这篇关于GLEzzly与TLS - 握手问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!