如何使用akka-http对自认证服务器进行POST调用 [英] How to make a POST call to self-certified server with akka-http


问题描述

我有一个akka-streams拓扑结构,在这里我使用akka-http进行POST调用。

I have an akka-streams topology, where I make a POST call using akka-http.

向一台不安全的服务器(使用自签名证书)发送POST请求时,我收到以下错误。它是一台内部服务器,因此从安全性的角度来看我可以接受。

I am getting the following error when sending the POST request to an insecure server (one with self-signed certs). It is an internal server, so I am fine from a security point of view.

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:1.8.0_131]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_131]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_131]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_131]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doUnwrap(TLSActor.scala:367) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doInbound(TLSActor.scala:290) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor$$anonfun$1.apply$mcV$sp(TLSActor.scala:225) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.Pump$class.pump(Transfer.scala:199) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor.pump(TLSActor.scala:48) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.BatchingInputBuffer.enqueueInputElement(ActorProcessor.scala:90) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.BatchingInputBuffer$$anonfun$upstreamRunning$1.applyOrElse(ActorProcessor.scala:141) ~[akka-stream_2.11-2.4.17.jar:?]
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36) ~[scala-library-2.11.8.jar:?]
    at akka.stream.impl.SubReceive.apply(Transfer.scala:16) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.FanIn$InputBunch$$anonfun$subreceive$1.applyOrElse(FanIn.scala:234) ~[akka-stream_2.11-2.4.17.jar:?]
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36) ~[scala-library-2.11.8.jar:?]
    at akka.stream.impl.SubReceive.apply(Transfer.scala:16) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.SubReceive.apply(Transfer.scala:12) ~[akka-stream_2.11-2.4.17.jar:?]
    at scala.PartialFunction$class.applyOrElse(PartialFunction.scala:123) ~[scala-library-2.11.8.jar:?]
    at akka.stream.impl.SubReceive.applyOrElse(Transfer.scala:12) ~[akka-stream_2.11-2.4.17.jar:?]
    at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:170) ~[scala-library-2.11.8.jar:?]
    at akka.actor.Actor$class.aroundReceive(Actor.scala:497) ~[akka-actor_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor.aroundReceive(TLSActor.scala:48) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526) ~[akka-actor_2.11-2.4.17.jar:?]
    at akka.actor.ActorCell.invoke(ActorCell.scala:495) ~[akka-actor_2.11-2.4.17.jar:?]
    at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257) ~[akka-actor_2.11-2.4.17.jar:?]
    at akka.dispatch.Mailbox.run(Mailbox.scala:224) ~[akka-actor_2.11-2.4.17.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_131]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
    at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:402) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doUnwrap(TLSActor.scala:371) ~[akka-stream_2.11-2.4.17.jar:?]
    ... 24 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144) ~[?:1.8.0_131]
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
    at akka.stream.impl.io.TLSActor.runDelegatedTasks(TLSActor.scala:402) ~[akka-stream_2.11-2.4.17.jar:?]
    at akka.stream.impl.io.TLSActor.akka$stream$impl$io$TLSActor$$doUnwrap(TLSActor.scala:371) ~[akka-stream_2.11-2.4.17.jar:?]

此处有一些讨论,此处(https://stackoverflow.com/a/5871301/1610034)和此处有另一种解决方法,但对我不起作用,此处还有一个未完成的讨论。在此处提出了一种解决方案,但不确定如何为akka-http实现相同的解决方案。
一些更相关的链接:

Some discussion happened here, and another solution is given here and here, but they didn't work for me, and there is one unfinished discussion here. One solution is proposed here, but I am not sure how to implement the same for akka-http. A few more relevant links:

akka-issue

配置信任库

SO Question1

SO问题2

Java中的解决方案

我之前使用的是执行它:

Earlier I was using just the following to execute it:

// No HTTPS connection context is passed here, so the pool uses akka-http's
// default client HTTPS context. The stack trace above shows that context
// validating the server certificate and its identity
// (X509TrustManagerImpl.checkServerTrusted -> checkIdentity).
Http().superPool[MyTracker]()

我也参考此处和此处尝试了以下方法,但问题仍然存在:

I also tried the following, taking inspiration from here and here, but the problem persists:

    // Loosened ssl-config settings: acceptAnyCertificate(true) asks the client to
    // accept whatever certificate the peer presents, i.e. no chain validation.
    val badSslConfig = AkkaSSLConfig().mapSettings(s => s.withLoose(s.loose.withAcceptAnyCertificate(true)))
    // Wraps the loosened settings in a client HTTPS context.
    val badCtx = Http().createClientHttpsContext(badSslConfig)
    // NOTE(review): badCtx is never handed to superPool -- the first parameter
    // list is empty -- so as written the pool still uses the default HTTPS context
    // and the settings above do not reach these requests. That is consistent with
    // the error being unchanged.
    Http().superPool[MyTracker]()(httpMat)



编辑#1



我又添加了一个标志,但是错误与之前不同:

Edit #1

I added one more flag, but got a different error than earlier:

    // Same loosened settings as before, plus disableHostnameVerification(true),
    // which asks the client to skip the check that the certificate matches the
    // host being contacted.
    val badSslConfig = AkkaSSLConfig().mapSettings(s => s.withLoose(s.loose.withAcceptAnyCertificate(true).withDisableHostnameVerification(true)))
    // Wraps the loosened settings in a client HTTPS context.
    val badCtx = Http().createClientHttpsContext(badSslConfig)
    // NOTE(review): as shown, badCtx is still not passed to superPool, so this
    // call would keep the default HTTPS context. The error reported next is a
    // chain-validation failure (PKIXValidator / SunCertPathBuilder): the
    // self-signed certificate is not in the trust store that was actually used.
    Http().superPool[MyTracker]()(httpMat)

错误:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_131]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_131]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_131]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:1.8.0_131]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_131]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_131]



编辑#2

从这个答案获得灵感,但不确定如何用akka-http准确地实现这一点,我尝试了以下操作:

Edit #2

Taking inspiration from this answer, and not sure how to implement that with akka-http exactly, I tried the following:

// Trust store built from the server's own certificate file (PEM), so the client
// trusts this one certificate rather than accepting every certificate.
val trustStoreConfig = TrustStoreConfig(None, Some("/Users/user/path/my.cer")).withStoreType("PEM")
val trustManagerConfig = TrustManagerConfig().withTrustStoreConfigs(List(trustStoreConfig))

val sslConfig = AkkaSSLConfig().mapSettings { s =>
  // NOTE(review): the with* methods return a modified copy of the settings; they
  // do not change s in place. Both results below are discarded and the lambda
  // returns the untouched s, so neither the hostname verifier nor the trust
  // store is applied. Chaining the calls and returning the chained result would
  // apply them:
  //   s.withHostnameVerifierClass(...).withTrustManagerConfig(trustManagerConfig)
  s.withHostnameVerifierClass(classOf[DisabledComplainingHostnameVerifier])
  s.withTrustManagerConfig(trustManagerConfig)
  s
}
// Unlike the earlier attempts, the context is passed to the pool here, but it
// carries unmodified settings (see the note above).
val badCtx = Http().createClientHttpsContext(sslConfig)
Http().superPool[RequestTracker](badCtx)(httpMat)

但仍然出现此错误:


Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144) ~[?:1.8.0_131]
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[?:1.8.0_131]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]

在Akka中这不可能吗?

Is this not possible in Akka?

推荐答案

最后,从这个答案中获得灵感,这似乎很复杂,使用下面的代码片段即可:

Finally, taking inspiration from this answer, which seems way too complicated, it worked with the following code snippet:

// Trust store built from the server's own certificate file (PEM): this is the
// part that makes the client trust the self-signed certificate specifically.
val trustStoreConfig = TrustStoreConfig(None, Some("/etc/Project/keystore/my.cer")).withStoreType("PEM")
val trustManagerConfig = TrustManagerConfig().withTrustStoreConfigs(List(trustStoreConfig))

// NOTE(review): withAcceptAnyCertificate(true) asks the client to accept any
// certificate, which would make the trust store above redundant and leave the
// connection open to interception by a peer presenting its own certificate.
// With the certificate already trusted through trustManagerConfig this flag is
// presumably unnecessary -- confirm by removing it.
// withDisableHostnameVerification(true) turns off the identity check that raised
// "No subject alternative names present". The matchIP frame in the trace
// suggests the server is addressed by IP, so reissuing the certificate with a
// matching subjectAltName entry should let that check stay enabled -- verify.
val badSslConfig = AkkaSSLConfig().mapSettings(s => s.withLoose(s.loose
  .withAcceptAnyCertificate(true)
  .withDisableHostnameVerification(true)
).withTrustManagerConfig(trustManagerConfig))

// Client HTTPS context carrying the settings above.
val badCtx = Http().createClientHttpsContext(badSslConfig)

// The context is passed explicitly, so only this pool uses the loosened
// settings; pools created without it keep the default HTTPS context.
Http().superPool[RequestTracker](badCtx)(httpMat)

不知道为什么它不能与我的其他尝试一起使用,想深入了解这一点,如果您知道内部原理,请发表解释。

I am not sure why it did not work with my other attempts and would like to understand this deeply. Please post an explanation if you know the internals.
