server certificate change is restricted during renegotiation for TLS_1.2 with Java 8


Question

I am pretty new to SSL and have been hit by what seems like a known issue. My application is the SSL client and invokes another component which is enabled for two-way SSL. The certificates in both components are proper and the connection works fine sometimes. Each server has its own server certificate and private key, but the same root and intermediate certificates.

The SSL check on the server side is done in the Apache SW LB.

                                                                            |-------------|
                                                                          / |   Tomcat1   |
                                                         |-------------| /  |-------------| 
                                             |---------->|Apache SW LB |/ 
                                             |           |-------------|\       
                                             |                           \
                                             |                            \  |-------------|
|-----------|            |------------|      |                               |  Tomcat 2   |
|SSL Client |---HTTPS--->|Hardware LB |------|                               |-------------|    
|-----------|            |------------|      |                              |-------------| 
                                             |                            / |   Tomcat3   |
                                             |           |-------------| /  |-------------|
                                             |---------->|Apache SW LB |/   
                                                         |-------------|\
                                                                         \
                                                                          \|-------------|  
                                                                           |    Tomcat4  |
                                                                           |-------------|

Sometimes I am getting an error as below:

***
%% Invalidated:  [Session-10, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
http-nio-8443-exec-10, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio-8443-exec-10, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2A                               ......*
http-nio-8443-exec-10, called closeSocket()
http-nio-8443-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation

I am using Spring REST template to invoke the REST call and using only TLS_V1.2, but still getting the above error.

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.TrustStrategy;

CloseableHttpClient buildClient(KeyStore keyStore, String keypass, KeyStore trustStore)
        throws Exception {
    // Trusts every server certificate; left as in the original post (marked TODO there).
    TrustStrategy ts = new TrustStrategy() {
        @Override
        public boolean isTrusted(X509Certificate[] x509Certificates, String s)
                throws CertificateException {
            return true; // TODO : revisit
        }
    };
    SSLContext sslcontext = org.apache.http.ssl.SSLContexts.custom()
        .loadKeyMaterial(keyStore, keypass.toCharArray()) // client key/cert for two-way SSL
        .loadTrustMaterial(trustStore, ts)
        .build();

    // Restricts the client to TLSv1.2; hostname verification is disabled, as in the original post.
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
        sslcontext, new String[] { "TLSv1.2" }, null,
        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    return HttpClients.custom().setSSLSocketFactory(sslsf).build();
}

On googling I find that this issue should not be happening for TLSv1.2 and Java 8 (java version "1.8.0_60"). I am using Spring 4 RestTemplate for invoking REST calls.

And I am using the below version of httpclient:

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.4.1</version>
</dependency>

Since I am new to SSL, I have a few questions to start with:

1). Is this an SSL client or SSL server issue?

2). Any real reason why the connection is working sometimes and breaking sometimes? The technical reason for the failure.

3). Is this to do with any caching at the client side?

Also it would be great if someone could point to the real solution for this issue.

Recommended answer

The Java SSL stack rejects the renegotiation, probably after the hardware load balancer has switched your connection from one node to the other.

For such a deployment to work, both "Apache SW LB" instances have to use the very same virtual host URL and SSL configuration. And there is no obvious reason not to do so, as it does not conflict with any system configuration.

So your issue is a mix between a client behaviour that rejects your cluster deployment, for which each node uses a different private key / server certificate, even if the virtual host URL is the same.
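A way to verify the condition the answer describes before deploying, as an added example that is not part of the original question or answer: the script below checks whether two server certificate files are the identical certificate (which is what every node behind the hardware LB must present), and on a mismatch reports subject and public-key hash so the question's case (same virtual host name, node-specific key pair) is visible as "same subject, different key". The host name lb.example.com and the generated node certificates are constructed sample data; only a standard openssl binary is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Requires only the openssl CLI.
set -eu

# SHA-256 fingerprint of the DER encoding: equal output means the identical certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject DN plus SHA-256 of the SubjectPublicKeyInfo, used to explain a mismatch.
cert_identity() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    spki=$(openssl x509 -in "$1" -noout -pubkey \
           | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    printf '%s key=%s\n' "$subj" "$spki"
}

# Exit status 0 when both files hold the same certificate, 1 otherwise.
same_certificate() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Constructed sample data: two self-signed certificates for the same virtual host
# name but with different private keys, i.e. one certificate per node as in the question.
WORK=$(mktemp -d)
for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lb.example.com" \
        -keyout "$WORK/node$n.key" -out "$WORK/node$n.crt" >/dev/null 2>&1
done
cp "$WORK/node1.crt" "$WORK/node1-copy.crt"   # what a correctly replicated node would serve

for pair in "node1.crt node1-copy.crt" "node1.crt node2.crt"; do
    set -- $pair
    if same_certificate "$WORK/$1" "$WORK/$2"; then
        echo "$1 vs $2: same certificate"
    else
        echo "$1 vs $2: DIFFERENT certificate"
        echo "  $(cert_identity "$WORK/$1")"
        echo "  $(cert_identity "$WORK/$2")"
    fi
done
```

To compare running nodes instead of files, save what each node serves with `openssl s_client -connect <node>:443 -servername <vhost> </dev/null | openssl x509` and run the same functions on those files.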
