I've put security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider but it isn't being used during SSL handshake


Problem description

Here is the stack trace of one of the connections in my process:

"ServerConnection on port 10000 Thread 27" #521 prio=5 os_prio=0 tid=0x0000000002db4800 nid=0x2d79 runnable [0x00007f0ababb1000] 
java.lang.Thread.State: RUNNABLE
 at java.net.SocketInputStream.socketRead0(Native Method)
 at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
 at java.net.SocketInputStream.read(SocketInputStream.java:171)
 at java.net.SocketInputStream.read(SocketInputStream.java:141)
 at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
 at sun.security.ssl.InputRecord.read(InputRecord.java:503)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
 - locked <0x00000006d63c51f0> (a java.lang.Object)
 at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930)
 at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
 - locked <0x00000006d6405210> (a sun.security.ssl.AppInputStream)
 at org.apache.geode.internal.cache.tier.sockets.Message.fetchHeader(Message.java:691)
 at org.apache.geode.internal.cache.tier.sockets.Message.readHeaderAndPayload(Message.java:709)
 at org.apache.geode.internal.cache.tier.sockets.Message.read(Message.java:657)
 at org.apache.geode.internal.cache.tier.sockets.Message.recv(Message.java:1105)
 - locked <0x00000006d6405288> (a java.nio.HeapByteBuffer)
 at org.apache.geode.internal.cache.tier.sockets.Message.recv(Message.java:1118)
 at org.apache.geode.internal.cache.tier.sockets.BaseCommand.readRequest(BaseCommand.java:869)
 at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doNormalMsg(ServerConnection.java:723)
 at org.apache.geode.internal.cache.tier.sockets.ServerConnection.doOneMessage(ServerConnection.java:914)
 at org.apache.geode.internal.cache.tier.sockets.ServerConnection.run(ServerConnection.java:1171)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at org.apache.geode.internal.cache.tier.sockets.AcceptorImpl$1$1.run(AcceptorImpl.java:519)
 at java.lang.Thread.run(Thread.java:745)

Here I guess that instead of sun.security.ssl I should see something from the Bouncy Castle library being used.

Recommended answer

A few things:

1) Which Bouncy Castle provider are you adding? Bouncy Castle packages the JCE provider and the JSSE provider in separate jars, and you have to use separate provider classes. The JSSE provider class is org.bouncycastle.jsse.provider.BouncyCastleJsseProvider and the JCE provider is org.bouncycastle.jce.provider.BouncyCastleProvider.

2) Yes, the providers are looked up in order of priority, but as mentioned in the above responses, which implementation is returned also depends on how the algorithm/protocol is requested in the application code. First, a provider should implement the algorithm/protocol you are requesting, and it also has to register it under the name/alias that you use when requesting it.

For example, if the code requests a TLS context as javax.net.ssl.SSLContext.getInstance("SSL"), BC won't return any context, as it does not register any implementation with that alias. However, SunJSSE will return a context, as it adds "SSL" as an alias to "TLS".

Yes, you can explicitly ask for the implementation from a specific provider. All JCE/JSSE APIs have an additional overloaded method that takes the provider name. For example,

javax.net.ssl.SSLContext.getInstance("TLS", "BCJSSE");

javax.net.ssl.KeyManagerFactory.getInstance("PKIX", "BCJSSE");
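An added example, not part of the original answer: a small diagnostic that lists, for each registered provider, whether it offers an SSLContext under "TLS" and under "SSL", and which provider the JDK actually selects. The class name TlsProviderCheck and the method whoServes are hypothetical; the Bouncy Castle JSSE provider is loaded reflectively, so the program also runs with only the JDK on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class (not from the original page).
public class TlsProviderCheck {

    // Report which registered providers offer an SSLContext under this name or alias.
    static void whoServes(String protocol) throws Exception {
        System.out.println("SSLContext \"" + protocol + "\":");
        for (Provider p : Security.getProviders()) {
            // getService also resolves aliases a provider registered for the name.
            boolean offers = p.getService("SSLContext", protocol) != null;
            System.out.println("  " + p.getName() + ": "
                    + (offers ? "registered" : "not registered"));
        }
        // With no provider argument, the first provider in priority order
        // that registers the requested name is the one that gets used.
        Provider chosen = SSLContext.getInstance(protocol).getProvider();
        System.out.println("  -> selected: " + chosen.getName());
    }

    public static void main(String[] args) throws Exception {
        try {
            // The JSSE provider class, not the JCE one from the question.
            Class<?> c = Class.forName(
                    "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider");
            Provider bcJsse = (Provider) c.getDeclaredConstructor().newInstance();
            Security.insertProviderAt(bcJsse, 1);
        } catch (ReflectiveOperationException | LinkageError e) {
            System.out.println("Bouncy Castle JSSE provider not loadable; "
                    + "showing JDK providers only");
        }

        whoServes("TLS");
        whoServes("SSL");

        // Pinning the provider by name removes the dependence on lookup order.
        if (Security.getProvider("BCJSSE") != null) {
            SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
            System.out.println("explicit request: " + ctx.getProvider().getName());
        }
    }
}
```

Running it with only the JCE provider from the question at position 1 shows that provider as "not registered" for SSLContext, which is why sun.security.ssl frames appear in the stack trace.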
