SSL通信中的Apache CXF异常:SocketTimeOut [英] Apache CXF Exception in SSL communication: SocketTimeOut
问题描述
所以这是交易。我有一个Web服务WSDL,我需要在公司网络之外进行SOAP调用。 Web服务是HTTPS SOAP,需要客户端证书。我用 wsdl2java 生成了Java中的客户端代码,事情似乎进展得很顺利。
So here's the deal. I have a web service WSDL that I need to make SOAP calls to outside my corporate network. The webservice is HTTPS SOAP, and requires a client certificate. I've generated the client code in Java from wsdl2java, and things seem to go pretty well.
我现在不能做的是通过CXF从Web服务收到回复。 SSL握手似乎只是花花公子甚至达到了CXF尝试进行HTTP POST的程度,但等待响应的时间超时(如下所示):
What I cannot do right now is receive a response from the web service through CXF. The SSL handshake seems to go just dandy even up to the point where CXF tries to do an HTTP POST, but times out waiting for a response (shown below):
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: false
Is secure renegotiation: false
*** HelloRequest (empty)
main, SEND TLSv1 ALERT: warning, description = no_renegotiation
Padded plaintext before ENCRYPTION: len = 24
0000: 01 64 01 FD 5B 38 03 A6 70 41 57 58 6D 75 60 F7 .d..[8..pAWXmu`.
0010: 93 1F 02 F3 C4 46 01 01 .....F..
main, WRITE: TLSv1 Alert, length = 24
[Raw write]: length = 29
0000: 15 03 01 00 18 0C 9B DF 1B 60 AB 12 EE C7 CF C9 .........`......
0010: 62 97 A5 5D 5F 14 48 E1 9F AD 8A 08 05 b..]_.H......
main, handling exception: java.net.SocketTimeoutException: Read timed out
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 24
0000: 01 00 BD 99 7A 7C 72 1F BB 11 2D AB 3F 53 C9 CD ....z.r...-.?S..
... continuing on
现在,如果我使用 curl 或类似的东西,我可以在不到一秒的时间内收到回复,所以我知道网络服务没有错。下面是创建服务端口所需的全部代码,包括使用TLS和HTTP代理进行设置。我有一个非常简单的JUnit测试来创建和运行它:
Now, if I use curl or somethign similar, I can get a response in less than a second, so I know the web service isn't at fault. Below is the entirety of the code necessary to create the service port, including setup with TLS and an HTTP proxy. I have a very simple JUnit test to create and run this, too:
public static MYPORT setupTLS(MYPORT port) throws IOException,
GeneralSecurityException {
HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port)
.getConduit();
String keyPassword = "password";
KeyStore keyStore = KeyStore.getInstance("pkcs12");
URL pkcs12_file = MECTPortFactory.class.getResource(System
.getProperty("pkcs12.keyFile"));
InputStream keyFile = pkcs12_file.openStream();
keyStore.load(keyFile, keyPassword.toCharArray());
KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
TLSClientParameters tlsCP = new TLSClientParameters();
tlsCP.setKeyManagers(myKeyManagers);
tlsCP.setDisableCNCheck(true);
FiltersType cipher_suite_filter = new FiltersType();
cipher_suite_filter.getInclude().add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
cipher_suite_filter.getExclude().add(".*_DH_anon_.*");
tlsCP.setCipherSuitesFilter(cipher_suite_filter);
httpConduit.setTlsClientParameters(tlsCP);
httpConduit.setClient(getHttpClient());
return port;
}
private static HTTPClientPolicy getHttpClient() {
HTTPClientPolicy client_policy = new HTTPClientPolicy();
client_policy.setProxyServer("PROXY_SERVER_ADDRESS");
client_policy.setProxyServerPort(8080);
client_policy.setAutoRedirect(true);
client_policy.setConnection(ConnectionType.KEEP_ALIVE);
client_policy.setAllowChunking(true);
client_policy.setReceiveTimeout(10000);
return client_policy;
}
private static KeyManager[] getKeyManagers(KeyStore keyStore,
String keyPassword) throws GeneralSecurityException, IOException {
String alg = KeyManagerFactory.getDefaultAlgorithm();
char[] keyPass = keyPassword != null ? keyPassword.toCharArray() : null;
KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
fac.init(keyStore, keyPass);
return fac.getKeyManagers();
}
编辑:
我已经摆弄了一些客户端设置,例如更改是否 AutoRedirect , AllowChunking 等,没有任何差异,所以我认为这不会导致错误。
I've fiddled with some client settings such as changing whether to AutoRedirect, AllowChunking, etc., with no differences, so I don't think that's causing errors.
我没有收到来自网络服务的回复。 如何解决和修复导致CXF超时而不是接收响应的原因?
I don't get a response from the web service. How can I troubleshoot and fix what is causing CXF to time out instead of receiving the response?
推荐答案
OMG!我想通了。
所以我穿过了互联网,发现了这个小宝石:
So I went traipsing through the interwebs and found this little gem:
它引用了Oracle / Sun的一个非常重要的说明:
And it references a very important note from Oracle/Sun:
Transport Layer Security (TLS) Renegotiation Issue Readme
接收来自对等方的重新协商请求的应用程序将根据所处的连接类型响应
:
Applications that receive a renegotiation request from the peer will respond according to the type of connection in place:
TLSv1:类型为no_renegotiation(100)的警告提示消息将是
发送给对等方,连接将保持打开状态。
TLSv1: A warning Alert message of type "no_renegotiation(100)" will be sent to the peer and the connection will remain open.
然后,进一步向下:
通过设置新的重新协商可以为需要它的应用重新启用初始化JSSE库之前,系统属性
sun.security.ssl.allowUnsafeRenegotiation到true。有几种方法可以设置此属性:
Renegotiations can be re-enabled for those applications that need it by setting the new system property
sun.security.ssl.allowUnsafeRenegotiationtotruebefore the JSSE library is initialized. There are several ways to set this property:
-
命令行:
Command Line:
%java -Dsun.security.ssl.allowUnsafeRenegotiation = true Main
Java控制面板( Java Plug-in / Java Web Start) - 运行时环境。
Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment.
在应用程序中:
java.lang.System.setProperty (sun.security.ssl.allowUnsafeRenegotiation,true);
请注意除非
客户端和服务器都启用了重新协商,否则不会发生TLS / SSL重新协商。
Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.
所以它的长短不一? System.setProperty(sun.security.ssl.allowUnsafeRenegotiation,true);
So the long and short of it? System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
等等。只是。工作。
这篇关于SSL通信中的Apache CXF异常:SocketTimeOut的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
