I have a proxy servlet based on Jetty's ProxyServlet, and when it tries to proxy a request to a remote server I see intermittent 502 responses caused by a failed SSL renegotiation in the proxy's HttpClient. A Wireshark trace shows the SSL handshake completing, but HttpClient then starts negotiating again by sending another Client Hello packet. The remote server (an F5 in this case) is configured not to allow SSL renegotiation, so it closes the connection, which causes the proxied request to fail.
I tried calling SslContextFactory.setRenegotiationAllowed(false) when configuring the proxy's HttpClient, but that only causes the request to fail inside the proxy instead. Debug-level logging produces output like that shown below. Note the "renegotiation denied" message, which results in the stream being closed, leading to a connection-closed exception on the subsequent attempt to write the proxied request to the output stream.
So what could cause HttpClient to think it needs to perform an SSL renegotiation, and what can I do to resolve this? Changing the F5's configuration to allow SSL renegotiation is not an option. The problem is intermittent and its reproducibility varies, which suggests there may be a timing component.
I am using Jetty 9.2.13.v20150730 on Java 1.8.0_66.
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=-1} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill enter
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | ChannelEndPoint | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | filled 1006 SelectChannelEndPoint@57eceb70{mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443<->51386,Open,in,out,-,-,15/30000,SslConnection}{io=0,kio=0,kro=1}
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=1006/-1,di=0} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] filled 1006 encrypted bytes
2015-10-26 15:23:04,987 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] unwrap Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 1006 bytesProduced = 977
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] renegotiation denied
2015-10-26 15:23:04,988 | DEBUG | vletModel-46-263 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@276888f4{NEED_WRAP,eio=-1/-1,di=977} -> HttpConnectionOverHTTP@76f2815f(l:/9.32.133.96:51386 <-> r:mail.notes.collabservdaily.swg.usma.ibm.com/9.70.230.131:443,closed=false)[HttpChannelOverHTTP@44d24828(exchange=HttpExchange@3284d378 req=TERMINATED/null@null res=PENDING/null@null)[send=HttpSenderOverHTTP@74d58ca9(req=QUEUED,snd=COMPLETED,failure=null)[HttpGenerator{s=START}],recv=HttpReceiverOverHTTP@501e585d(rsp=IDLE,failure=null)[HttpParser{s=START,0 of 0}]]] fill exit
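An added example, not from the question or from Jetty: a small Python parser for the SslConnection debug format shown above that groups events per SSLEngine id and reports each connection on which Jetty logged "renegotiation denied", along with the handshake-status sequence that preceded it, so that denied renegotiations can be correlated with the upstream peer and with the 502s at the proxy. The sample lines are constructed, with placeholder hosts, addresses and thread names.

```python
import re
from collections import defaultdict

# Constructed sample in the Jetty 9.2 SslConnection debug format (placeholder hosts/threads).
# The "bytesConsumed" line is a continuation line, as Jetty prints after "unwrap ...".
SAMPLE_LOG = """\
2015-10-26 15:23:04,987 | DEBUG | worker-1 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@1a2b3c{NOT_HANDSHAKING,eio=-1/-1,di=-1} -> HttpConnectionOverHTTP@aa(l:/10.0.0.5:51386 <-> r:upstream.example.test/10.0.0.9:443,closed=false)[...] fill enter
2015-10-26 15:23:04,987 | DEBUG | worker-1 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@1a2b3c{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@aa(l:/10.0.0.5:51386 <-> r:upstream.example.test/10.0.0.9:443,closed=false)[...] unwrap Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 1006 bytesProduced = 977
2015-10-26 15:23:04,988 | DEBUG | worker-1 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@1a2b3c{NEED_WRAP,eio=0/-1,di=977} -> HttpConnectionOverHTTP@aa(l:/10.0.0.5:51386 <-> r:upstream.example.test/10.0.0.9:443,closed=false)[...] renegotiation denied
2015-10-26 15:23:05,001 | DEBUG | worker-2 | SslConnection | 73 - org.eclipse.jetty.util - 9.2.13.v20150730 | SslConnection@9f9f9f{NOT_HANDSHAKING,eio=0/-1,di=120} -> HttpConnectionOverHTTP@bb(l:/10.0.0.5:51390 <-> r:upstream.example.test/10.0.0.9:443,closed=false)[...] unwrap Status = OK HandshakeStatus = NOT_HANDSHAKING
"""

# One SslConnection line: timestamp, engine id, SSLEngine handshake status,
# encrypted/decrypted buffer fill levels, remote peer, and the trailing event text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| DEBUG \| .*?\| SslConnection \| .*?\| "
    r"SslConnection@(?P<conn>[0-9a-f]+)\{(?P<hs>[A-Z_]+),eio=(?P<eio>-?\d+/-?\d+),di=(?P<di>-?\d+)\}"
    r" -> .*?r:(?P<peer>[^,]+),closed=(?P<closed>true|false)\).*\] (?P<event>.+)$"
)


def parse_line(line):
    """Parsed fields of an SslConnection debug line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_denied_renegotiations(log_text):
    """Per SslConnection id, report each 'renegotiation denied' event (what Jetty logs
    with setRenegotiationAllowed(false)) with the peer and the handshake-status
    sequence observed on that connection up to the denial."""
    by_conn = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_conn[rec["conn"]].append(rec)
    findings = []
    for conn, recs in by_conn.items():
        for i, rec in enumerate(recs):
            if rec["event"] == "renegotiation denied":
                findings.append({"conn": conn, "ts": rec["ts"], "peer": rec["peer"],
                                 "states": [r["hs"] for r in recs[: i + 1]]})
    return findings


if __name__ == "__main__":
    for f in find_denied_renegotiations(SAMPLE_LOG):
        print(f"{f['ts']} conn {f['conn']} peer {f['peer']}: {' -> '.join(f['states'])}")
```

A connection whose status moves from NOT_HANDSHAKING back to NEED_WRAP/NEED_UNWRAP after the initial handshake is one where the SSLEngine has started a second handshake; counting those per peer over a longer log shows whether the denials are tied to a particular upstream or time window.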