我看到SSLEngine出现了一个奇怪的问题,并想知道我的代码或SSLEngine是否存在问题。这是我看到事物的顺序
最重要的问题:如何彻底调试?如何以某种方式“看到”每条消息?我可以很容易地捕获字节流,但是是否有一些库可以将其解析为SSL握手对象?
第298行(记录以前的握手状态)到第328行(我们在其中抛出异常并附带信息)是此处的相关代码
堆栈跟踪为
2019-06-21 08:58:24,562 [-] [webpiecesThreadPool6] Caller+1 at org.webpieces.util.threading.SessionExecutorImpl$RunnableWithKey.run(SessionExecutorImpl.java:123)
ERROR: Uncaught Exception
java.lang.IllegalStateException: Engine issue. hsStatus=NEED_WRAP status=OK previous hsStatus=NEED_WRAP
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.sendHandshakeMessageImpl(AsyncSSLEngine3Impl.java:328)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.sendHandshakeMessage(AsyncSSLEngine3Impl.java:286)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doHandshakeWork(AsyncSSLEngine3Impl.java:133)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doHandshakeLoop(AsyncSSLEngine3Impl.java:246)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.unwrapPacket(AsyncSSLEngine3Impl.java:210)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doWork(AsyncSSLEngine3Impl.java:109)
at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.feedEncryptedPacket(AsyncSSLEngine3Impl.java:82)
at org.webpieces.nio.impl.ssl.SslTCPChannel$SocketDataListener.incomingData(SslTCPChannel.java:175)
at org.webpieces.nio.impl.threading.ThreadDataListener$1.run(ThreadDataListener.java:26)
at org.webpieces.util.threading.SessionExecutorImpl$RunnableWithKey.run(SessionExecutorImpl.java:121)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
有什么想法吗?我该如何真正深入研究呢?我的喜好是一个库,它占用字节并吐出表示每个握手消息或解密数据包的ssl对象(带有原始加密内容附带的任何标头信息)。
具体来说,这是上面提到的代码
HandshakeStatus previousStatus = sslEngine.getHandshakeStatus();
//CLOSE and all the threads that call feedPlainPacket can have contention on wrapping to encrypt and
//must synchronize on sslEngine.wrap
Status lastStatus;
HandshakeStatus hsStatus;
synchronized (wrapLock ) {
HandshakeStatus beforeWrapHandshakeStatus = sslEngine.getHandshakeStatus();
if (beforeWrapHandshakeStatus != HandshakeStatus.NEED_WRAP)
throw new IllegalStateException("we should only be calling this method when hsStatus=NEED_WRAP. hsStatus=" + beforeWrapHandshakeStatus);
//KEEEEEP This very small. wrap and then listener.packetEncrypted
SSLEngineResult result = sslEngine.wrap(SslMementoImpl.EMPTY, engineToSocketData);
lastStatus = result.getStatus();
hsStatus = result.getHandshakeStatus();
}
log.trace(()->mem+"write packet pos="+engineToSocketData.position()+" lim="+
engineToSocketData.limit()+" status="+lastStatus+" hs="+hsStatus);
if(lastStatus == Status.BUFFER_OVERFLOW || lastStatus == Status.BUFFER_UNDERFLOW)
throw new RuntimeException("status not right, status="+lastStatus+" even though we sized the buffer to consume all?");
boolean readNoData = engineToSocketData.position() == 0;
engineToSocketData.flip();
try {
CompletableFuture<Void> sentMsgFuture;
if(readNoData) {
log.trace(() -> "ssl engine is farting. READ 0 data. hsStatus="+hsStatus+" status="+lastStatus);
throw new IllegalStateException("Engine issue. hsStatus="+hsStatus+" status="+lastStatus+" previous hsStatus="+previousStatus);
//A big hack since the Engine was not working in live testing with FireFox and it would tell us to wrap
//and NOT output any data AND not BufferOverflow.....you have to do 1 or the other, right!
//instead cut out of looping since there seems to be no data
//sslEngineIsFarting = true;
//sentMsgFuture = CompletableFuture.completedFuture(null);
谢谢, 院长
答案 0 :(得分:1)
好吧,这越来越像是jdk的错误,现在似乎证明了这一点。我的日志显示我在jdk11.0.3(在MAC上)
2019-06-29 23:37:18,793 [main] [] [-]来电者+1 WEBPIECESxPACKAGE.DevelopmentServer.main(DevelopmentServer.java:32) INFO:在Java version = 11.0.3下启动Development Server
我使用了的调试ssl标志设置
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack
我也用自己的日志将对sslEngine.wrap和sslEngine.unwrap的所有调用都包含在自己的日志中,幸运的是,每个人的日志名称中也都包含了线程名称。
似乎客户发送此警告
javax.net.ssl|DEBUG|14|webpiecesThreadPool1|2019-06-29 23:27:14.860
MDT|Alert.java:232|Received alert message (
"Alert": {
"level" : "warning",
"description": "close_notify"
}
)
SSLEngine告诉我们我们需要正确的WRAP,因为我们还需要使用close_notify进行回复,以防止截断攻击,但是引擎会返回0字节,并告诉我们引擎的状态仍为NEED_WRAP。
此外,在sslEngine.wrap调用之前和之后,我的日志之间都有来自Java的ssl调试日志,几乎就像sslEngine放屁一样,什么也没做。
然后,我以为我会很酷,并将其作为main()方法的第一行添加
System.setProperty("jdk.tls.server.protocols", "TLSv1.2");
System.setProperty("jdk.tls.client.protocols", "TLSv1.2");
但是在调试信息中选择的版本仍然是TLSv1.3。...grrrrrr ...哦,我放弃了。
答案 1 :(得分:1)
哦,甚至更好,降级到1.8.0_111会成功
2019-06-30 00:11:54,813 [main] Caller+1 at
WEBPIECESxPACKAGE.DevelopmentServer.main(DevelopmentServer.java:32)
INFO: Starting Development Server under java version=1.8.0_111
webpiecesThreadPool5, READ: TLSv1.2 Alert, length = 26
webpiecesThreadPool2, RECV TLSv1.2 ALERT: warning, close_notify
webpiecesThreadPool2, closeInboundInternal()
webpiecesThreadPool2, closeOutboundInternal()
webpiecesThreadPool5, RECV TLSv1.2 ALERT: warning, close_notify
webpiecesThreadPool5, closeInboundInternal()
webpiecesThreadPool5, closeOutboundInternal()
webpiecesThreadPool2, SEND TLSv1.2 ALERT: warning, description = close_notify
webpiecesThreadPool5, SEND TLSv1.2 ALERT: warning, description = close_notify
webpiecesThreadPool2, WRITE: TLSv1.2 Alert, length = 26
webpiecesThreadPool5, WRITE: TLSv1.2 Alert, length = 26
答案 2 :(得分:1)
System.setProperty(“ jdk.tls.server.protocols”,“ TLSv1.2”);
System.setProperty(“ jdk.tls.client.protocols”,“ TLSv1.2”);
应该在加载JSSE之前设置系统属性。例如,在命令行中设置属性。是系统属性对您不起作用的原因吗?
... SSLEngine告诉我们我们需要正确的WRAP,因为我们也需要使用close_notify进行回复,以防止截断攻击,但是引擎会返回0字节,并告诉我们引擎的状态仍为NEED_WRAP 。
TLS 1.3使用半关闭策略(请参阅RFC 8446)。收到close_notify时,入站端将关闭,出站端将保持打开状态。本地端无法接收任何数据,但可以发送更多应用程序数据。
半关闭策略对兼容性有一些影响(请参见JDK 11发行说明https://www.oracle.com/technetwork/java/javase/11-relnote-issues-5012449.html)。系统属性“ jdk.tls.acknowledgeCloseNotify”可以用作解决方法。有关更多详细信息,请参阅JDK 11发行说明。