I want to use the SSL support that Thrift provides in my C++ server and client. My own Thrift client always hangs in SSL_connect after going through "transport->open()". So I built the official thrift\thrift-0.9.1\test\cpp\src\TestServer.cpp and TestClient.cpp for Windows. The same thing happens there.
I could really use any help or pointers.
Update
I also tried using the latest sources from https://github.com/apache/thrift before I used 0.9.1.
Since I saw TestServer.cpp doing the following
sslSocketFactory->loadCertificate("./server-certificate.pem");
sslSocketFactory->loadPrivateKey("./server-private-key.pem");
sslSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
and TestClient.cpp doing the following
factory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
factory->loadTrustedCertificates("./trusted-ca-certificate.pem");
factory->authenticate(true);
I took the following steps to build the certificates
openssl genrsa -out ca-private-key.pem 2048
openssl req -new -x509 -nodes -days 3600 -key ca-private-key.pem -out ca-certificate.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-private-key.pem -out server-request.pem
openssl rsa -in server-private-key.pem -out server-private-key.pem
openssl x509 -req -in server-request.pem -days 3600 -CA ca-certificate.pem -CAkey ca-private-key.pem -set_serial 01 -out server-certificate.pem
Output of the different test cases -
TestServer.exe --ssl
TestClient.exe --host 192.168.0.4 --ssl
I saw TestClient.exe hang on SSL_connect while running
testClient.testVoid();
Server-side call stack during the hang.
Client-side call stack during the hang. Apparently both sides are reading!
Wireshark debug trace of the above client-server communication.
Debug output of "openssl s_client" run against the Thrift server -
openssl s_client -connect 192.168.0.4:9090 -state -debug
Loading 'screen' into random state - done
CONNECTED(00000100)
SSL_connect:before/connect initialization
write to 0x1e2b5c0 [0x1e2bf50] (321 bytes => 321 (0x141))
0000 - 16 03 01 01 3c 01 00 01-38 03 03 52 dc 25 39 ad ....<...8..R.%9.
SSL_connect:SSLv2/v3 write client hello A
TestServer.exe --ssl --server-type nonblocking
TestClient.exe --ssl
I saw TestClient.exe failed on SSL_connect (10054) while running
testClient.testVoid();
Server stderr was saying
Thrift: Sat Jan 18 19:31:21 2014 TNonblockingServer: frame size too large (369295616 > 268435456)
from client <Host: ::1 Port: 22869>. Remote side not using TFramedTransport?
openssl.exe s_client -connect localhost:9090 -state -debug
Loading 'screen' into random state - done
CONNECTED(0000018C)
SSL_connect:before/connect initialization
write to 0x6db5c0 [0x6dbf50] (321 bytes => 321 (0x141))
0000 - 16 03 01 01 3c 01 00 01-38 03 03 52 db 4b 8a dd ....<...8..R.K..
SSL_connect:SSLv2/v3 write client hello A
read from 0x6db5c0 [0x6e14b0] (7 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv2/v3 read server hello A
write:errno=10054
TestServer.exe --ssl --server-type nonblocking --transport framed
TestClient.exe --ssl --transport framed
Server stderr was saying
Thrift: Sat Jan 18 19:36:01 2014 TNonblockingServer: frame size too large (369295616 > 268435456) from client <Host: ::1 Port: 23087>. Remote side not using TFramedTransport?
By stepping through, I confirmed that TestClient is using the framed transport.
Answer 0: (score: 4)
I think I know what might be happening, and may have found the bug.
After further debugging, I saw that the virtual function createSocket is declared with an "int" parameter:
boost::shared_ptr<TSocket> createSocket(int socket);
https://github.com/apache/thrift/blob/master/lib/cpp/src/thrift/transport/TSSLServerSocket.h
https://github.com/apache/thrift/blob/master/lib/cpp/src/thrift/transport/TSSLServerSocket.cpp
But the base class TServerSocket.h declares it as "THRIFT_SOCKET", which is ULONG_PTR on Windows:
virtual boost::shared_ptr<TSocket> createSocket(THRIFT_SOCKET client);
https://github.com/apache/thrift/blob/master/lib/cpp/src/thrift/transport/TServerSocket.h
Hence the correct createSocket is not being called internally.
After making this change I was able to move forward, which I confirmed again with openssl s_client -connect localhost:9090 -state -debug
I will send my patch to thrift dev in case they are willing to accept it.
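An added illustration (not code from the question, the answer, or Thrift itself) of the two things this page shows: why a derived-class createSocket(int) silently fails to override a base-class createSocket(THRIFT_SOCKET) when THRIFT_SOCKET is not int, and what the framed server's "frame size too large (369295616 > 268435456)" message is actually reporting. The class names and the THRIFT_SOCKET typedef mirror the Thrift identifiers named above, but their bodies here are hypothetical stand-ins, and THRIFT_SOCKET is emulated with uintptr_t so the example compiles on any platform. The four sample bytes are constructed from the logged value: 369295616 is 0x16030100, and its leading 16 03 01 is a TLS handshake record header, the same bytes that open the s_client hex dumps above.

```cpp
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Assumption: on Windows Thrift's THRIFT_SOCKET is ULONG_PTR (pointer-sized),
// not int. uintptr_t stands in for it here so the example runs anywhere.
typedef std::uintptr_t THRIFT_SOCKET;

// Hypothetical stand-ins for Thrift's socket classes (not the real ones).
struct TSocket {
    virtual ~TSocket() {}
    virtual std::string kind() const { return "TSocket"; }
};
struct TSSLSocket : TSocket {
    std::string kind() const override { return "TSSLSocket"; }
};

// Base server socket: acceptImpl() hands the accepted descriptor to the
// virtual factory createSocket(THRIFT_SOCKET).
struct TServerSocket {
    virtual ~TServerSocket() {}
    std::shared_ptr<TSocket> acceptImpl(THRIFT_SOCKET client) { return createSocket(client); }
    virtual std::shared_ptr<TSocket> createSocket(THRIFT_SOCKET /*client*/) {
        return std::make_shared<TSocket>();   // plain, unencrypted socket
    }
};

// The bug the answer describes: the SSL subclass takes `int`. Because
// THRIFT_SOCKET is not int, this is a new overload that hides the base
// function instead of overriding it, so acceptImpl() still gets a TSocket.
struct BuggySSLServerSocket : TServerSocket {
    using TServerSocket::createSocket;      // only quiets the "hides" warning
    virtual std::shared_ptr<TSocket> createSocket(int /*socket*/) {
        return std::make_shared<TSSLSocket>();
    }
};

// The fix: match the base signature exactly, and say `override` so any
// future mismatch is a compile error instead of a silent hide.
struct FixedSSLServerSocket : TServerSocket {
    std::shared_ptr<TSocket> createSocket(THRIFT_SOCKET /*client*/) override {
        return std::make_shared<TSSLSocket>();
    }
};

std::string buggyAcceptKind() {
    BuggySSLServerSocket s;
    return s.acceptImpl(static_cast<THRIFT_SOCKET>(7))->kind();   // "TSocket"
}
std::string fixedAcceptKind() {
    FixedSSLServerSocket s;
    return s.acceptImpl(static_cast<THRIFT_SOCKET>(7))->kind();   // "TSSLSocket"
}

// Constructed input: the first four bytes a TLS 1.0 ClientHello record puts on
// the wire: content type 0x16 (handshake), version 0x0301, length high byte 0x00.
const std::vector<std::uint8_t> kClientHelloPrefix = {0x16, 0x03, 0x01, 0x00};
const std::uint32_t kDefaultMaxFrameSize = 268435456;  // 256 MiB, the limit in the log

// TFramedTransport reads a 4-byte big-endian length before every frame; a plain
// (non-TLS) accepted socket therefore treats the TLS record header as a length.
std::uint32_t frameLengthFromPrefix(const std::vector<std::uint8_t>& b) {
    return (std::uint32_t(b[0]) << 24) | (std::uint32_t(b[1]) << 16) |
           (std::uint32_t(b[2]) << 8)  |  std::uint32_t(b[3]);
}
std::uint32_t loggedFrameSize() { return frameLengthFromPrefix(kClientHelloPrefix); }
bool exceedsDefaultMaxFrame(std::uint32_t n) { return n > kDefaultMaxFrameSize; }
// Cheap triage check: does a "frame header" actually look like a TLS record?
bool looksLikeTlsRecord(const std::vector<std::uint8_t>& b) {
    return b.size() >= 3 && b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x04;
}

int main() {
    std::cout << "buggy accept -> " << buggyAcceptKind() << "\n"
              << "fixed accept -> " << fixedAcceptKind() << "\n"
              << "frame size read from TLS header: " << loggedFrameSize()
              << (exceedsDefaultMaxFrame(loggedFrameSize()) ? " (too large)" : "") << "\n";
    return 0;
}
```

Two practical takeaways: marking the intended override with C++11 `override` (or compiling with -Woverloaded-virtual) turns this kind of signature mismatch into a compiler diagnostic rather than a runtime mystery, and a framed Thrift server that logs a rejected frame size of 0x16030100 is reading a TLS ClientHello through a socket that is not doing TLS, which is exactly what the plain TSocket from the hidden base createSocket would produce.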