GLEzzly与TLS - 握手问题

时间:2014-03-28 23:22:27

标签: java security ssl grizzly

我目前正在尝试使用SSL来保护我的Grizzly HTTP-Server(根据教程和示例应该很容易) - 仅限服务器端。 首先,我已经从Orcale下载了UnlimitedJCEPolicy,以便能够支持强大的TLS算法。 然后,我使用keytool和以下命令创建了一个新的密钥库文件:

keytool -keyalg rsa -keysize 2048 -genkey -keystore .\keystore_server.jks -alias server -dname "..."

最后,我使用以下Java代码设置我的服务器:

    //Create Http Server
    HttpServer server = new HttpServer();

    //Configure and register listener
    NetworkListener adminListener = new NetworkListener("admin", "localhost", 19241);

    SSLContextConfigurator configurator = new SSLContextConfigurator();
    URL url = configurator.getClass().getResource("/keystore_server.jks");
    if(url == null) throw new Error("Could not get Keystore!");
    configurator.setKeyStoreFile(url.getFile());
    configurator.setKeyStorePass("store");
    configurator.setKeyPass("key");
    configurator.setSecurityProtocol("TLS");


    SSLContext context = configurator.createSSLContext();
    SSLEngineConfigurator engineConfigurator = new SSLEngineConfigurator(context);
    engineConfigurator.setWantClientAuth(false);
    engineConfigurator.setClientMode(true);
    engineConfigurator.setNeedClientAuth(false);


    adminListener.setSSLEngineConfig(engineConfigurator);
    adminListener.setSecure(true);

    server.addListener(adminListener);

    Endpoint endpoint = new Endpoint();

    EndpointApplication application = new EndpointApplication(endpoint);

    HttpHandler httpHandler = RuntimeDelegate.getInstance().createEndpoint(application, HttpHandler.class);
    server.getServerConfiguration().addHttpHandler(httpHandler, "/test");

    server.start();

感谢Warren,我解决了第一个没有明确指定HTTPS作为协议使用的问题。但是,现在还有另一个问题。这是日志:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1396054606 bytes = { 72, 223, 146, 247, 36, 165, 251, 160, 151, 23, 75, 48, 62, 242, 48, 178, 113, 150, 150, 62, 180, 118, 59, 232, 207, 168, 163, 93 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes:  len = 163
'...'
Grizzly(2) SelectorRunner, WRITE: TLSv1 Handshake, length = 163
[Raw write]: length = 168
'...'
[Raw read]: length = 5
'...'
[Raw read]: length = 171
'...'
Grizzly(2) SelectorRunner, READ: TLSv1 Handshake, length = 171
Grizzly(2) SelectorRunner, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 1
Grizzly(2) SelectorRunner, SEND TLSv1 ALERT:  fatal, description = internal_error
Grizzly(2) SelectorRunner, WRITE: TLSv1 Alert, length = 2

是否有人熟悉此类错误?

1 个答案:

答案 0 :(得分:1)

我使用-Djavax.net.debug=all命令行参数时遇到了同样的问题,我找到了这个日志行:

Grizzly(2) SelectorRunner, fatal error: 80: problem unwrapping net record

根据alexey的评论,我将代码更改为:

engineConfigurator.setClientMode(false);
engineConfigurator.setNeedClientAuth(false);

此更改后,致命错误消失,我可以通过https通过浏览器访问application.wadl。

我已经失去了相当多的时间来寻找解决方案,如果Grizzly以更易读,易懂的方式报告此问题,那就太好了。