Netty 5.0.0Alpha1 SSLHandler在一次请求后崩溃

时间:2014-07-24 10:39:58

标签: java ssl netty

我正在努力解决Netty 5.0.0Alpha1的问题。目前我正在升级我们的一个API以使用SSL。当我按照示例中所示设置所有内容时,服务器处理一个请求并崩溃。基本上我能够在firefox上获得不受信任的证书警告,并且服务器在每个后续请求上重置连接。日志中没有其他有用的信息。我已将io.netty设置为DEBUG级别。

以下是我的服务器初始化的代码示例:

自举: 

String cfgKsLocation = ; // .....
String cfgKsPassword = ; // .....

KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(new File(cfgKsLocation)), cfgKsPassword.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(keystore, cfgKsPassword.toCharArray());

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);

this.sslEngine = sslContext.createSSLEngine();
this.sslEngine.setUseClientMode(false);

EventLoopGroup nettyBossGroup = new NioEventLoopGroup(1);
EventLoopGroup nettyWorkerGroup = new NioEventLoopGroup(2);
try {
      ServerBootstrap bootstrap = new ServerBootstrap();
      bootstrap.group(nettyBossGroup, nettyWorkerGroup);
      bootstrap.channel(NioServerSocketChannel.class);
      bootstrap.childHandler(new ApiChannelInitializer());
      bootstrap.option(ChannelOption.SO_BACKLOG, cfgServerBacklog);
      bootstrap.option(ChannelOption.SO_KEEPALIVE, true);
      Channel channel = bootstrap.bind(cfgServerIpAddress, cfgServerPort).sync().channel();
      channel.closeFuture().sync();
} finally {
      nettyBossGroup.shutdownGracefully();
      nettyWorkerGroup.shutdownGracefully();
}

ApiChannelInitializer: 

private class ApiChannelInitializer extends ChannelInitializer<SocketChannel> {

    @Override
    protected void initChannel(SocketChannel c) throws Exception {
        c.pipeline().addLast(new SslHandler(ApiServer.this.sslEngine));
        c.pipeline().addLast(new HttpRequestDecoder());
        c.pipeline().addLast(new HttpResponseEncoder());
        c.pipeline().addLast(new HttpContentCompressor());
        c.pipeline().addLast(new ApiChannelInboundHandler());
    }

}

到目前为止我尝试了什么:

  • 从EventLoopGroup构造中删除参数
  • 使用可与Java SecureSocketServer一起使用的不同证书
  • 更改为netty版本4.0.X
  • 在SslHandler
    • 之后将DelimiterBasedFrameDecoder添加到pipline

1 个答案:

答案 0 :(得分:0)

经过几个小时的努力,这解决了我的问题。问题是ssl警报在SSLHandler中崩溃了SSLEngine。如果在管道的开头只连接了一个SSLHandler,并且它的SSLEngine崩溃,则SSLHandler将无法再处理SSL / TLS连接。

所以我已将此覆盖添加到我的入站通道处理程序:

    @Override
    public void channelRegistered(ChannelHandlerContext ctx) throws Exception {
        SSLEngine sslEngine = ApiServer.this.sslContext.createSSLEngine();
        sslEngine.setNeedClientAuth(false);
        sslEngine.setUseClientMode(false);
        SslHandler sslHandler = new SslHandler(sslEngine);
        ctx.pipeline().addFirst(sslHandler);
    }
相关问题
最新问题