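I have been trying to set up mutual authentication between a server and a client in Java using Netty.
I generated the certificates with the Java keytool, following several examples. I tried setting the cipher suites manually on both the client and the server. The only way I can get the code to work is by turning off client authentication.
The SSL debug output doesn't give me anything conclusive. If anyone could give me some pointers to solve my problem, it would help me a lot.
Client code: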
    @Override
    public void initChannel(SocketChannel ch) throws Exception {
        ChannelPipeline pipeline = ch.pipeline();
        String password = "blablabla";
        // The same JKS file is used below as both the key store and the trust store.
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream readStream = getClass().getResourceAsStream("clientCert.jks");
        ks.load(readStream, password.toCharArray());
        TrustManagerFactory tmFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmFactory.init(ks);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);
        // Engine in client mode, restricted to a single RSA cipher suite.
        SSLEngine sslEngine = sslContext.createSSLEngine();
        sslEngine.setUseClientMode(true);
        sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
        sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
        sslEngine.setEnableSessionCreation(true);
        pipeline.addFirst("SSL", new SslHandler(sslEngine));
        pipeline.addLast(new ProtobufVarint32FrameDecoder());
        pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
        pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
        pipeline.addLast(new ProtobufEncoder());
        // and then business logic.
        pipeline.addLast(new ServerHandlerCorrelator());
    }
Server code:
    @Override
    public void initChannel(SocketChannel ch) throws Exception {
        ChannelPipeline pipeline = ch.pipeline();
        String password = "blablabla";
        KeyStore ks = KeyStore.getInstance("JKS");
        // Use nettyserver.jks to do client-side authentication
        InputStream readStream = getClass().getResourceAsStream("serverCert.jks");
        ks.load(readStream, password.toCharArray());
        TrustManagerFactory tmFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmFactory.init(ks);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);
        // Engine in server mode that requires a client certificate.
        SSLEngine sslEngine = sslContext.createSSLEngine();
        sslEngine.setUseClientMode(false);
        sslEngine.setNeedClientAuth(true);
        sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
        sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
        sslEngine.setEnableSessionCreation(true);
        // Add SSL handler into pipeline
        pipeline.addFirst("SSL", new SslHandler(sslEngine));
        // Add protobuf handler into pipeline
        pipeline.addLast(new ProtobufVarint32FrameDecoder());
        pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
        pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
        pipeline.addLast(new ProtobufEncoder());
        // Add custom handler
        pipeline.addLast(new ServerHandler());
    }
Server SSL log:
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255, 246, 237, 100, 250, 62, 211 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes: len = 84
0000: 01 00 00 50 03 03 58 2D 9E B1 20 EA 5B 60 6A 13 ...P..X-.. .[`j.
0010: F4 A6 8F AE 48 9D 4B 6C 71 A8 E6 CE 09 85 66 FF ....H.Klq.....f.
0020: F6 ED 64 FA 3E D3 00 00 02 00 2F 01 00 00 25 00 ..d.>...../...%.
0030: 0D 00 1C 00 1A 06 03 06 01 05 03 05 01 04 03 04 ................
0040: 01 04 02 03 03 03 01 03 02 02 03 02 01 02 02 FF ................
0050: 01 00 01 00 ....
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 84
[write] MD5 and SHA1 hashes: len = 47
0000: 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 FF 58 ........ ../...X
0010: 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B -.. .[`j.....H.K
0020: 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 lq.....f...d.>.
nioEventLoopGroup-2-1, WRITE: SSLv2 client hello message, length = 47
[Raw write]: length = 49
0000: 80 2F 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 ./........ ../..
0010: FF 58 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 .X-.. .[`j.....H
0020: 9D 4B 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E .Klq.....f...d.>
0030: D3 .
6539 [nioEventLoopGroup-2-1] DEBUG one.ppdrforensics.server.comms.ServerHandlerCorrelator - NETTY Connected to Correlator
nioEventLoopGroup-2-1, called closeOutbound()
nioEventLoopGroup-2-1, closeOutboundInternal()
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: warning, description = close_notify
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-2-1, called closeInbound()
nioEventLoopGroup-2-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
nioEventLoopGroup-2-1, Exception sending alert: java.io.IOException: writer side was already closed.
Client SSL log:
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
[Raw read]: length = 5
0000: 80 2F 01 03 03 ./...
[Raw read]: length = 44
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 ....f...d.>.
[read] MD5 and SHA1 hashes: len = 3
0000: 01 03 03 ...
[read] MD5 and SHA1 hashes: len = 44
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 ....f...d.>.
nioEventLoopGroup-3-1, READ: SSL v2, contentType = Handshake, translated length = 47
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255, 246, 237, 100, 250, 62, 211 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
nioEventLoopGroup-3-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
0 [nioEventLoopGroup-3-1] ERROR one.ppdrforensics.correlator.comms.ServerHandler - [exceptionCaught] Exception javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, closeInboundInternal()
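Answer 0 (score: 0)
Could you enable the -Djavax.net.debug=ssl debug:all parameter? It will give more information about the SSL handshake. Please find out the type of the client and server certificates. Are they DSA or RSA certificates?
Java "no cipher suites in common" issue when trying to securely connect to server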
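The check the answer asks for (whether each store holds an RSA or a DSA key), as an added example that is not part of the original answer: it lists every entry of a JKS store, the aliases the JSSE key manager can offer per key type, and the certificates the trust manager built from that store accepts. The class name `KeyStoreCheck` is hypothetical, and the store is assumed to use one password for the store and its keys, as in the question's code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.*;

// Added diagnostic; the class name KeyStoreCheck is hypothetical.
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2)
            throw new IllegalArgumentException("usage: java KeyStoreCheck <store.jks> <password>");
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        // 1. Entry kind and public-key algorithm for every alias in the store.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String kind = ks.isKeyEntry(alias) ? "key entry" : "trusted cert";
            String alg = cert == null ? "n/a" : cert.getPublicKey().getAlgorithm();
            System.out.printf("%-20s %-13s %s%n", alias, kind, alg);
        }
        // 2. Aliases the key manager can offer per key type (null means none).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw); // assumes key password == store password, as on the page
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x = (X509KeyManager) km;
            for (String t : new String[] {"RSA", "DSA", "EC"}) {
                System.out.printf("%s server=%s client=%s%n", t,
                    Arrays.toString(x.getServerAliases(t, null)), Arrays.toString(x.getClientAliases(t, null)));
            }
        }
        // 3. Certificates the trust manager built from this store will accept.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                System.out.println("trust anchor: " + c.getSubjectX500Principal());
            }
        }
    }
}
```

Run it once against each side's store. With only `TLS_RSA_WITH_AES_128_CBC_SHA` enabled, the side acting as TLS server needs a non-null RSA server alias, and with `setNeedClientAuth(true)` each peer's certificate or its issuer has to appear among the other side's trust anchors.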