我们有一个可以解决TCP连接并使用Akka Actors的应用程序。我们需要为Tcp连接添加TLS支持,因此我们使用Steam和BidiFlow来提供Akka TLS支持。
尽管我们可以正常工作,但我们仍面临诊断问题的问题,例如握手异常。使用-Djavax.net.debug=ssl,handshake,failure
,我们可以在控制台中看到日志记录信息,但是实际上它是不可读的,并且客户端无法通过该日志识别问题。尝试在代码中尝试try / catches不起作用,而在调试中记录Akka则只能得到:
2018-11-07 16:31:13,607调试akka.stream.impl.io.TLSActor
系统/ StreamSupervisor-1 /流0-1
关闭输出
打开javax标志后,我们确实看到抛出了一些异常,但没有办法在代码中捕获它们,不仅用于调试目的,而且还用于在握手失败时关闭连接(显然,在握手失败后不会自动完成)握手失败)。
任何人都知道如何记录或捕获这些异常?
以下是用于管理创建TLSGraphs的代码:
object Tls {
def getGraph(tlsConfig: TlsConfig, role: TLSRole):
BidiFlow[ByteString, ByteString, ByteString, ByteString, NotUsed] = {
val sslContext = createSslContext(tlsConfig)
val firstSession = createFirstSession(sslContext, tlsConfig.clientAuth)
createGraph(sslContext, firstSession, role)
}
private def createFirstSession(sslContext: SSLContext, clientAuth: Boolean): NegotiateNewSession = {
val negotiatedSession = TLSProtocol.NegotiateNewSession
.withProtocols("TLSv1.2")
.withCipherSuites(
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
)
.withParameters(sslContext.getDefaultSSLParameters)
//.withClientAuth(TLSClientAuth.none)
negotiatedSession
}
private def createSslContext(tlsConfig: TlsConfig): SSLContext = {
val ksTrust = createKeyStore(tlsConfig.trustStoreType, tlsConfig.trustStoreFile, tlsConfig.trustStorePass)
val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
trustManagerFactory.init(ksTrust)
val ksKeys = createKeyStore(tlsConfig.keyStoreType, tlsConfig.keyStoreFile, tlsConfig.keyStorePass)
val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
keyManagerFactory.init(ksKeys, tlsConfig.keyStorePass.toCharArray)
val sslContext = SSLContext.getInstance("TLSv1.2")
sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
sslContext
}
private def createKeyStore(storeType: String, file: String, password: String): KeyStore = {
val keyStore: KeyStore = KeyStore.getInstance(storeType)
keyStore.load(new FileInputStream(file), password.toCharArray)
keyStore
}
private def createGraph(
sslContext: SSLContext,
firstSession: NegotiateNewSession,
role: TLSRole)
: BidiFlow[ByteString, ByteString, ByteString, ByteString, NotUsed] = {
val tls: BidiFlow[TLSProtocol.SslTlsOutbound, ByteString, ByteString, TLSProtocol.SslTlsInbound, NotUsed] =
TLS(sslContext, firstSession, role)
val tlsSupport: BidiFlow[ByteString, TLSProtocol.SslTlsOutbound, TLSProtocol.SslTlsInbound, ByteString, NotUsed] =
BidiFlow.fromFlows(
Flow[ByteString].map(TLSProtocol.SendBytes),
Flow[TLSProtocol.SslTlsInbound].map {
case TLSProtocol.SessionBytes(_, bytes) => bytes
case TLSProtocol.SessionTruncated =>
throw ProcessingException("TLS session truncated")
case _ =>
throw ProcessingException("Unexpected type received from TLS pipeline")
})
tlsSupport.atop(tls)
}
}