使用Akka BidiFlow通过TLS进行TCP

时间:2018-12-05 12:38:28

标签: java scala akka tls1.2 akka-stream

我们正在尝试使用BidiFlow在Akka中添加对Tcp的TLS支持。我们设法建立了连接并传递消息,但是,握手中似乎有一些我们无法理解的部分。

显然,我们在代码中所做的限制(例如TLSv1.2和4个特定的密码套件)不适用于握手级别,但是在不遵守这些限制的情况下尝试传递消息时确实会看到错误。这意味着TLSv1客户端可以连接到我们的TLSv1.2服务器(我们在日志中仅看到closing output),但是不会通知客户端该协议不受支持(与不受支持的密码套件相同);消息不通过。

在TLS分析期间,所有工具报告的服务器好像都支持TLSv1,v1.1等,而我们只希望v1.2

我们发现,真正限制连接的唯一方法是在jdk的java.security文件中添加过滤器。

这是预期的行为吗?

以下是执行协商的代码:

object Tls {

  def getGraph(tlsConfig: TlsConfig, role: TLSRole):
  BidiFlow[ByteString, ByteString, ByteString, ByteString, NotUsed] = {
    val sslContext = createSslContext(tlsConfig)
    val firstSession = createFirstSession(sslContext)
    createGraph(sslContext, firstSession, role)
  }

  private def createFirstSession(sslContext: SSLContext): NegotiateNewSession = {
    val negotiatedSession = TLSProtocol.NegotiateNewSession
      .withProtocols("TLSv1.2")
      .withCipherSuites(
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
      )
      .withParameters(sslContext.getDefaultSSLParameters)

    negotiatedSession
  }

  private def createSslContext(tlsConfig: TlsConfig): SSLContext = {
    val ksTrust = createKeyStore(tlsConfig.trustStoreType, tlsConfig.trustStoreFile, tlsConfig.trustStorePass)
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    trustManagerFactory.init(ksTrust)

    val ksKeys = createKeyStore(tlsConfig.keyStoreType, tlsConfig.keyStoreFile, tlsConfig.keyStorePass)
    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    keyManagerFactory.init(ksKeys, tlsConfig.keyStorePass.toCharArray)

    val sslContext = SSLContext.getInstance("TLSv1.2")
    sslContext.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
    sslContext
  }

  private def createKeyStore(storeType: String, file: String, password: String): KeyStore = {
    val keyStore: KeyStore = KeyStore.getInstance(storeType)
    keyStore.load(new FileInputStream(file), password.toCharArray)
    keyStore
  }

  private def createGraph(
                           sslContext: SSLContext,
                           firstSession: NegotiateNewSession,
                           role: TLSRole)
  : BidiFlow[ByteString, ByteString, ByteString, ByteString, NotUsed] = {

    val tls: BidiFlow[TLSProtocol.SslTlsOutbound, ByteString, ByteString, TLSProtocol.SslTlsInbound, NotUsed] =
      TLS(sslContext, firstSession, role)

    val tlsSupport: BidiFlow[ByteString, TLSProtocol.SslTlsOutbound, TLSProtocol.SslTlsInbound, ByteString, NotUsed] =
      BidiFlow.fromFlows(
        Flow[ByteString].map(TLSProtocol.SendBytes),
        Flow[TLSProtocol.SslTlsInbound].map {
          case TLSProtocol.SessionBytes(_, bytes) => bytes
          case TLSProtocol.SessionTruncated =>
            throw ProcessingException("TLS session truncated")
          case _ =>
            throw ProcessingException("Unexpected type received from TLS pipeline")
        })

    tlsSupport.atop(tls)
  }
}

0 个答案:

没有答案
相关问题
最新问题