我想使用TLS 1.3与HiveMQ进行安全通信。我已配置HiveMQ社区版服务器config.xml文件以指定使用TLS 1.3密码套件,并将其指向包含使用该曲线的256位椭圆曲线密钥(EC NOT DSA)的密钥对的密钥库。 :secp256r1(这是TLS 1.3支持的几条曲线之一)。 256位密钥对适用于我要使用的TLS 1.3密码套件:TLS_AES_128_GCM_SHA256。我还为TLS_AES_256_GCM_SHA384生成了一个384位椭圆曲线密钥,但是我只关注TLS_AES_128_GCM_SHA256,因为如果我使AES 128有效,则AES 256套件将起作用。我已经为两个密钥对生成了证书,并将它们都放在cacerts的{{1}}文件中。我仍然收到javax.net.ssl.SSLHandshakeException:
JAVA HOME Folder
我已经尝试使用以下TLS 1.2密码套件:javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify(具有适当的证书),并且可以正常工作,因此没有出现任何问题,因此看来此问题专门针对TLS 1.3。我的项目在TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256中。我注意到,虽然HiveMQ服务器识别TLSv1.3,但它启用了TLSv1.2协议,但没有说它启用了任何TLSv1.3密码套件。我是否需要以某种方式在HiveMQ中手动启用TLSv1.3密码套件,因为即使指定了特定协议,该套件看起来也没有启用?我在下面留下了服务器控制台输出的副本以及Java代码和异常。
更新:我已指定客户端使用Java 12.0.1中的.protocols()方法使用TLS1.3。我尝试将密码套件sslConfig手动添加到config.xml文件中,但是这次我收到SSL异常错误。更新的输出和异常如下。我怀疑HiveMQ正在过滤出我要使用的密码套件。我尝试创建SSL引擎作为测试,并使用了TLS_AES_128_GCM_SHA256和.getEnabledCipherSuites(),它说我的JVM支持TLS1.3密码套件以及TLS1.3协议本身。
HiveMQ服务器控制台输出(来自getSupportedCipherSuites()中启用了DEBUG的run.sh文件):
logback.xmlJava代码:
2019-07-06 12:06:42,394 INFO - Starting HiveMQ Community Edition Server
2019-07-06 12:06:42,398 INFO - HiveMQ version: 2019.1
2019-07-06 12:06:42,398 INFO - HiveMQ home directory: /Users/chigozieasikaburu/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1
2019-07-06 12:06:42,508 INFO - Log Configuration was overridden by /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/conf/logback.xml
2019-07-06 12:06:42,619 DEBUG - Reading configuration file /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/conf/config.xml
2019-07-06 12:06:42,838 DEBUG - Adding TCP Listener with TLS of type TlsTcpListener on bind address 0.0.0.0 and port 8883.
2019-07-06 12:06:42,839 DEBUG - Setting retained messages enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting wildcard subscriptions enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting subscription identifier enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting shared subscriptions enabled to true
2019-07-06 12:06:42,839 DEBUG - Setting maximum qos to EXACTLY_ONCE
2019-07-06 12:06:42,840 DEBUG - Setting topic alias enabled to true
2019-07-06 12:06:42,840 DEBUG - Setting topic alias maximum per client to 5
2019-07-06 12:06:42,840 DEBUG - Setting the number of max queued messages per client to 1000 entries
2019-07-06 12:06:42,841 DEBUG - Setting queued messages strategy for each client to DISCARD
2019-07-06 12:06:42,841 DEBUG - Setting the expiry interval for client sessions to 4294967295 seconds
2019-07-06 12:06:42,841 DEBUG - Setting the expiry interval for publish messages to 4294967296 seconds
2019-07-06 12:06:42,841 DEBUG - Setting the server receive maximum to 10
2019-07-06 12:06:42,841 DEBUG - Setting keep alive maximum to 65535 seconds
2019-07-06 12:06:42,841 DEBUG - Setting keep alive allow zero to true
2019-07-06 12:06:42,842 DEBUG - Setting the maximum packet size for mqtt messages 268435460 bytes
2019-07-06 12:06:42,842 DEBUG - Setting global maximum allowed connections to -1
2019-07-06 12:06:42,842 DEBUG - Setting the maximum client id length to 65535
2019-07-06 12:06:42,842 DEBUG - Setting the timeout for disconnecting idle tcp connections before a connect message was received to 10000 milliseconds
2019-07-06 12:06:42,842 DEBUG - Throttling the global incoming traffic limit 0 bytes/second
2019-07-06 12:06:42,842 DEBUG - Setting the maximum topic length to 65535
2019-07-06 12:06:42,843 DEBUG - Setting allow server assigned client identifier to true
2019-07-06 12:06:42,843 DEBUG - Setting validate UTF-8 to true
2019-07-06 12:06:42,843 DEBUG - Setting payload format validation to false
2019-07-06 12:06:42,843 DEBUG - Setting allow-problem-information to true
2019-07-06 12:06:42,843 DEBUG - Setting anonymous usage statistics enabled to false
2019-07-06 12:06:42,845 INFO - This HiveMQ ID is JAzWT
2019-07-06 12:06:43,237 DEBUG - Using disk-based Publish Payload Persistence
2019-07-06 12:06:43,259 DEBUG - 1024.00 MB allocated for qos 0 inflight messages
2019-07-06 12:06:45,268 DEBUG - Initializing payload reference count and queue sizes for client_queue persistence.
2019-07-06 12:06:45,690 DEBUG - Diagnostic mode is disabled
2019-07-06 12:06:46,276 DEBUG - Throttling incoming traffic to 0 B/s
2019-07-06 12:06:46,277 DEBUG - Throttling outgoing traffic to 0 B/s
2019-07-06 12:06:46,321 DEBUG - Set extension executor thread pool size to 4
2019-07-06 12:06:46,321 DEBUG - Set extension executor thread pool keep-alive to 30 seconds
2019-07-06 12:06:46,336 DEBUG - Building initial topic tree
2019-07-06 12:06:46,395 DEBUG - Started JMX Metrics Reporting.
2019-07-06 12:06:46,491 INFO - Starting HiveMQ extension system.
2019-07-06 12:06:46,536 DEBUG - Starting extension with id "hivemq-file-rbac-extension" at /Users/someuser/git/IoT-HiveMqtt-Community-Edition/build/zip/hivemq-ce-2019.1/extensions/hivemq-file-rbac-extension
2019-07-06 12:06:46,558 INFO - Starting File RBAC extension.
2019-07-06 12:06:46,795 INFO - Extension "File Role Based Access Control Extension" version 4.0.0 started successfully.
2019-07-06 12:06:46,818 INFO - Enabled protocols for TCP Listener with TLS at address 0.0.0.0 and port 8883: [TLSv1.3]
2019-07-06 12:06:46,819 INFO - Enabled cipher suites for TCP Listener with TLS at address 0.0.0.0 and port 8883: []
2019-07-06 12:06:46,823 WARN - Unknown cipher suites for TCP Listener with TLS at address 0.0.0.0 and port 8883: [TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]
2019-07-06 12:06:46,827 INFO - Starting TLS TCP listener on address 0.0.0.0 and port 8883
2019-07-06 12:06:46,881 INFO - Started TCP Listener with TLS on address 0.0.0.0 and on port 8883
2019-07-06 12:06:46,882 INFO - Started HiveMQ in 4500ms
2019-07-06 12:10:32,396 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:10:38,967 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:23:29,721 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:23:35,990 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:24:17,436 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
2019-07-06 12:24:29,160 DEBUG - SSL Handshake failed for client with IP UNKNOWN: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
异常(使用Ssl调试工具:-Djavax.net.debug = ssl):
Mqtt5BlockingClient subscriber = Mqtt5Client.builder()
.identifier(UUID.randomUUID().toString()) // the unique identifier of the MQTT client. The ID is randomly generated between
.serverHost("localhost") // the host name or IP address of the MQTT server. Kept it localhost for testing. localhost is default if not specified.
.serverPort(8883) // specifies the port of the server
.addConnectedListener(context -> ClientConnectionRetreiver.printConnected("Subscriber1")) // prints a string that the client is connected
.addDisconnectedListener(context -> ClientConnectionRetreiver.printDisconnected("Subscriber1")) // prints a string that the client is disconnected
.sslConfig()
.cipherSuites(Arrays.asList("TLS_AES_128_GCM_SHA256"))
.applySslConfig()
.buildBlocking(); // creates the client builder
subscriber.connectWith() // connects the client
.simpleAuth()
.username("user1")
.password("somepassword".getBytes())
.applySimpleAuth()
.send();
答案 0 :(得分:0)
似乎您必须在服务器和客户端中都将协议设置为“ TLSv1.3”。
客户:
...
.sslConfig()
.cipherSuites(Arrays.asList("TLS_AES_128_GCM_SHA256"))
.protocols(Arrays.asList("TLSv1.3"))
.applySslConfig()
...
HiveMQ:
<tls-tcp-listener>
<tls>
...
<protocols>
<protocol>TLSv1.3</protocol>
</protocols>
<cipher-suites>
<cipher-suite>TLS_AES_128_GCM_SHA256</cipher-suite>
</cipher-suites>
...
</tls>
</tls-tcp-listener>
答案 1 :(得分:0)