我现在正尝试使用双向SSL握手设置Netty,其中客户端和服务器都存在并验证证书。
这似乎没有在SslHandler中实现。有没有人这样做?我想它会进入SslHandler.handshake操作并被委托给javax.net.ssl.SSLEngine?
任何提示/提示/预先存在的实施?
谢谢!
ANSWER(stackoverflow不会让我以正常的方式发布它)我发现如果我在设置我的SslHandler之前在SSLEngine对象上设置了needClientAuth标志,那就解决了这个问题!
答案 0 :(得分:11)
这是基于netty项目中的HttpSnoop服务器示例的解决方案。
设置客户端管道时,必须按如下方式设置ssl引擎:
public ChannelPipeline getPipeline() throws Exception {
// Create a default pipeline implementation.
ChannelPipeline pipeline = pipeline();
// Uncomment the following line if you want HTTPS
SSLEngine engine = SecureChatSslContextFactory.getServerContext().createSSLEngine();
engine.setUseClientMode(false);
engine.setNeedClientAuth(true);
pipeline.addLast("ssl", new SslHandler(engine));
pipeline.addLast("decoder", new HttpRequestDecoder());
pipeline.addLast("logger", new RequestAuditLogger());
// Uncomment the following line if you don't want to handle HttpChunks.
pipeline.addLast("aggregator", new HttpChunkAggregator(1048576));
pipeline.addLast("outputLogger", new ResponseAuditLogger());
pipeline.addLast("encoder", new HttpResponseEncoder());
// Remove the following line if you don't want automatic content compression.
pipeline.addLast("deflater", new HttpContentCompressor());
pipeline.addLast("handler", new HttpSnoopServerHandler());
return pipeline;
}
}
然后,除了密钥库(SecureChatSslContextFactory)之外,还必须按如下方式修改SSLContext以设置信任存储:
public final class SecureChatSslContextFactory {
private static Logger logger = LoggerFactory.getLogger(SecureChatSslContextFactory.class);
private static final String PROTOCOL = "TLS";
private static final SSLContext SERVER_CONTEXT;
private static final SSLContext CLIENT_CONTEXT;
static {
SSLContext serverContext = null;
SSLContext clientContext = null;
// get keystore and trustore locations and passwords
String keyStoreLocation = System.getProperty("javax.net.ssl.keyStore");
String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
String trustStoreLocation = System.getProperty("javax.net.ssl.trustStore");
String trustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
try {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(KeyStoreStreamManager.asInputStream(keyStoreLocation),
keyStorePassword.toCharArray());
// Set up key manager factory to use our key store
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyStorePassword.toCharArray());
// truststore
KeyStore ts = KeyStore.getInstance("JKS");
ts.load(KeyStoreStreamManager.asInputStream(trustStoreLocation),
trustStorePassword.toCharArray());
// set up trust manager factory to use our trust store
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);
// Initialize the SSLContext to work with our key managers.
serverContext = SSLContext.getInstance(PROTOCOL);
serverContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
throw new Error(
"Failed to initialize the server-side SSLContext", e);
}
try {
clientContext = SSLContext.getInstance(PROTOCOL);
clientContext.init(null, SecureChatTrustManagerFactory.getTrustManagers(), null);
} catch (Exception e) {
throw new Error(
"Failed to initialize the client-side SSLContext", e);
}
SERVER_CONTEXT = serverContext;
CLIENT_CONTEXT = clientContext;
}
public static SSLContext getServerContext() {
return SERVER_CONTEXT;
}
public static SSLContext getClientContext() {
return CLIENT_CONTEXT;
}
private SecureChatSslContextFactory() {
// Unused
}
}
答案 1 :(得分:6)
而不是设置SSLEngine使用nettys SslContext来创建新的SslHandler。基本上,您可以通过传递SslContext来创建新的KeyManagerFactory,如下所示
SslContext sslContext = SslContextBuilder.forServer(keyManagerFactory).build();
然后使用创建的SslContext获取ChannelPipeline的处理程序。
ChannelPipeline.addLast(“ssl”,sslContext.newHandler(socketChannel.alloc()));
答案 2 :(得分:4)
SslContext现在支持相互身份验证(目前仅适用于JDK提供商,但OpenSSL即将提供支持)。请参阅newClientContext和newServerContext,它们现在都支持使用TrustManagerFactory和KeyManagerFactory。这些静态工厂方法还支持直接获取证书,密钥和证书链文件,以便为您构建TrustManagerFactory和KeyManagerFactory。
有关如何要求客户端身份验证(对于JDK提供程序)的示例,请参阅JdkSslEngineTest。