2016-11-17 17 views
0

私は、サーバーとクライアントの間でNetty on Javaとの相互認証を試みました。共通のNettyの暗号スイートがありません

私はすでにjava keytoolを使用していくつかの例を使って証明書を生成しています。クライアントとサーバーの両方で手動で暗号スイートを設定しようとしました。クライアント認証をオフにすると、コードを正常に動作させることができます。

sslのデバッグ出力では、決定的な情報は得られません。私の問題を解決するために誰かが私にいくつかの指針を与えることができれば、それは私を大きく助けるでしょう。

クライアントコード:

@Override public void initChannel(SocketChannel ch) throws Exception { 
    ChannelPipeline pipeline = ch.pipeline(); 

    String password = "blablabla"; 

    KeyStore ks = KeyStore.getInstance("JKS"); 
    InputStream readStream = getClass().getResourceAsStream("clientCert.jks"); 
    ks.load(readStream, 
      password.toCharArray()); 

    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory 
      .getDefaultAlgorithm()); 
    tmFactory.init(ks); 

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    kmf.init(ks, password.toCharArray()); 

    SSLContext sslContext = SSLContext.getInstance("TLS"); 
    sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null); 

    SSLEngine sslEngine = sslContext.createSSLEngine(); 
    sslEngine.setUseClientMode(true); 

    sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols()); 
    sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"}); 
    sslEngine.setEnableSessionCreation(true); 

    pipeline.addFirst("SSL", new SslHandler(sslEngine)); 

    pipeline.addLast(new ProtobufVarint32FrameDecoder()); 
    pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance())); 
    pipeline.addLast(new ProtobufVarint32LengthFieldPrepender()); 
    pipeline.addLast(new ProtobufEncoder()); 

    // and then business logic. 
    pipeline.addLast(new ServerHandlerCorrelator()); 
} 

Serverコード:

@Override public void initChannel(SocketChannel ch) throws Exception { 
    ChannelPipeline pipeline = ch.pipeline(); 

    String password = "blablabla"; 

    KeyStore ks = KeyStore.getInstance("JKS"); 
    // Use nettyserver.jks do client side authentication 
    InputStream readStream = getClass().getResourceAsStream("serverCert.jks"); 
    ks.load(readStream, 
      password.toCharArray()); 

    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory 
      .getDefaultAlgorithm()); 
    tmFactory.init(ks); 

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    kmf.init(ks, password.toCharArray()); 

    SSLContext sslContext = SSLContext.getInstance("TLS"); 
    sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null); 

    SSLEngine sslEngine = sslContext.createSSLEngine(); 
    sslEngine.setUseClientMode(false); 
    sslEngine.setNeedClientAuth(true); 
    sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols()); 
    sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"}); 
    sslEngine.setEnableSessionCreation(true); 

    // Add SSL handler into pipeline 
    pipeline.addFirst("SSL", new SslHandler(sslEngine)); 

    // Add protobuf handler into pipeline 
    pipeline.addLast(new ProtobufVarint32FrameDecoder()); 
    pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance())); 
    pipeline.addLast(new ProtobufVarint32LengthFieldPrepender()); 
    pipeline.addLast(new ProtobufEncoder()); 

    // Add custom handler 
    pipeline.addLast(new ServerHandler()); 
} 

サーバのSSLログイン:

trigger seeding of SecureRandom 
done seeding SecureRandom 
Using SSLEngineImpl. 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring disabled protocol: SSLv3 
%% No cached client session 
*** ClientHello, TLSv1.2 
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255,  246, 237, 100, 250, 62, 211 } 
Session ID: {} 
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA] 
Compression Methods: { 0 } 
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,  SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA 
Extension renegotiation_info, renegotiated_connection: <empty> 
*** 
[write] MD5 and SHA1 hashes: len = 84 
0000: 01 00 00 50 03 03 58 2D 9E B1 20 EA 5B 60 6A 13 ...P..X-.. .[`j. 
0010: F4 A6 8F AE 48 9D 4B 6C 71 A8 E6 CE 09 85 66 FF ....H.Klq.....f. 
0020: F6 ED 64 FA 3E D3 00 00 02 00 2F 01 00 00 25 00 ..d.>...../...%. 
0030: 0D 00 1C 00 1A 06 03 06 01 05 03 05 01 04 03 04 ................ 
0040: 01 04 02 03 03 03 01 03 02 02 03 02 01 02 02 FF ................ 
0050: 01 00 01 00          .... 
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 84 
[write] MD5 and SHA1 hashes: len = 47 
0000: 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 FF 58 ........ ../...X 
0010: 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B -.. .[`j.....H.K 
0020: 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E D3  lq.....f...d.>. 
nioEventLoopGroup-2-1, WRITE: SSLv2 client hello message, length = 47 
[Raw write]: length = 49 
0000: 80 2F 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 ./........ ../.. 
0010: FF 58 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 .X-.. .[`j.....H 
0020: 9D 4B 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E .Klq.....f...d.> 
0030: D3             . 
6539 [nioEventLoopGroup-2-1] DEBUG one.ppdrforensics.server.comms.ServerHandlerCorrelator - NETTY Connected to Correlator 
nioEventLoopGroup-2-1, called closeOutbound() 
nioEventLoopGroup-2-1, closeOutboundInternal() 
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: warning, description = close_notify 
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2 
nioEventLoopGroup-2-1, called closeInbound() 
nioEventLoopGroup-2-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack? 
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description = internal_error 
nioEventLoopGroup-2-1, Exception sending alert: java.io.IOException: writer side was already closed. 

クライアントのSSLログ:

trigger seeding of SecureRandom 
done seeding SecureRandom 
Using SSLEngineImpl. 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring disabled protocol: SSLv3 
[Raw read]: length = 5 
0000: 80 2F 01 03 03          ./... 
[Raw read]: length = 44 
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-.. 
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq. 
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3    ....f...d.>. 
[read] MD5 and SHA1 hashes: len = 3 
0000: 01 03 03           ... 
[read] MD5 and SHA1 hashes: len = 44 
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-.. 
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq. 
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3    ....f...d.>. 
nioEventLoopGroup-3-1, READ: SSL v2, contentType = Handshake, translated length = 47 
*** ClientHello, TLSv1.2 
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255,  246, 237, 100, 250, 62, 211 } 
Session ID: {} 
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
*** 
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL] 
nioEventLoopGroup-3-1, fatal error: 40: no cipher suites in common 
javax.net.ssl.SSLHandshakeException: no cipher suites in common 
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL] 
nioEventLoopGroup-3-1, SEND TLSv1.2 ALERT: fatal, description = handshake_failure 
nioEventLoopGroup-3-1, WRITE: TLSv1.2 Alert, length = 2 
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common 
nioEventLoopGroup-3-1, called closeOutbound() 
nioEventLoopGroup-3-1, closeOutboundInternal() 
nioEventLoopGroup-3-1, called closeInbound() 
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify:  possible truncation attack? 
0 [nioEventLoopGroup-3-1] ERROR one.ppdrforensics.correlator.comms.ServerHandler - [exceptionCaught] Exception  javax.net.ssl.SSLHandshakeException: no cipher suites in common 
nioEventLoopGroup-3-1, called closeOutbound() 
nioEventLoopGroup-3-1, closeOutboundInternal() 
nioEventLoopGroup-3-1, called closeInbound() 
nioEventLoopGroup-3-1, closeInboundInternal() 
+0

あなたの主な問題は、「共通の暗号スイートはありません」です。どのようなクライアント/サーバーソフトウェア/ Javaバージョンを使用していますか? – Robert

+0

私は、同じマシン上でクライアントとサーバーの両方を実行しようとしています。 Javaは1.8_102、Nettyは4.1.4です。 –

答えて

0

-Djavax.net.debug = ssl:all parameter enableを使用してデバッグしてください。 SSLハンドシェイクに関する詳細情報を提供します。クライアントとサーバー証明書のタイプを探してください。彼らはDSAかRSA証明書ですか? Java "no cipher suites in common" issue when trying to securely connect to server

+0

投稿した最後の2つのコードは、-Djavax.net.debug = ssl:allパラメータを使用するログです。 RSAを使用して証明書を生成しました。 –

関連する問題