私は、サーバーとクライアントの間でNetty on Javaとの相互認証を試みました。共通のNettyの暗号スイートがありません
私はすでにjava keytoolを使用していくつかの例を使って証明書を生成しています。クライアントとサーバーの両方で手動で暗号スイートを設定しようとしました。クライアント認証をオフにすると、コードを正常に動作させることができます。
sslのデバッグ出力では、決定的な情報は得られません。私の問題を解決するために誰かが私にいくつかの指針を与えることができれば、それは私を大きく助けるでしょう。
クライアントコード:
@Override public void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline pipeline = ch.pipeline();
String password = "blablabla";
KeyStore ks = KeyStore.getInstance("JKS");
InputStream readStream = getClass().getResourceAsStream("clientCert.jks");
ks.load(readStream,
password.toCharArray());
TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory
.getDefaultAlgorithm());
tmFactory.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(true);
sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
sslEngine.setEnableSessionCreation(true);
pipeline.addFirst("SSL", new SslHandler(sslEngine));
pipeline.addLast(new ProtobufVarint32FrameDecoder());
pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
pipeline.addLast(new ProtobufEncoder());
// and then business logic.
pipeline.addLast(new ServerHandlerCorrelator());
}
Serverコード:
@Override public void initChannel(SocketChannel ch) throws Exception {
ChannelPipeline pipeline = ch.pipeline();
String password = "blablabla";
KeyStore ks = KeyStore.getInstance("JKS");
// Use nettyserver.jks do client side authentication
InputStream readStream = getClass().getResourceAsStream("serverCert.jks");
ks.load(readStream,
password.toCharArray());
TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory
.getDefaultAlgorithm());
tmFactory.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(true);
sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
sslEngine.setEnableSessionCreation(true);
// Add SSL handler into pipeline
pipeline.addFirst("SSL", new SslHandler(sslEngine));
// Add protobuf handler into pipeline
pipeline.addLast(new ProtobufVarint32FrameDecoder());
pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
pipeline.addLast(new ProtobufEncoder());
// Add custom handler
pipeline.addLast(new ServerHandler());
}
サーバのSSLログイン:
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255, 246, 237, 100, 250, 62, 211 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes: len = 84
0000: 01 00 00 50 03 03 58 2D 9E B1 20 EA 5B 60 6A 13 ...P..X-.. .[`j.
0010: F4 A6 8F AE 48 9D 4B 6C 71 A8 E6 CE 09 85 66 FF ....H.Klq.....f.
0020: F6 ED 64 FA 3E D3 00 00 02 00 2F 01 00 00 25 00 ..d.>...../...%.
0030: 0D 00 1C 00 1A 06 03 06 01 05 03 05 01 04 03 04 ................
0040: 01 04 02 03 03 03 01 03 02 02 03 02 01 02 02 FF ................
0050: 01 00 01 00 ....
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 84
[write] MD5 and SHA1 hashes: len = 47
0000: 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 FF 58 ........ ../...X
0010: 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B -.. .[`j.....H.K
0020: 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 lq.....f...d.>.
nioEventLoopGroup-2-1, WRITE: SSLv2 client hello message, length = 47
[Raw write]: length = 49
0000: 80 2F 01 03 03 00 06 00 00 00 20 00 00 2F 00 00 ./........ ../..
0010: FF 58 2D 9E B1 20 EA 5B 60 6A 13 F4 A6 8F AE 48 .X-.. .[`j.....H
0020: 9D 4B 6C 71 A8 E6 CE 09 85 66 FF F6 ED 64 FA 3E .Klq.....f...d.>
0030: D3 .
6539 [nioEventLoopGroup-2-1] DEBUG one.ppdrforensics.server.comms.ServerHandlerCorrelator - NETTY Connected to Correlator
nioEventLoopGroup-2-1, called closeOutbound()
nioEventLoopGroup-2-1, closeOutboundInternal()
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: warning, description = close_notify
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-2-1, called closeInbound()
nioEventLoopGroup-2-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
nioEventLoopGroup-2-1, Exception sending alert: java.io.IOException: writer side was already closed.
クライアントのSSLログ:
trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
[Raw read]: length = 5
0000: 80 2F 01 03 03 ./...
[Raw read]: length = 44
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 ....f...d.>.
[read] MD5 and SHA1 hashes: len = 3
0000: 01 03 03 ...
[read] MD5 and SHA1 hashes: len = 44
0000: 00 06 00 00 00 20 00 00 2F 00 00 FF 58 2D 9E B1 ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6 8F AE 48 9D 4B 6C 71 A8 .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED 64 FA 3E D3 ....f...d.>.
nioEventLoopGroup-3-1, READ: SSL v2, contentType = Handshake, translated length = 47
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255, 246, 237, 100, 250, 62, 211 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
nioEventLoopGroup-3-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
0 [nioEventLoopGroup-3-1] ERROR one.ppdrforensics.correlator.comms.ServerHandler - [exceptionCaught] Exception javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, closeInboundInternal()
あなたの主な問題は、「共通の暗号スイートはありません」です。どのようなクライアント/サーバーソフトウェア/ Javaバージョンを使用していますか? – Robert
私は、同じマシン上でクライアントとサーバーの両方を実行しようとしています。 Javaは1.8_102、Nettyは4.1.4です。 –