SSLEngine documentation指示如何正确关闭 SSL 连接。更具体地说,它提供了有关如何处理断开的连接的说明:
In addition to orderly shutdowns, there can also be unorderly shutdowns in which the transport link is severed before close messages are exchanged. In the previous examples, the application might get -1 when trying to read or write to the non-blocking SocketChannel. When you get to the end of your input data, you should call engine.closeInbound(), which will verify with the SSLEngine that the remote peer has closed cleanly from the SSL/TLS perspective, and then the application should still try to shutdown cleanly by using the procedure above.
基本上,如果链接被切断,应该调用engine.closeInbound()。但是,此 closeInbound() 的文档方法表示如果在从对等方接收到正确的关闭消息之前调用它,它将抛出异常。在我看来,如果连接被切断,则永远不会收到此 close_notify 消息,因此此方法将始终抛出该异常。
我做了测试,做了一个简单的关闭程序,其中 socketChannel.read() 返回 -1,我调用 engine.closeInbound() 我确实得到了以下异常:
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
我错过了什么?文档的这两部分不是自相矛盾吗?
最佳答案
我不认为文档的这两部分相互矛盾。
When you get to the end of your input data, you should call engine.closeInbound()
这适用于完全关闭和切断的连接。当连接被切断时将抛出异常(即如果您在收到 close_notify 之前调用它)。
如果收到 close_notify(或者如果连接根本没有启动),则不会抛出此异常。
我不太确定你是如何进行简单的关机测试的,但你应该先从另一端发送 close_notify(使用 closeOutbound(),例如)。在这种情况下,您不应该在收到 close_notify 之前从 socketChannel.read() 收到 -1(这样您就不会收到异常)。
(以防万一,之前有一个 similar question on SSLSocket。)
关于java - SSLEngine 关闭,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23110427/