java - 在 cxf 和 IIS 之间进行客户端身份验证的 ssl 导致 SocketException 和 SocketTimeoutException

标签 java ssl cxf

因此,过去几天我一直在努力解决 Tomcat6/Camel/Cxf 到 IIS6 之间的双向 ssl 设置。

快速概述:我有一个 cxf 消费者在 Tomcat 的 Camel 中运行,它调用 IIS 上由第三方托管的网络服务。第三方使用的是“有效”证书,而我们使用的是自签名证书。 IIS 配置为需要客户端身份验证。

我已经正确配置了 cxf,并且正在执行相互身份验证。

我需要解决一些问题才能到达那里:

  • allowUnsafeRenegotiation=true
  • https.protocols=TLSv1(否则 java 会在握手过程中发送 SSLv2 客户端问候)
  • 删除我从大多数 CXF 示例中复制的默认密码套件过滤器,它太严格了

所有证书、防火墙设置等都是正确的,因为我能够使用 curl 调用第三方并且我得到有效的 SOAP 响应。

问题:从我的应用程序发送 SOAP POST 消息时出现超时异常

查看 ssl 调试日志有一些奇怪的错误(我试图删除所有不必要的东西):

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-9203-1, setSoTimeout(120000) called
%% No cached client session
*** ClientHello, TLSv1
http-9203-1, WRITE: TLSv1 Handshake, length = 111
http-9203-1, READ: TLSv1 Handshake, length = 2454
*** ServerHello, TLSv1
RandomCookie:  GMT: 1354816328 bytes = { 63, 194, 181, 182, 56, 251, 234, 198, 234, 92, 162, 175, 243, 127, 133, 182, 0, 237, 102, 9, 37, 133, 141, 3, 175, 120, 34, 92 }
Session ID:  {36, 10, 0, 0, 166, 131, 36, 81, 251, 181, 83, 154, 76, 240, 235, 82, 39, 135, 239, 235, 231, 195, 17, 225, 220, 59, 105, 207, 116, 185, 114, 172}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
***
Found trusted certificate:
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
http-9203-1, WRITE: TLSv1 Handshake, length = 262
http-9203-1, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 124, 172, 175, 239, 103, 187, 134, 164, 206, 241, 145, 41 }
***
http-9203-1, WRITE: TLSv1 Handshake, length = 32
http-9203-1, READ: TLSv1 Change Cipher Spec, length = 1
http-9203-1, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 84, 207, 104, 255, 19, 151, 27, 11, 159, 84, 124, 216 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
[read] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 54 CF 68 FF   13 97 1B 0B 9F 54 7C D8  ....T.h......T..
Padded plaintext before ENCRYPTION:  len = 365
0000: 50 4F 53 54 20 2F 69 73   61 2E 64 6C 6C 2F 41 43  POST /isa.dll/AC
http-9203-1, WRITE: TLSv1 Application Data, length = 365
Padded plaintext before ENCRYPTION:  len = 1200
0000: 3C 73 6F 61 70 3A 45 6E   76 65 6C 6F 70 65 20 78  <soap:Envelope x
http-9203-1, WRITE: TLSv1 Application Data, length = 1200
default-workqueue-1, READ: TLSv1 Handshake, length = 20

这是第一次没有客户端身份验证的握手(因为 IIS 使用重新协商来获取客户端证书)。请注意,已经进行了第一次发布 SOAP 消息的尝试(这正常吗?)。

Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: false
Is secure renegotiation: false
*** HelloRequest (empty)
Warning: continue with insecure renegotiation
%% Client cached [Session-1, SSL_RSA_WITH_RC4_128_MD5]
%% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_MD5] from port 58460
*** ClientHello, TLSv1
default-workqueue-1, WRITE: TLSv1 Handshake, length = 159
default-workqueue-1, READ: TLSv1 Handshake, length = 5416
*** ServerHello, TLSv1
%% Created:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
***
Found trusted certificate:
*** CertificateRequest
*** ServerHelloDone
matching alias: servercert
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
default-workqueue-1, WRITE: TLSv1 Handshake, length = 909
*** CertificateVerify
default-workqueue-1, WRITE: TLSv1 Handshake, length = 150
[Raw write]: length = 155
default-workqueue-1, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 242, 160, 100, 95, 172, 14, 166, 71, 158, 148, 220, 42 }
***
default-workqueue-1, WRITE: TLSv1 Handshake, length = 32
default-workqueue-1, READ: TLSv1 Change Cipher Spec, length = 17
default-workqueue-1, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 115, 32, 183, 236, 113, 63, 144, 117, 126, 132, 150, 67 }
***
%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
default-workqueue-1, handling exception: java.net.SocketException: Connection reset
%% Invalidated:  [Session-2, SSL_RSA_WITH_RC4_128_MD5]
default-workqueue-1, SEND TLSv1 ALERT:  fatal, description = unexpected_message
default-workqueue-1, WRITE: TLSv1 Alert, length = 18
default-workqueue-1, Exception sending alert: java.net.SocketException: Broken pipe
default-workqueue-1, called closeSocket()
default-workqueue-1, called close()
default-workqueue-1, called closeInternal(true)

第二次握手将客户端证书发送到服务器,我删除了详细的日志记录,但已找到并确定了证书。如您所见,此握手已经以错误结束(没有任何时间延迟)。

Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
default-workqueue-1, setSoTimeout(120000) called
%% No cached client session
*** ClientHello, TLSv1
default-workqueue-1, WRITE: TLSv1 Handshake, length = 111                                      
default-workqueue-1, READ: TLSv1 Handshake, length = 2454
*** ServerHello, TLSv1
Warning: No renegotiation indication extension in ServerHello
%% Created:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
***
Found trusted certificate:
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
default-workqueue-1, WRITE: TLSv1 Handshake, length = 262
... no IV used for this cipher
default-workqueue-1, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 130, 65, 225, 31, 41, 14, 21, 42, 102, 176, 151, 245 }
***
default-workqueue-1, WRITE: TLSv1 Handshake, length = 32
default-workqueue-1, READ: TLSv1 Change Cipher Spec, length = 1
default-workqueue-1, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data:  { 125, 78, 165, 103, 115, 60, 111, 169, 180, 174, 0, 169 }
***
%% Cached client session: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
default-workqueue-1, WRITE: TLSv1 Application Data, length = 365
default-workqueue-1, handling exception: java.net.SocketTimeoutException: Read timed out
default-workqueue-1, called close()
default-workqueue-1, called closeInternal(true)
default-workqueue-1, SEND TLSv1 ALERT:  warning, description = close_notify
default-workqueue-1, WRITE: TLSv1 Alert, length = 18

然后执行第三次握手(正常?),再次完成 SOAP 消息的 POST(写入申请日期)。在那次 POST 之后,日志记录一直等到套接字超时到期(我已经将其设置为 2 分钟或 10 秒,没有区别),之后我得到 SocketTimeoutException。我尝试切换到 SSLv3 或 2,但结果完全相同。

知道是什么导致了这种行为吗?

最佳答案

如果有人遇到过同样的问题,this最终为我解决了。我要求我们的第三方将此标志设置为 true,因为我们只相互通信,这应该不是问题。将标志设置为 true 会禁用重新协商,从而跳过 ssl 设置中出错的部分。

关于java - 在 cxf 和 IIS 之间进行客户端身份验证的 ssl 导致 SocketException 和 SocketTimeoutException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17201805/

上一篇:GWT SSL 连接

下一篇:Spring Security HTTPS拦截url访问

相关文章:

java - Gradle 依赖项不是在 Gradle 缓存中创建的吗?

java - 设置和获取 HTTP header 的最佳选项是什么?使用 Apache CXF 拦截器或过滤器

当值为 'true' 或 'false' 时,JSON 提供程序构建错误的字符串字段

java - 关于字节数组异或运算的字符串长度

java - 软件如何引用硬盘上的文件

使用 TortoiseHG https 模式克隆时出现 SSL 版本错误

php - 使用 SSL 从 PHP 发送电子邮件以及在 outlook 的接收端需要什么配置

apache-flex - 在 flex/air 中使用 ssl 调用具有不受信任证书的 Web 服务

在 Azure 中部署时 Java SpringBoot 构建失败 - 无法执行 objective-c om.microsoft.azure :azure-webapp-maven-plugin:1. 1.0:deploy

java - 如何将文件添加到 android 中的 java 应用程序以便获取它的路径?

©2024 IT工具网  联系我们