java - Netty socket SSLHandshakeException WRONG_VERSION_NUMBER

Tags: java ssl socket.io netty boringssl

I'm having a problem using certificates on a Netty pipeline. The Netty pipeline is run by Spring, but SSL is only part of the Netty portion.
For dependencies, I'm using netty and boringssl:

    <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <scope>compile</scope>
        <version>4.1.70.Final</version>
    </dependency>
    <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-tcnative-boringssl-static</artifactId>
        <version>2.0.45.Final</version>
    </dependency>

I start my pipeline by adding the SslHandler:

    @Override
    protected void initChannel(Channel ch) {
        // Add the TLS handler only when SSL is enabled in the configuration
        if (sslProperties.isSecured())
            ch.pipeline().addLast("ssl-handler", getSslHandler(ch));
    }

The handler is obtained from this function:

    protected SslHandler getSslHandler(Channel ch) {
        try {
            final SslContext sslCtx = sslService.getSslContext();
            // Create a handler that uses the channel's buffer allocator
            return sslCtx.newHandler(ch.alloc());
        } catch (IOException e) {
            log.debug("Failed to establish Ssl Context", e);
            ch.writeAndFlush("Failed to establish SSH Context");
            ch.close();
        }
        return null;
    }

And finally the context is built:

    public SslContext getSslContext() throws SSLException {
        PrivateKey privateKey = getPrivateKey();
        X509Certificate[] certChain = getCertificateChain();
        try {
            // Client-mode context using the OpenSSL (BoringSSL) provider
            return SslContextBuilder.forClient()
                    .sslProvider(SslProvider.OPENSSL)
                    .protocols("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
                    // InsecureTrustManagerFactory trusts every certificate without verification
                    .trustManager(InsecureTrustManagerFactory.INSTANCE)
                    .keyManager(privateKey, certChain)
                    .build();
        } catch (IOException e) {
            log.warn("Failed to establish Ssl Context");
            log.debug("Failed to establish Ssl Context", e);
            throw e;
        }
    }

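The PrivateKey and CertChain are constructed correctly, but as soon as the client tries to connect for the first time, I get

    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

I have had this working in the past, connecting to a separate server, and it worked fine then. The channel is being initialized, and it crashes when trying to read from the socket. It doesn't hit my try/catch and only reports the stack trace below.
I know that I'm currently dealing with TLSv1.3; before this, I don't know specifically what was being used. Also, I was using JDK 1.8 when I discovered this issue, and I'm currently using JDK 17. I've noticed some mentions that not all versions of 1.8 support TLSv1.3.
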
2021-11-10 08:41:47,218 ERROR [nioEventLoopGroup-2-1] com.test.router.nio.pipeline.handler.InboundClientCompleteHandler: Exception Caught from inbound-client-complete-handler
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.handler.traffic.GlobalChannelTrafficShapingHandler.channelRead(GlobalChannelTrafficShapingHandler.java:573)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.needWrapAgain(ReferenceCountedOpenSslEngine.java:1334)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1351)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1296)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1383)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1426)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:222)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
    at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1246)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
    ... 25 common frames omitted
2021-11-10 08:41:47,218 DEBUG [nioEventLoopGroup-2-1] com.test.router.pipeline.handler.decoder.EventDecoder: Caught Exception in EventDecoder: 
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.handler.traffic.GlobalChannelTrafficShapingHandler.channelRead(GlobalChannelTrafficShapingHandler.java:573)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.needWrapAgain(ReferenceCountedOpenSslEngine.java:1334)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1351)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1296)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1383)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1426)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:222)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1342)
    at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1246)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286)
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
    ... 25 common frames omitted

Best answer

Does the server you are connecting to use Server Name Indication (SNI)? If you have not enabled SNI on the client, you will sometimes get javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER and a similar stack trace.
To enable SNI, you need to change:

    protected SslHandler getSslHandler(Channel ch) {
        try {
            final SslContext sslCtx = sslService.getSslContext();
            return sslCtx.newHandler(ch.alloc());
        } catch (IOException e) {
            log.debug("Failed to establish Ssl Context", e);
            ch.writeAndFlush("Failed to establish SSH Context");
            ch.close();
        }
        return null;
    }

to:

    protected SslHandler getSslHandler(Channel ch, String host, int port) {
        try {
            final SslContext sslCtx = sslService.getSslContext();
            // Passing the peer host and port lets the client send SNI
            return sslCtx.newHandler(ch.alloc(), host, port);
        } catch (IOException e) {
            log.debug("Failed to establish Ssl Context", e);
            ch.writeAndFlush("Failed to establish SSH Context");
            ch.close();
        }
        return null;
    }
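
The following is an added example, not code from the question or the answer: a client-side initializer that sends SNI through `newHandler(alloc, host, port)`, turns on host name verification, and reports handshake failures from the handshake future, since those are raised on the event loop rather than thrown where the handler is created. The class name `SniClientInitializer` and its fields are hypothetical, and it assumes the platform default trust store instead of `InsecureTrustManagerFactory`.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Hypothetical client initializer; class and field names are illustrative. */
public class SniClientInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslCtx;
    private final String host;   // name sent in the SNI extension
    private final int port;
    public SniClientInitializer(String host, int port) throws SSLException {
        this.host = host;
        this.port = port;
        // No trustManager(...) call: the platform default trust store is used.
        this.sslCtx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .protocols("TLSv1.2", "TLSv1.3")
                .build();
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Passing host and port makes the engine send SNI for that host.
        SslHandler ssl = sslCtx.newHandler(ch.alloc(), host, port);
        // Also verify that the server certificate matches the host name.
        SSLEngine engine = ssl.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        ch.pipeline().addFirst("ssl-handler", ssl);

        // Handshake errors arrive asynchronously on the event loop, so a
        // try/catch around handler creation never sees them; observe them here.
        ssl.handshakeFuture().addListener(f -> {
            if (f.isSuccess()) {
                System.out.println("TLS up: " + engine.getSession().getProtocol());
            } else {
                System.err.println("TLS handshake failed: " + f.cause());
                ch.close();
            }
        });
    }
}
```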

Regarding java - Netty socket SSLHandshakeException WRONG_VERSION_NUMBER, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69905690/
