Нет наборов шифров в общей Netty

Я пытался сделать взаимную аутентификацию с Netty на Java между моим сервером и клиентом.

Я уже сгенерировал сертификаты с помощью Java Keytool, следуя нескольким примерам. Я попытался вручную установить наборы шифров как на клиенте, так и на сервере. Единственный способ заставить мой код работать, это отключить аутентификацию клиента.

Вывод отладки ssl не дает мне никакой убедительной информации. Мне бы очень помогло, если бы кто-нибудь дал мне несколько советов, чтобы решить мою проблему.

Код клиента:

@Override public void initChannel(SocketChannel ch) throws Exception {
    ChannelPipeline pipeline = ch.pipeline();

    String password = "blablabla";

    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream readStream = getClass().getResourceAsStream("clientCert.jks");
    ks.load(readStream,
            password.toCharArray());

    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory
            .getDefaultAlgorithm());
    tmFactory.init(ks);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password.toCharArray());

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);

    SSLEngine sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(true);

    sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
    sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
    sslEngine.setEnableSessionCreation(true);

    pipeline.addFirst("SSL", new SslHandler(sslEngine));

    pipeline.addLast(new ProtobufVarint32FrameDecoder());
    pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
    pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
    pipeline.addLast(new ProtobufEncoder());

    // and then business logic.
    pipeline.addLast(new ServerHandlerCorrelator());
}

Код сервера:

@Override public void initChannel(SocketChannel ch) throws Exception {
    ChannelPipeline pipeline = ch.pipeline();

    String password = "blablabla";

    KeyStore ks = KeyStore.getInstance("JKS");
    // Use nettyserver.jks do client side authentication
    InputStream readStream = getClass().getResourceAsStream("serverCert.jks");
    ks.load(readStream,
            password.toCharArray());

    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory
            .getDefaultAlgorithm());
    tmFactory.init(ks);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password.toCharArray());

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), tmFactory.getTrustManagers(), null);

    SSLEngine sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(false);
    sslEngine.setNeedClientAuth(true);
    sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
    sslEngine.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
    sslEngine.setEnableSessionCreation(true);

    // Add SSL handler into pipeline
    pipeline.addFirst("SSL", new SslHandler(sslEngine));

    // Add protobuf handler into pipeline
    pipeline.addLast(new ProtobufVarint32FrameDecoder());
    pipeline.addLast(new ProtobufDecoder(Messaging.BaseMessage.getDefaultInstance()));
    pipeline.addLast(new ProtobufVarint32LengthFieldPrepender());
    pipeline.addLast(new ProtobufEncoder());

    // Add custom handler
    pipeline.addLast(new ServerHandler());
}

Журнал SSL сервера:

trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255,     246, 237, 100, 250, 62, 211 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,     SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension renegotiation_info, renegotiated_connection: <empty>
***
[write] MD5 and SHA1 hashes:  len = 84
0000: 01 00 00 50 03 03 58 2D   9E B1 20 EA 5B 60 6A 13  ...P..X-.. .[`j.
0010: F4 A6 8F AE 48 9D 4B 6C   71 A8 E6 CE 09 85 66 FF  ....H.Klq.....f.
0020: F6 ED 64 FA 3E D3 00 00   02 00 2F 01 00 00 25 00  ..d.>...../...%.
0030: 0D 00 1C 00 1A 06 03 06   01 05 03 05 01 04 03 04  ................
0040: 01 04 02 03 03 03 01 03   02 02 03 02 01 02 02 FF  ................
0050: 01 00 01 00                                        ....
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Handshake, length = 84
[write] MD5 and SHA1 hashes:  len = 47
0000: 01 03 03 00 06 00 00 00   20 00 00 2F 00 00 FF 58  ........ ../...X
0010: 2D 9E B1 20 EA 5B 60 6A   13 F4 A6 8F AE 48 9D 4B  -.. .[`j.....H.K
0020: 6C 71 A8 E6 CE 09 85 66   FF F6 ED 64 FA 3E D3     lq.....f...d.>.
nioEventLoopGroup-2-1, WRITE: SSLv2 client hello message, length = 47
[Raw write]: length = 49
0000: 80 2F 01 03 03 00 06 00   00 00 20 00 00 2F 00 00  ./........ ../..
0010: FF 58 2D 9E B1 20 EA 5B   60 6A 13 F4 A6 8F AE 48  .X-.. .[`j.....H
0020: 9D 4B 6C 71 A8 E6 CE 09   85 66 FF F6 ED 64 FA 3E  .Klq.....f...d.>
0030: D3                                                 .
6539 [nioEventLoopGroup-2-1] DEBUG one.ppdrforensics.server.comms.ServerHandlerCorrelator  - NETTY Connected to Correlator
nioEventLoopGroup-2-1, called closeOutbound()
nioEventLoopGroup-2-1, closeOutboundInternal()
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT:  warning, description = close_notify
nioEventLoopGroup-2-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-2-1, called closeInbound()
nioEventLoopGroup-2-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
nioEventLoopGroup-2-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
nioEventLoopGroup-2-1, Exception sending alert: java.io.IOException: writer side was already closed.

Журнал SSL клиента:

trigger seeding of SecureRandom
done seeding SecureRandom
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
[Raw read]: length = 5
0000: 80 2F 01 03 03                                     ./...
[Raw read]: length = 44
0000: 00 06 00 00 00 20 00 00   2F 00 00 FF 58 2D 9E B1  ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6   8F AE 48 9D 4B 6C 71 A8   .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED   64 FA 3E D3              ....f...d.>.
[read] MD5 and SHA1 hashes:  len = 3
0000: 01 03 03                                           ...
[read] MD5 and SHA1 hashes:  len = 44
0000: 00 06 00 00 00 20 00 00   2F 00 00 FF 58 2D 9E B1  ..... ../...X-..
0010: 20 EA 5B 60 6A 13 F4 A6   8F AE 48 9D 4B 6C 71 A8   .[`j.....H.Klq.
0020: E6 CE 09 85 66 FF F6 ED   64 FA 3E D3              ....f...d.>.
nioEventLoopGroup-3-1, READ:  SSL v2, contentType = Handshake, translated length = 47
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1479318961 bytes = { 32, 234, 91, 96, 106, 19, 244, 166, 143, 174, 72, 157, 75, 108, 113, 168, 230, 206, 9, 133, 102, 255,     246, 237, 100, 250, 62, 211 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
nioEventLoopGroup-3-1, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
nioEventLoopGroup-3-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-3-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify:     possible truncation attack?
0    [nioEventLoopGroup-3-1] ERROR one.ppdrforensics.correlator.comms.ServerHandler  - [exceptionCaught] Exception     javax.net.ssl.SSLHandshakeException: no cipher suites in common
nioEventLoopGroup-3-1, called closeOutbound()
nioEventLoopGroup-3-1, closeOutboundInternal()
nioEventLoopGroup-3-1, called closeInbound()
nioEventLoopGroup-3-1, closeInboundInternal()

1 ответ

Не могли бы вы отладить, используя параметр -Djavax.net.debug=ssl:all? Это даст больше информации о SSLhandshake. Пожалуйста, обратите внимание на тип сертификата клиента и сервера. Это сертификат DSA или RSA? Проблема Java "нет общих наборов шифров" при попытке безопасного подключения к серверу

Другие вопросы по тегам