Java Jetty 日志中的 SSL_NULL_WITH_NULL_NULL 密码套件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18080996/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSL_NULL_WITH_NULL_NULL cipher suite in in Jetty logs
提问by Laurent Caillette
I'm using Jetty with HTTPS and a valid certificate, and I'm not sure to get it right because cipher suite appears to be SSL_NULL_WITH_NULL_NULLin server logs. Client logs look good, however.
我将 Jetty 与 HTTPS 和有效证书一起使用,但我不确定是否正确,因为密码套件似乎SSL_NULL_WITH_NULL_NULL在服务器日志中。但是,客户端日志看起来不错。
The long story: I'm attaching a Java sample expecting Jetty-7.6.10 and two scripts to create both keystore and truststore.
长话短说:我附上了一个 Java 示例,期望使用 Jetty-7.6.10 和两个脚本来创建密钥库和信任库。
JettyHttpsForStackOverflowruns client and server, together, or separately to deintricate the logs.
JettyHttpsForStackOverflow一起或单独运行客户端和服务器以消除日志的复杂性。
The create-chains.shscript creates the keystore and the truststore. The keystore contains a chain ending by a root certificate authority generated from a transient keystore. It replicates a real-world case with a certification authority and intermediate certificates.
该create-chains.sh脚本创建密钥库和信任库。密钥库包含一个由临时密钥库生成的根证书颁发机构结尾的链。它使用证书颁发机构和中间证书复制了一个真实案例。
The create-single-autosigned.shscript creates the keystore and the truststore, too, but with a self-signed certificate.
该create-single-autosigned.sh脚本也创建密钥库和信任库,但使用自签名证书。
Please note that SSL_NULL_WITH_NULL_NULLappears as the server's cipher suite with both certificate chains.
请注意,它SSL_NULL_WITH_NULL_NULL显示为带有两个证书链的服务器密码套件。
I think there is no problem with the server domain name. I get the same problem with a server running on a machine with a domain name matching the distinguished name in a properly-signed certificate. SSLLab confirmed that SSL on my server works fine (grade B), and Google Chrome connects happily.
我认为服务器域名没有问题。我在一台机器上运行的服务器遇到了同样的问题,该机器的域名与正确签名的证书中的专有名称相匹配。SSLLab 确认我服务器上的 SSL 工作正常(B 级),并且 Google Chrome 连接愉快。
I think there is no problem with Jetty client. As I'm using it, it just calls the SSLContextFactoryI'm setting up to create an SSLSocket. Amazingly, in Jetty client logs, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAappears to be the cipher suite in use.
我认为Jetty客户端没有问题。当我使用它时,它只是调用SSLContextFactory我正在设置以创建一个SSLSocket. 令人惊讶的是,在 Jetty 客户端日志中,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA似乎是正在使用的密码套件。
Is it normal to get SSL_NULL_WITH_NULL_NULLin Jetty server logs? If not, how to get that thing right?
SSL_NULL_WITH_NULL_NULL进入Jetty服务器日志正常吗?如果没有,如何正确处理?
create-single-autosigned.sh
创建单自动签名.sh
#!/bin/bash
rm their-keystore.jks 2> /dev/null
rm my-keystore.jks 2> /dev/null
rm my-truststore.jks 2> /dev/null
echo "===================================================="
echo "Creating fake third-party chain ca2 -> ca1 -> ca ..."
echo "===================================================="
keytool -genkeypair -alias ca -dname cn=ca \
-validity 10000 -keyalg RSA -keysize 2048 \
-ext BasicConstraints:critical=ca:true,pathlen:10000 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass
keytool -genkeypair -alias ca1 -dname cn=ca1 \
-validity 10000 -keyalg RSA -keysize 2048 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass
keytool -genkeypair -alias ca2 -dname cn=ca2 \
-validity 10000 -keyalg RSA -keysize 2048 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass
keytool -certreq -alias ca1 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -gencert -alias ca \
-ext KeyUsage:critical=keyCertSign \
-ext SubjectAlternativeName=dns:ca1 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -alias ca1 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass
#echo "Debug exit" ; exit 0
keytool -certreq -alias ca2 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -gencert -alias ca1 \
-ext KeyUsage:critical=keyCertSign \
-ext SubjectAlternativeName=dns:ca2 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -alias ca2 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass
keytool -list -v -storepass Storepass -keystore their-keystore.jks
echo "===================================================================="
echo "Fake third-party chain generated. Now generating my-keystore.jks ..."
echo "===================================================================="
read -p "Press a key to continue."
# Import authority's certificate chain
keytool -exportcert -alias ca \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -trustcacerts -noprompt -alias ca \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
keytool -exportcert -alias ca1 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias ca1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
keytool -exportcert -alias ca2 \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias ca2 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
# Create our own certificate, the authority signs it.
keytool -genkeypair -alias e1 -dname cn=e1 \
-validity 10000 -keyalg RSA -keysize 2048 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
keytool -certreq -alias e1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -gencert -alias ca2 \
-ext SubjectAlternativeName=dns:localhost,ip:127.0.0.1 \
-ext KeyUsage:critical=keyEncipherment,digitalSignature \
-ext ExtendedKeyUsage=serverAuth,clientAuth \
-keystore their-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -alias e1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
keytool -list -v -storepass Storepass -keystore my-keystore.jks
echo "================================================="
echo "Keystore generated. Now generating truststore ..."
echo "================================================="
read -p "Press a key to continue."
keytool -exportcert -alias ca \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -trustcacerts -noprompt -alias ca \
-keystore my-truststore.jks -keypass Keypass -storepass Storepass
keytool -exportcert -alias ca1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias ca1 \
-keystore my-truststore.jks -keypass Keypass -storepass Storepass
keytool -exportcert -alias ca2 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias ca2 \
-keystore my-truststore.jks -keypass Keypass -storepass Storepass
keytool -exportcert -alias e1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias e1 \
-keystore my-truststore.jks -keypass Keypass -storepass Storepass
keytool -list -v -storepass Storepass -keystore my-truststore.jks
rm their-keystore.jks 2> /dev/null
create-single-autosigned.sh
创建单自动签名.sh
#!/bin/bash
rm my-keystore.jks 2> /dev/null
rm my-truststore.jks 2> /dev/null
keytool -genkeypair -alias e1 -dname cn=e1 \
-validity 10000 -keyalg RSA -keysize 2048 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass
keytool -list -v -storepass Storepass -keystore my-keystore.jks
echo "================================================="
echo "Keystore generated. Now generating truststore ..."
echo "================================================="
read -p "Press a key to continue."
keytool -exportcert -alias e1 \
-keystore my-keystore.jks -keypass Keypass -storepass Storepass \
| keytool -importcert -noprompt -alias e1 \
-keystore my-truststore.jks -keypass Keypass -storepass Storepass
keytool -list -v -storepass Storepass -keystore my-truststore.jks
JettyHttpsForStackOverflow.java
JettyHttpsForStackOverflow.java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.client.ContentExchange;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/**
* Code sample for Jetty {@link HttpClient} with HTTPS, in a completely standalone fashion.
* Use create-chains.sh and create-empty.sh to generate completely standalone certificates.
*/
public class JettyHttpsForStackOverflow {
public static void main( final String... arguments ) throws Exception {
System.setProperty( "javax.net.debug", "all" ) ;
try {
if( arguments.length == 0 || "server".equals( arguments[ 0 ] ) ) {
runServer() ;
}
if( arguments.length == 0 || "client".equals( arguments[ 0 ] ) ) {
runClient() ;
}
} catch( Exception e ) {
e.printStackTrace() ;
System.exit( 1 ) ; // Avoids keeping the port open.
}
}
private static void runServer() throws Exception {
final KeyStore keyStore = loadKeystore() ;
final SSLContext sslContext = createSslContext(
keyStore,
KEYPASS,
newTrustManagers( keyStore, CERTIFICATE_ALIAS )
) ;
final SslContextFactory sslContextFactory = new SslContextFactory() {
@Override
public SSLEngine newSslEngine() {
return sslContext.createSSLEngine() ;
}
@Override
public SSLEngine newSslEngine( final String host, final int port ) {
return sslContext.createSSLEngine( host, port ) ;
}
} ;
sslContextFactory.setAllowRenegotiate( true ) ;
sslContextFactory.setNeedClientAuth( false ) ;
sslContextFactory.setWantClientAuth( false ) ;
sslContextFactory.setKeyStorePath( keyStore.toString() ) ; // Better logging.
sslContextFactory.setKeyStore( keyStore ) ;
sslContextFactory.setCertAlias( CERTIFICATE_ALIAS ) ;
sslContextFactory.setKeyManagerPassword( KEYPASS ) ;
final SslSelectChannelConnector sslConnector =
new SslSelectChannelConnector( sslContextFactory ) ;
sslConnector.setPort( PORT ) ;
sslConnector.open() ;
final Server jettyServer = new Server() ;
jettyServer.addConnector( sslConnector ) ;
jettyServer.start() ;
}
public static void runClient() throws Exception {
final KeyStore keyStore = loadTruststore() ;
final HttpClient httpClient = new HttpClient() ;
httpClient.getSslContextFactory().setKeyStore( keyStore ) ; // Better logging.
httpClient.getSslContextFactory().setKeyStorePassword( "storepwd" ) ;
httpClient.getSslContextFactory().setKeyManagerPassword( KEYPASS ) ;
httpClient.setConnectorType( HttpClient.CONNECTOR_SELECT_CHANNEL ) ;
httpClient.setConnectorType(HttpClient.CONNECTOR_SOCKET);
// Don't need that because shipping our own certificate in the truststore.
// Anyways, it blows when set to true.
// httpClient.getSslContextFactory().setValidateCerts( false ) ;
httpClient.start() ;
final ContentExchange contentExchange = new ContentExchange() ;
contentExchange.setURI( new URL( "https://localhost:" + PORT ).toURI() ) ;
contentExchange.setTimeout( 36_000_000 ) ; // Leave time for debugging.
httpClient.send( contentExchange ) ;
contentExchange.waitForDone() ;
assert( contentExchange.getStatus() == ContentExchange.STATUS_COMPLETED ) ;
}
private static SSLContext createSslContext(
final KeyStore keyStore,
final String keypass,
final TrustManager[] trustManagers
) {
try {
final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( "SunX509" ) ;
keyManagerFactory.init( keyStore, keypass == null ? null : keypass.toCharArray() ) ;
final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers() ;
final SecureRandom secureRandom = new SecureRandom() ;
final SSLContext sslContext = SSLContext.getInstance( "TLS" ) ;
sslContext.init(
keyManagers,
trustManagers,
secureRandom
) ;
return sslContext ;
} catch( NoSuchAlgorithmException | UnrecoverableKeyException | KeyStoreException
| KeyManagementException e
) {
throw new RuntimeException( e ) ;
}
}
private static TrustManager[] newTrustManagers(
final KeyStore keyStore,
final String certificateAlias
) {
try {
final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( "SunX509" ) ;
trustManagerFactory.init( keyStore ) ;
final TrustManager[] trustManagers ;
if( certificateAlias == null ) {
trustManagers = trustManagerFactory.getTrustManagers() ;
} else {
final Certificate certificate = keyStore.getCertificate( certificateAlias ) ;
final X509Certificate[] x509Certificates ;
if( certificate == null ) {
x509Certificates = new X509Certificate[ 0 ] ;
} else {
x509Certificates = new X509Certificate[] { ( X509Certificate ) certificate } ;
}
trustManagers = new TrustManager[] { newX509TrustManager( x509Certificates ) } ;
}
return trustManagers ;
} catch( KeyStoreException | NoSuchAlgorithmException e ) {
throw new RuntimeException( e );
}
}
private static final TrustManager newX509TrustManager( final X509Certificate[] certificates ) {
return new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return certificates ;
}
public void checkClientTrusted(
final X509Certificate[] certs,
final String authType
) { ; }
public void checkServerTrusted(
final X509Certificate[] certs,
final String authType
) { ; }
} ;
}
public static KeyStore loadKeystore()
throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException
{
return loadKeystore( KEYSTORE_RESOURCE_URL ) ;
}
public static KeyStore loadTruststore()
throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException
{
return loadKeystore( TRUSTSTORE_RESOURCE_URL ) ;
}
public static KeyStore loadKeystore( final URL keystoreResourceUrl )
throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException
{
try( final InputStream inputStream = keystoreResourceUrl.openStream() ) {
final KeyStore keyStore = KeyStore.getInstance( "JKS" ) ;
// We don't need the storepass for just reading one password-protected certificate
// of our own, or a trusted entry.
keyStore.load( inputStream, null ) ;
return keyStore ;
}
}
private static final int PORT = 8443 ;
private static final String CERTIFICATE_ALIAS = "e1";
private static final String KEYPASS = "Keypass";
private static final URL KEYSTORE_RESOURCE_URL
= JettyHttpsForStackOverflow.class.getResource( "my-keystore.jks" ) ;
private static final URL TRUSTSTORE_RESOURCE_URL
= JettyHttpsForStackOverflow.class.getResource( "my-truststore.jks" ) ;
}
采纳答案by Laurent Caillette
It turns out that SslConnectionin Jetty-7.6.10.v20130312 logs incorrectly, while ciphering happens as it should.
事实证明,SslConnection在 Jetty-7.6.10.v20130312 中日志不正确,而加密却按原样进行。
Long story: when created, the SslConnectionextracts the initial SSLSessionobject from the SSLEngineand keeps logging with it. Initial SSLSessionhas a SSL_NULL_WITH_NULL_NULLcipher and that's normal because SSL handshake hasn't happened yet. Activating -Djavax.net.debug=allshows that handshake really occurs, and interactive debugging shows that SSLEngineupgrades to an SSLSessionwith a real cipher. The problem is just Jetty's SslConnectionthat still logs with initial SSLSessionobject. (It also uses values from initial SSLSessionto allocate buffers but that's another problem.)
长话短说:创建时,从 中SslConnection提取初始SSLSession对象SSLEngine并继续记录。InitialSSLSession有一个SSL_NULL_WITH_NULL_NULL密码,这是正常的,因为 SSL 握手还没有发生。激活-Djavax.net.debug=all表明握手确实发生了,交互式调试表明SSLEngine升级到SSLSession一个真正的密码。问题只是 JettySslConnection仍然使用初始SSLSession对象记录。(它还使用初始值SSLSession来分配缓冲区,但这是另一个问题。)
Patching SslConnectionfor logging with _engine.getSession()gives expected result.
修补SslConnection日志记录_engine.getSession()给出了预期的结果。
Epilogue: Jetty 9 completely rewrites its SslConnection.
结语:Jetty 9 完全重写了它的SslConnection.
回答by user207421
You will see this under at least the following circumstances:
您至少会在以下情况下看到这一点:
You have modified the
enabledCipherSuitesto include all the supported cipher suites. (Don't!)The SSL handshake is not yet complete.
您已修改
enabledCipherSuites以包含所有支持的密码套件。(别!)SSL 握手尚未完成。
