Jboss AS 6.1.0 Handshake timeout with Java7

I have a problem with SSL in Jboss 6.1.0. I use CLIENT-CERT to restrict a certain security constraint with a client certificate. I configured all the needed places (web.xml, jboss-web.xml, jboss-loggin, server.xml, jboss-service). When I start the server with JDK6 everything works fine, but when I start the server with JDK7 and try to access the security constraint I get the error "Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout". Here is the stack trace:

2014-10-16 17:39:10,184 WARN  [org.apache.coyote.http11.Http11Processor] (http-0.0.0.0-8443-2) Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout  
  at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:178) [:6.1.0.Final]  
  at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:138) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1144) [:6.1.0.Final]  
  at org.apache.coyote.Request.action(Request.java:352) [:6.1.0.Final]  
  at org.apache.catalina.connector.Request.getCertificateChain(Request.java:1112) [:6.1.0.Final]  
  at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:132) [:6.1.0.Final]  
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.1.0.Final]  
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]  
  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]  
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]  
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]  
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567) [:6.1.0.Final]  
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]  
  at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:631) [:6.1.0.Final]  
  at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:273) [:6.1.0.Final]  
  at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]  
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]  
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]  
  at java.lang.Thread.run(Thread.java:745) [:1.7.0_71]  

When I switch to clientAuth="true" or "want" it works, but with "false", accessing the security constraint with CLIENT-CERT doesn't work with JDK7. I tried to debug JSSESupport.java and saw that there is a for cycle in the handshake method; with JDK6, when it enters that cycle for the first time and reads bytes from the InputStream, a browser window is opened and requests my client certificate, but with JDK7 this doesn't happen, and the error is thrown at the end of the method because the client didn't send his certificate. Actually this browser window is opened later, and when I submit my certificate nothing happens, because the handshake is completed with a false result. I tried with Firefox, IE and Chrome and the result is the same. If someone can help me or give me advice, I would be grateful.

In our project we have a similar error coming from JBoss, but I can't remember the exact error right now. In our case we skipped it and the applications work fine.

So, I debugged more and found that with Java 7, in JSSESupport.java:178, when it tries to read the AppInputStream from the SSLSocket, nothing happens. It tries to read 60 times, and finally, if the client has not confirmed his choice of certificate, this "Handshake timeout" error is thrown; after that Tomcat checks for the certificate, and if it's not presented I get the log "No certificates included with this request", the response sends me an error with code 401 SC_UNAUTHORIZED, the process stops and my filters aren't invoked. In contrast, with Java 6, the first time it tries to read from the AppInputStream, I'm asked to choose my client certificate. I think the problem may be connected with changes in Java 7 in the security area and the implementation of SSL (TLS), or some synchronization problem with reading from this AppInputStream, because this request for the certificate comes later, after the error is thrown, but the error code is already set in the response.
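The two settings whose interaction this thread describes, shown side by side as an added configuration example (not taken from the posters' files): the connector's `clientAuth` value in server.xml and the CLIENT-CERT constraint in web.xml. Keystore paths, passwords, the URL pattern and the role name are placeholders; port 8443 comes from the stack trace above.

```xml
<!-- server.xml, variant A: reported in the question as failing on JDK7.
     No certificate is requested in the initial handshake, so hitting the
     CLIENT-CERT constraint makes the server start a second handshake on the
     open connection (JSSESupport.handShake in the stack trace). -->
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="/path/to/server.keystore" keystorePass="CHANGE_ME"
           truststoreFile="/path/to/client-ca.truststore"
           truststorePass="CHANGE_ME" />

<!-- server.xml, variant B (use instead of A, not alongside it): reported in
     the question as working. The certificate is requested during the initial
     handshake: "want" makes it optional, "true" makes it mandatory. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="/path/to/server.keystore" keystorePass="CHANGE_ME"
           truststoreFile="/path/to/client-ca.truststore"
           truststorePass="CHANGE_ME" />

<!-- web.xml: the constraint that demands the client certificate.
     /secure/* and cert-user are hypothetical names. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

With "want" or "true" the certificate request applies to every connection on this connector, not only to requests for the constrained URLs, so unauthenticated parts of the site may be better served from a separate connector.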
