SSL connection refused with NEED_WRAP

Current situation. There are 2 nodes on the same internal network (let's call them Bus and Broker). The internal CA has signed a request made 2 weeks ago. This signed certificate has been inserted correctly into the Broker's "keystore" as well as the Bus's "truststore". It has been verified that both nodes' software use the appropriate stores.

When trying to set up a secure connection using JMS (or AMQP), the Bus's output is as follows:

TID: [] [] [2021-06-16 11:47:08,949] ERROR {org.wso2.andes.transport.network.mina.MinaNetworkHandler} -  Exception caught by Mina {org.wso2.andes.transport.network.mina.MinaNetworkHandler}
javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP

The error on the broker side is:

ERROR {org.wso2.andes.transport.network.mina.MinaNetworkHandler} -  Exception caught by Mina but without protocol engine to handle it
java.lang.NullPointerException

Things we've excluded so far:

  • The certificate is valid, as well as its chain (and it is still before the expiry date)
  • The serial numbers of the entries in the truststore and keystore match
  • The passwords used on the software to decrypt the entries are correct
  • The actual correct stores are in use (there is another key in the store matching another service which does work)
  • The keystore entry is for the exact right domain (and has 2 alternatives)
  • The duplicates of the certificates were all removed from the truststore

The verification of the certificates using openssl tooling was also done. The MD5 hashes of the CRT/Key/CSR all match.

Any hint/clue is appreciated.

So, with the help of support, we figured it out. If not explicitly mentioned in the broker configuration for the broker profile, the broker will fall back to TLS 1.0. In Java version 1.8.0_292, TLS 1.0 and 1.1 have been deprecated, resulting in an illegal protocol for communication.

It was solved by adding the following line to the broker config:

<sslEnabledProtocols>TLSv1.2</sslEnabledProtocols>

Add this in the sslConnection tag under broker.xml.
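A small configuration check for the failure mode described in this answer, added here as an example and not part of the original post or of the WSO2 product: it parses a broker.xml, and for every sslConnection element reports a missing sslEnabledProtocols (which, per the answer, means a fallback to TLS 1.0) or any deprecated protocol that is still listed. The sample XML is constructed; the placement of sslEnabledProtocols inside sslConnection is taken from the answer, the surrounding elements are an assumption, not the real schema.

```python
"""Lint broker.xml sslConnection blocks for deprecated TLS versions (added example)."""
import xml.etree.ElementTree as ET

# Protocol names that JDK 8u292+ rejects as deprecated (plus SSLv3 for completeness).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: no sslEnabledProtocols, so the broker falls back to TLS 1.0.
# The wrapping elements are assumed; only sslConnection/sslEnabledProtocols is from the answer.
WEAK_BROKER_XML = """<broker>
  <sslConnection enabled="true">
    <keyStore><location>PLACEHOLDER/keystore.jks</location></keyStore>
  </sslConnection>
</broker>"""

# Constructed sample with the fix from the answer applied.
FIXED_BROKER_XML = """<broker>
  <sslConnection enabled="true">
    <keyStore><location>PLACEHOLDER/keystore.jks</location></keyStore>
    <sslEnabledProtocols>TLSv1.2</sslEnabledProtocols>
  </sslConnection>
</broker>"""


def lint_ssl_protocols(xml_text):
    """Return a list of findings for the given broker.xml text; [] means all OK."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("sslConnection"):
        node = conn.find("sslEnabledProtocols")
        text = (node.text or "").strip() if node is not None else ""
        if not text:
            findings.append("sslEnabledProtocols missing: broker falls back to TLS 1.0")
            continue
        protos = {p.strip() for p in text.split(",") if p.strip()}
        bad = sorted(protos & DEPRECATED)
        if bad:
            findings.append("deprecated protocol(s) enabled: " + ", ".join(bad))
        if not protos & MODERN:
            findings.append("no modern protocol (TLSv1.2/TLSv1.3) enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BROKER_XML), ("fixed", FIXED_BROKER_XML)):
        print(name, lint_ssl_protocols(cfg) or ["OK"])
```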
