间歇性SSL握手错误
[英]Intermittent SSL handshake error
问题描述
We have an issue with SSL and I am 99% this is not your usual certificates trust store merry-go-round. 
我们有SSL的问题,我99%这不是你通常的证书信任商店旋转木马。
We have a Weblogic server trying to make SSL connections to Active Directory via LDAPS, underlying SSL implementation is the JSSE. 我们有一个Weblogic服务器尝试通过LDAPS与Active Directory建立SSL连接,底层SSL实现是JSSE。
Some of the time, it works. 有些时候,它的工作原理。 Usually for a few hours after restarting Weblogic. 通常在重启Weblogic后的几个小时。
After which we start getting SSL Handshake errors, with SSL debug turned on we see: 之后我们开始获取SSL握手错误,启用SSL调试后,我们看到:
[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)', handling exception: java.net.SocketException: Connection reset [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)', SEND TLSv1 ALERT: fatal, description = unexpected_message [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Alert, length = 32 [ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)', Exception sending alert: java.net.SocketException: Broken pipe
So far I have tried the following to understand/replicate it: 到目前为止,我已尝试以下方法来理解/复制它:
- Connecting via OpenSSL with the certs loaded - works OK every time 通过OpenSSL连接加载的证书 - 每次都可以正常工作
- Connecting via secure ldapsearch with the certs loaded - works OK every time 通过安全的ldapsearch连接加载的证书 - 每次都可以正常工作
- Connecting via a custom test Java client - works OK every time 通过自定义测试Java客户端连接 - 每次都可以正常工作
- Decrypting the SSL handshake with Wireshark and the private key. 使用Wireshark和私钥解密SSL握手。
What I noticed with Wireshark for the "bad" hand shake, is that after the client sends a Change Cipher Spec, Finished message AD does not reply in kind. 我注意到Wireshark的“坏”握手,就是在客户端发送Change Cipher Spec之后,完成的消息AD没有以实物形式回复。 More so, Wireshark cannot decrypt the SSL handshake, failing with: 更重要的是,Wireshark无法解密SSL握手,但失败了:
ssl_decrypt_pre_master_secret wrong pre_master_secret length (109, expected 48) dissect_ssl3_handshake can't decrypt pre master secret
Note Wireshark SSL decryption works perfectly when the SSL handshake works perfectly. 注意当SSL握手完美运行时,Wireshark SSL解密工作正常。
I can't see any significant differences in the good and bad SSL handshakes, until the point where the AD server does not respond. 在AD服务器没有响应的那一点上,我看不出好的和坏的SSL握手有任何显着差异。
At this point I'm stumped... I'm really struggling to understand why this would fail for some of the time and work the rest, at this point I am really just hoping for some suggestions as to what might be going on. 在这一点上,我很难过......我真的很难理解为什么这会在某些时候失败而其余的工作,此时我真的只是希望能提出一些可能会发生什么的建议。
Oh yes, almost forgot. 哦,是的,差点忘了。 There is an error in the Active Directory Event log: Active Directory事件日志中存在错误:
Event ID: 36888 The following fatal alert was raised: 20. The state of the internal error is 960.
Which, after a bit of research I managed to discover corresponds to an SSL "BAD_RECORD_MAC" error. 经过一些研究,我设法发现对应于SSL“BAD_RECORD_MAC”错误。
The only theory I have at this point, is that for some reason the wrong public key is being used to encrypt the handshake... I can't see otherwise why the server (and Wireshark) would fail to decrypt the finished message. 我此时唯一的理论是,由于某种原因,错误的公钥被用于加密握手...我无法看到为什么服务器(和Wireshark)无法解密完成的消息。
Thanks! 谢谢!
Updates: 更新:
I've compared the bad and good cases, the cipher spec in both cases is the same: TLS_RSA_WITH_AES_128_CBC_SHA. 我比较了坏的和好的情况,两种情况下的密码规范是相同的:TLS_RSA_WITH_AES_128_CBC_SHA。 I have also compared the packets from both the client and server side, barring the normal Ethernet and IP protocol differences they are all seemingly identical. 我还比较了来自客户端和服务器端的数据包,除了正常的以太网和IP协议差异,它们看起来都是相同的。
2 个解决方案
解决方案1
4 已采纳 2012-09-17 08:38:47
So after a great deal of research, experimentation and soul searching. 经过大量的研究,实验和灵魂搜索。 We eventually tracked this issue down to a third party library we were using to connect to an external system. 我们最终将此问题跟踪到我们用于连接外部系统的第三方库。 Which upon initialization would add itself as a security provider ahead of the JSSE default provider. 在初始化时,它会在JSSE默认提供程序之前将其自身添加为安全提供程序。 I don't know exactly why this then went on to break all subsequent SSL connections... but it did. 我不确切地知道为什么然后继续打破所有后续的SSL连接......但它确实如此。
Thanks for your help. 谢谢你的帮助。
解决方案2
0 2012-08-14 20:29:27
From what I understand, you have the problems intermittent. 据我所知,你有间歇性的问题。 That is you can connect to AD via SSL but occasionally you notice this error. 也就是说,您可以通过SSL连接到AD,但有时您会注意到此错误。 So I guess certificate issues Error LDAPS are not your problem. 所以我猜证书问题错误LDAPS不是你的问题。
From your description I can only think of the following: 根据您的描述,我只能想到以下内容:
First of all you are not giving much actual details here but your comment: 首先,你不是在这里提供太多实际细节,而是你的评论:
Note Wireshark SSL decryption works perfectly when the SSL handshake works perfectly.
Gives me a hint that the ciphersuites is different in the bad case. 给我一个提示,密码套件在坏情况下是不同的。 Note that wireshark is not able to decrypt a connection over a key generated by DHE despite if you have the private key. 请注意,即使您拥有私钥,wireshark也无法通过DHE生成的密钥解密连接。
So you should look in your investigation if the ciphersuites are indeed different in the bad and good case (eg RSA vs DHE). 因此,如果密码套件在坏的和好的情况下确实不同(例如RSA与DHE),那么您应该查看您的调查。
Additionally the way you describe this, it seems like the problem occurs during a renegotiation. 此外,您的描述方式似乎在重新协商期间出现问题。 Perhaps renegotiation is disabled and you can enable it? 也许重新协商已禁用,您可以启用它吗? It has been considered unsafe and can be configured generally in servers 它被认为是不安全的,通常可以在服务器中配置
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.