[英]debug ssl connection issues using GRPC Java client and NodeJS server
我正在嘗試在Mac OS上使用GRPC將Java客戶端連接到NodeJS服務器。 盡管我可以使用相同的證書將示例JS客戶端連接到NodeJS服務器,但始終遇到ssl握手問題。 關於如何進一步調試的任何想法:
服務器日志:
chttp2_server.c:123] Handshaking failed: {"created":"@1489747510.536841000","description":"Handshake read failed","file":"../src/core/lib/security/transport/security_handshaker.c","file_line":238,"referenced_errors":[{"created":"@1489747510.536836000","description":"Socket closed","fd":27,"file":"../src/core/lib/iomgr/tcp_posix.c","file_line":249,"target_address":"ipv4:127.0.0.1:61964"}]}
客戶
public class Connection implements IConnection {
private static final Logger log = LogManager.getLogger(Connection.class.getName());
private final String host;
private final int port;
public Connection(String host, int port) {
this.host = host;
this.port = port;
}
/*public ManagedChannelBuilder getInsecure() {
return ManagedChannelBuilder.forAddress(host, port)
.usePlaintext(true);
}*/
public ManagedChannelBuilder getSecure() {
ManagedChannelBuilder<?> channelBuilder = null;
Optional<SslContext> optional = getSslContext();
if (optional.isPresent()) {
final SslContext sslContext = optional.get();
log.info("building channel for connection");
channelBuilder = NettyChannelBuilder.forAddress(host, port)
.overrideAuthority("localhost")
.negotiationType(NegotiationType.TLS)
.usePlaintext(false)
.sslContext(sslContext);
}
return channelBuilder;
}
private Optional<SslContext> getSslContext() {
SslContext sslContext = null;
Optional<ICertificateRepository> optional = getCertificates();
if (optional.isPresent()) {
final ICertificateRepository certificateRepo = optional.get();
final File publicCert = certificateRepo.getPublicCert();
final File clientCert = certificateRepo.getClientCert();
final File clientKey = certificateRepo.getClientKey();
try {
java.security.Security.addProvider(
new org.bouncycastle.jce.provider.BouncyCastleProvider()
);
log.info("attempting to create the ssl context");
sslContext = GrpcSslContexts.forClient()
.startTls(true)
.sslProvider(defaultSslProvider())
.trustManager(publicCert)
.keyManager(clientCert, clientKey)
.ciphers(null) //testing
.build();
} catch (SSLException se) {
log.error("ssl exception before connection attempt {}", se);
}
}
Optional<SslContext> sslOptional = Optional.ofNullable(sslContext);
return sslOptional;
}
private Optional<ICertificateRepository> getCertificates() {
ICertificateRepository certificateRepo = null;
try {
certificateRepo = new CertificateRepository();
log.info("path: {} | {} | {}", certificateRepo.getPublicCert().getAbsolutePath(),
certificateRepo.getPublicCert().exists(), certificateRepo.getPublicCert().isFile());
log.info("clientCert: {} | {}", certificateRepo.getClientCert().getAbsolutePath(),
certificateRepo.getClientCert().exists());
log.info("clientKey: {} | {}", certificateRepo.getClientKey().getAbsolutePath(),
certificateRepo.getClientKey().exists());
} catch (Exception fe) {
log.error("unable to read SSL certificates in keys directory");
}
Optional<ICertificateRepository> optional = Optional.ofNullable(certificateRepo);
return optional;
}
private static SslProvider defaultSslProvider() {
log.info("is OpenSsl available: {}", OpenSsl.isAvailable());
return OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
}
}
證書文件位置正確,並且證書存儲庫創建為:
public CertificateRepository() {
final ClassLoader classLoader = getClass().getClassLoader();
try {
this.publicCert = new File(classLoader.getResource(
new StringBuilder(MonetagoProps.BASE_DIR_FOR_CERTS)
.append(TestProps.CERT_NAME)
.toString()).getFile());
this.clientCert = new File(classLoader.getResource(
new StringBuilder(MonetagoProps.BASE_DIR_FOR_CERTS)
.append(MonetagoProps.CLIENT_CERT_NAME)
.toString()).getFile());
this.clientKey = new File(classLoader.getResource(
new StringBuilder(TestProps.BASE_DIR_FOR_CERTS)
.append(TestProps.CLIENT_KEY_NAME)
.toString()).getFile());
} catch (Exception fe) {
log.error("unable to read ssl certificate files for testConnection");
throw new IllegalStateException("unable to read ssl certificate files for test Connection");
}
}
我只是注釋掉了通道構建器上的usePlaintext(false)調用,並且能夠與服務器建立SSL連接。
channelBuilder = NettyChannelBuilder.forAddress(host, port)
.overrideAuthority("localhost")
.negotiationType(NegotiationType.TLS)
**//.usePlaintext(false)**
.sslContext(sslContext);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.