使用 jdk8 進行 Conscrypt 為 http2 啟用 ALPN
[英]Conscrypt with jdk8 to enable ALPN for http2
問題描述
我一直在搜索如何使用conscrypt-openjdk-uber-1.4.1.jar for jdk8 實現Conscrypt SSL 提供程序以支持ALPN以建立與服務器的http2(使用 apache httpclient 5)連接,因為jdk8 默認不支持 ALPN或另一種解決方案是遷移到 jdk9(或更高版本),這暫時不可行,因為我們的產品嚴重依賴 jdk8
我一直在廣泛搜索一些要實現的文檔或示例,但找不到。
我嘗試將 conscrypt 提供程序作為默認值插入,我的程序將其作為默認提供程序,但仍然無法與 http2 服務器連接,我的示例如下,
public static void main(final String[] args) throws Exception {
Security.insertProviderAt(new OpenSSLProvider(), 1);
final SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(new TrustAllStrategy()).build();
final PoolingAsyncClientConnectionManager connectionManager = PoolingAsyncClientConnectionManagerBuilder.create().setTlsStrategy(new H2TlsStrategy(sslContext, NoopHostnameVerifier.INSTANCE)).build();
final IOReactorConfig ioReactorConfig = IOReactorConfig.custom().setSoTimeout(Timeout.ofSeconds(5)).build();
final MinimalHttpAsyncClient client = HttpAsyncClients.createMinimal(HttpVersionPolicy.FORCE_HTTP_2, H2Config.DEFAULT, null, ioReactorConfig, connectionManager);
client.start();
final HttpHost target = new HttpHost("localhost", 8082, "https");
final Future<AsyncClientEndpoint> leaseFuture = client.lease(target, null);
final AsyncClientEndpoint endpoint = leaseFuture.get(10, TimeUnit.SECONDS);
try {
String[] requestUris = new String[] {"/"};
CountDownLatch latch = new CountDownLatch(requestUris.length);
for (final String requestUri: requestUris) {
SimpleHttpRequest request = SimpleHttpRequest.get(target, requestUri);
endpoint.execute(SimpleRequestProducer.create(request), SimpleResponseConsumer.create(), new FutureCallback<SimpleHttpResponse>() {
@Override
public void completed(final SimpleHttpResponse response) {
latch.countDown();
System.out.println(requestUri + "->" + response.getCode());
System.out.println(response.getBody());
}
@Override
public void failed(final Exception ex) {
latch.countDown();
System.out.println(requestUri + "->" + ex);
ex.printStackTrace();
}
@Override
public void cancelled() {
latch.countDown();
System.out.println(requestUri + " cancelled");
}
});
}
latch.await();
} catch (Exception e) {
e.printStackTrace();
}finally {
endpoint.releaseAndReuse();
}
client.shutdown(ShutdownType.GRACEFUL);
}
這個程序給出的輸出為
org.apache.hc.core5.http.ConnectionClosedException:連接關閉 org.apache.hc.core5.http.ConnectionClosedException:連接在 org.apache.hc.core5.http2.impl.nio.FrameInputBuffer.read(FrameInputBuffer.java) 關閉:146) 在 org.apache.hc.core5.http2.impl.nio.AbstractHttp2StreamMultiplexer.onInput(AbstractHttp2StreamMultiplexer.java:415) 在 org.apache.hc.core5.http2.impl.nio.AbstractHttp2IOEventHandler.inputReady(AbstractHttp2IOEventHandler.java:415) :63) 在 org.apache.hc.core5.http2.impl.nio.ClientHttp2IOEventHandler.inputReady(ClientHttp2IOEventHandler.java:38) 在 org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:117) 在org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:50) 在 org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:173) 在 org.apache.hc.core5。 reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:123) 在 org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(A bstractSingleCoreIOReactor.java:80) 在 org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44) 在 java.lang.Thread.run(Thread.java:748)
如果我打印提供程序和版本,它會打印為Conscrypt version 1.0和JDK 1.8.0_162 ,但它仍然無法與 http2 端點連接
如果我使用帶有默認提供程序的 jdk9 連接,相同的代碼塊可以完美運行,我在 conscrypt 配置中缺少什么?
任何幫助表示贊賞
提前致謝
1 個解決方案
解決方案1
3 已采納 2018-11-20 18:33:09
僅用 Conscrypt 替換默認的 JSSE 提供程序是不夠的。 還需要一個可以利用 Conscrypt API 的自定義TlsStrategy 。
這對我來說適用於 Java 1.8 和 Conscrypt 1.4.1
static class ConscriptClientTlsStrategy implements TlsStrategy {
private final SSLContext sslContext;
public ConscriptClientTlsStrategy(final SSLContext sslContext) {
this.sslContext = Args.notNull(sslContext, "SSL context");
}
@Override
public boolean upgrade(
final TransportSecurityLayer tlsSession,
final HttpHost host,
final SocketAddress localAddress,
final SocketAddress remoteAddress,
final Object attachment) {
final String scheme = host != null ? host.getSchemeName() : null;
if (URIScheme.HTTPS.same(scheme)) {
tlsSession.startTls(
sslContext,
host,
SSLBufferMode.STATIC,
(endpoint, sslEngine) -> {
final SSLParameters sslParameters = sslEngine.getSSLParameters();
sslParameters.setProtocols(H2TlsSupport.excludeBlacklistedProtocols(sslParameters.getProtocols()));
sslParameters.setCipherSuites(H2TlsSupport.excludeBlacklistedCiphers(sslParameters.getCipherSuites()));
H2TlsSupport.setEnableRetransmissions(sslParameters, false);
final HttpVersionPolicy versionPolicy = attachment instanceof HttpVersionPolicy ?
(HttpVersionPolicy) attachment : HttpVersionPolicy.NEGOTIATE;
final String[] appProtocols;
switch (versionPolicy) {
case FORCE_HTTP_1:
appProtocols = new String[] { ApplicationProtocols.HTTP_1_1.id };
break;
case FORCE_HTTP_2:
appProtocols = new String[] { ApplicationProtocols.HTTP_2.id };
break;
default:
appProtocols = new String[] { ApplicationProtocols.HTTP_2.id, ApplicationProtocols.HTTP_1_1.id };
}
if (Conscrypt.isConscrypt(sslEngine)) {
sslEngine.setSSLParameters(sslParameters);
Conscrypt.setApplicationProtocols(sslEngine, appProtocols);
} else {
H2TlsSupport.setApplicationProtocols(sslParameters, appProtocols);
sslEngine.setSSLParameters(sslParameters);
}
},
(endpoint, sslEngine) -> {
if (Conscrypt.isConscrypt(sslEngine)) {
return new TlsDetails(sslEngine.getSession(), Conscrypt.getApplicationProtocol(sslEngine));
}
return null;
});
return true;
}
return false;
}
}
public static void main(String[] args) throws Exception {
final SSLContext sslContext = SSLContexts.custom()
.setProvider(Conscrypt.newProvider())
.build();
final PoolingAsyncClientConnectionManager cm = PoolingAsyncClientConnectionManagerBuilder.create()
.setTlsStrategy(new ConscriptClientTlsStrategy(sslContext))
.build();
try (CloseableHttpAsyncClient client = HttpAsyncClients.custom()
.setVersionPolicy(HttpVersionPolicy.NEGOTIATE)
.setConnectionManager(cm)
.build()) {
client.start();
final HttpHost target = new HttpHost("nghttp2.org", 443, "https");
final String requestUri = "/httpbin";
final HttpClientContext clientContext = HttpClientContext.create();
final SimpleHttpRequest request = SimpleHttpRequests.GET.create(target, requestUri);
final Future<SimpleHttpResponse> future = client.execute(
SimpleRequestProducer.create(request),
SimpleResponseConsumer.create(),
clientContext,
new FutureCallback<SimpleHttpResponse>() {
@Override
public void completed(final SimpleHttpResponse response) {
System.out.println(requestUri + "->" + response.getCode() + " " +
clientContext.getProtocolVersion());
System.out.println(response.getBody());
final SSLSession sslSession = clientContext.getSSLSession();
if (sslSession != null) {
System.out.println("SSL protocol " + sslSession.getProtocol());
System.out.println("SSL cipher suite " + sslSession.getCipherSuite());
}
}
@Override
public void failed(final Exception ex) {
System.out.println(requestUri + "->" + ex);
}
@Override
public void cancelled() {
System.out.println(requestUri + " cancelled");
}
});
future.get();
System.out.println("Shutting down");
client.shutdown(CloseMode.GRACEFUL);
}
}
OkHttpClient 如何通過 http2 與不支持 ALPN 的服務器建立 TLS 連接?
[英]How OkHttpClient can establish TLS connection via http2 with server that does not support ALPN?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.