文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >java SSLEngine表示NEED_WRAP,调用.wrap(),仍然调用NEED_WRAP

java SSLEngine表示NEED_WRAP,调用.wrap(),仍然调用NEED_WRAP
EN

Stack Overflow用户
提问于 2019-06-21 16:09:03
回答 3查看 5.6K关注 0票数 6

我在SSLEngine上看到了一个奇怪的问题,我想知道我的代码或SSLEngine是否有问题。这是我看到事物的顺序

  1. HandshakeStatus是NEED_WRAP
  2. 我们称之为SSLEngine.WRAP
  3. 之后,将零个数据写入缓冲区,SSLEngineResult.result=OK(既不溢出也不下溢:( )和HandshakeStatus仍然是NEED_WRAP )

最重要的问题:如何彻底调试?如何以某种方式“看到”每条信息?我可以很容易地捕获字节流,但是是否有一些库可以将其解析为SSL握手对象?

第298行(记录先前的握手状态)到第328行(我们用info抛出异常)是这里的相关代码。

https://github.com/deanhiller/webpieces/blob/sslEngineFartingExample/core/core-ssl/src/main/java/org/webpieces/ssl/impl/AsyncSSLEngine3Impl.java

堆栈跟踪是

代码语言:javascript
复制
2019-06-21 08:58:24,562 [-] [webpiecesThreadPool6] Caller+1  at org.webpieces.util.threading.SessionExecutorImpl$RunnableWithKey.run(SessionExecutorImpl.java:123)
  ERROR: Uncaught Exception
java.lang.IllegalStateException: Engine issue.  hsStatus=NEED_WRAP status=OK previous hsStatus=NEED_WRAP
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.sendHandshakeMessageImpl(AsyncSSLEngine3Impl.java:328)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.sendHandshakeMessage(AsyncSSLEngine3Impl.java:286)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doHandshakeWork(AsyncSSLEngine3Impl.java:133)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doHandshakeLoop(AsyncSSLEngine3Impl.java:246)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.unwrapPacket(AsyncSSLEngine3Impl.java:210)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.doWork(AsyncSSLEngine3Impl.java:109)
    at org.webpieces.ssl.impl.AsyncSSLEngine3Impl.feedEncryptedPacket(AsyncSSLEngine3Impl.java:82)
    at org.webpieces.nio.impl.ssl.SslTCPChannel$SocketDataListener.incomingData(SslTCPChannel.java:175)
    at org.webpieces.nio.impl.threading.ThreadDataListener$1.run(ThreadDataListener.java:26)
    at org.webpieces.util.threading.SessionExecutorImpl$RunnableWithKey.run(SessionExecutorImpl.java:121)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)

有什么想法吗?我怎么才能更深入地研究这个问题呢?我的首选项是一个库,它获取字节,并释放表示每个握手消息或解密数据包的ssl对象(带有原始加密内容附带的任何头信息)。

具体来说,下面是上面提到的代码

代码语言:javascript
复制
        HandshakeStatus previousStatus = sslEngine.getHandshakeStatus();
    //CLOSE and all the threads that call feedPlainPacket can have contention on wrapping to encrypt and
    //must synchronize on sslEngine.wrap
    Status lastStatus;
    HandshakeStatus hsStatus;
    synchronized (wrapLock ) {

        HandshakeStatus beforeWrapHandshakeStatus = sslEngine.getHandshakeStatus();
        if (beforeWrapHandshakeStatus != HandshakeStatus.NEED_WRAP)
            throw new IllegalStateException("we should only be calling this method when hsStatus=NEED_WRAP.  hsStatus=" + beforeWrapHandshakeStatus);

        //KEEEEEP This very small.  wrap and then listener.packetEncrypted
        SSLEngineResult result = sslEngine.wrap(SslMementoImpl.EMPTY, engineToSocketData);
        lastStatus = result.getStatus();
        hsStatus = result.getHandshakeStatus();
    }

    log.trace(()->mem+"write packet pos="+engineToSocketData.position()+" lim="+
                    engineToSocketData.limit()+" status="+lastStatus+" hs="+hsStatus);

    if(lastStatus == Status.BUFFER_OVERFLOW || lastStatus == Status.BUFFER_UNDERFLOW)
        throw new RuntimeException("status not right, status="+lastStatus+" even though we sized the buffer to consume all?");

    boolean readNoData = engineToSocketData.position() == 0;
    engineToSocketData.flip();
    try {
        CompletableFuture<Void> sentMsgFuture;
        if(readNoData) {
            log.trace(() -> "ssl engine is farting. READ 0 data.  hsStatus="+hsStatus+" status="+lastStatus);

            throw new IllegalStateException("Engine issue.  hsStatus="+hsStatus+" status="+lastStatus+" previous hsStatus="+previousStatus);
            //A big hack since the Engine was not working in live testing with FireFox and it would tell us to wrap
            //and NOT output any data AND not BufferOverflow.....you have to do 1 or the other, right!
            //instead cut out of looping since there seems to be no data
            //sslEngineIsFarting = true;
            //sentMsgFuture = CompletableFuture.completedFuture(null);

谢谢,迪恩

java
nio
sslengine
EN

回答 3

Stack Overflow用户

回答已采纳

发布于 2019-09-16 15:17:03

System.setProperty("jdk.tls.server.protocols","TLSv1.2"); System.setProperty("jdk.tls.client.protocols","TLSv1.2");

应该在加载JSSE之前设置系统属性。例如,在命令行中设置属性。是因为系统属性不适合您吗?

..。SSLEngine告诉我们我们需要包装,这是正确的,因为为了防止截断攻击,我们还需要使用close_notify进行应答,但是引擎返回0字节,并告诉我们引擎的状态仍然是NEED_WRAP。

TLS 1.3使用的是半封闭策略(见RFC 8446)。当接收到close_notify时,入站侧将关闭,出站侧保持打开。本地无法接收任何数据,但允许发送更多的应用程序数据。

半封闭策略对兼容性有一些影响(参见JDK 11发行说明,https://www.oracle.com/technetwork/java/javase/11-relnote-issues-5012449.html)。系统属性"jdk.tls.acknowledgeCloseNotify“可用作解决方案。有关更多细节,请参阅JDK 11发行说明。

票数 1
EN

Stack Overflow用户

发布于 2019-06-30 05:42:30

好吧,越来越多的人认为这是jdk的错误,这似乎证明了这一点。我的日志显示我在jdk11.0.3(在MAC上)

2019-06-29 23:37:18,793 main - Caller+1 at Caller+1 INFO:启动java version=11.0.3下的开发服务器

我使用了调试ssl标志设置。

代码语言:javascript
复制
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack

我还用自己的日志包围了对sslEngine.wrap和sslEngine.unwrap的所有调用,幸运的是,每个人的日志中都有线程名。

当客户发出警告的时候

代码语言:javascript
复制
javax.net.ssl|DEBUG|14|webpiecesThreadPool1|2019-06-29 23:27:14.860 
MDT|Alert.java:232|Received alert message (
"Alert": {
  "level"      : "warning",
  "description": "close_notify"
}
)

SSLEngine告诉我们我们需要包装,这是正确的,因为为了防止截断攻击,我们还需要使用close_notify进行应答,但是引擎返回0字节,并告诉我们引擎的状态仍然是NEED_WRAP。

而且,在sslEngine.wrap调用之前和之后,我的日志之间没有来自java的零ssl调试日志,几乎就像sslEngine放屁一样,什么也不做。

然后,我认为自己很酷,并将其作为main()方法中的第一行添加。

代码语言:javascript
复制
        System.setProperty("jdk.tls.server.protocols", "TLSv1.2");
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

但是调试信息中选择的版本仍然是TLSv1.3....grrrrrr...oh --好吧,我放弃了。

票数 1
EN

Stack Overflow用户

发布于 2019-06-30 06:15:24

哦,更好的是,降级到1.8.0_111就能获得成功

代码语言:javascript
复制
2019-06-30 00:11:54,813 [main] Caller+1  at 
WEBPIECESxPACKAGE.DevelopmentServer.main(DevelopmentServer.java:32)
 INFO: Starting Development Server under java version=1.8.0_111

webpiecesThreadPool5, READ: TLSv1.2 Alert, length = 26
webpiecesThreadPool2, RECV TLSv1.2 ALERT:  warning, close_notify
webpiecesThreadPool2, closeInboundInternal()
webpiecesThreadPool2, closeOutboundInternal()
webpiecesThreadPool5, RECV TLSv1.2 ALERT:  warning, close_notify
webpiecesThreadPool5, closeInboundInternal()
webpiecesThreadPool5, closeOutboundInternal()
webpiecesThreadPool2, SEND TLSv1.2 ALERT:  warning, description = close_notify
webpiecesThreadPool5, SEND TLSv1.2 ALERT:  warning, description = close_notify
webpiecesThreadPool2, WRITE: TLSv1.2 Alert, length = 26
webpiecesThreadPool5, WRITE: TLSv1.2 Alert, length = 26
票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/56707024

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档