javax.net.ssl, HTTPS client and close_notify

A simple Netty implementation of an HTTPS server using javax.net.ssl, with a self-signed certificate. The server is started, then a request is issued with DHC by Restlet. On the server side I get:

io.netty.handler.ssl.SslHandler setHandshakeFailure
WARNING: SSLEngine.closeInbound() raised an exception due to closed connection.
javax.net.ssl.SSLException: Inbound closed before receiving peer’s close_notify: possible truncation attack?

at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:905)
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:576)
at io.netty.channel.DefaultChannelHandlerContext.invokeChannelInactive(DefaultChannelHandlerContext.java:819)
at io.netty.channel.DefaultChannelHandlerContext.access$1300(DefaultChannelHandlerContext.java:38)
at io.netty.channel.DefaultChannelHandlerContext$5.run(DefaultChannelHandlerContext.java:808)
at io.netty.channel.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:259)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:305)
at io.netty.channel.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:110)
at java.lang.Thread.run(Unknown Source)

On the client side:

No response. Is the certificate valid? Click here to check.

Issuing the same request from Chrome's address bar gives the same server-side exception. Issuing the same request from Firefox's address bar gives the same exception, while Firefox displays a warning page about the certificate not coming from a trusted CA. This exception seems very generic and does not directly indicate the state of the protocol. Does this mean that these three clients (Chrome, Firefox, DHC by Restlet) are not playing the protocol nicely and simply vanish from the server's point of view instead of sending close_notify? Or is this the client behaviour required by the SSL RFC, or just a security-oriented client design?

Solution

I contacted the DHC by Restlet team, and they told me a workaround:

Chrome doesn’t provide an API for managing certificates. In other words, we have no API to automatically accept your certificate nor a way to raise the ‘untrusted certificate’ dialog. But you can use a little workaround:

  1. Open the https URL in another tab.
  2. Manually accept the certificate.
  3. Go back to DHC and it will work because your certificate has been accepted manually (it is stored in your Chrome) by the previous step.

Usually you have to do this just once.
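The message "Inbound closed before receiving peer's close_notify: possible truncation attack?" is what the JDK's SSLEngine.closeInbound() reports when the TCP connection ended without the peer first sending the TLS close_notify alert; TLS requires that alert so an endpoint can distinguish an orderly end of data from a connection an attacker cut short, and a client that refuses an untrusted certificate aborts before ever reaching that point. The example below is an added illustration of both halves of this thread (the question's close_notify behaviour and the answer's certificate-acceptance problem); it is not code from the original post, from Netty, or from the DHC team. It is a hypothetical standalone Java client that trusts the server's self-signed certificate explicitly through a pinned truststore instead of disabling validation, enables hostname verification, and always closes via SSLSocket.close(), which sends close_notify before the TCP close. The truststore path, password, host and port are assumptions.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical client for a self-signed HTTPS server (example code, not from
 * the original post). It trusts exactly one pinned certificate loaded from a
 * PKCS12 truststore, verifies the hostname, and closes with SSLSocket.close(),
 * which sends the TLS close_notify alert before the TCP FIN.
 */
public class CloseNotifyClient {

    // Assumptions: the server's self-signed certificate was exported with
    // keytool and imported into this truststore file with this password.
    static final String TRUSTSTORE_PATH = "server-cert.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext that trusts only the certificates in the truststore. */
    static SSLContext pinnedContext(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // no system CAs: only the pinned self-signed certificate
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Sends one GET and returns the HTTP status line; always closes cleanly. */
    static String get(SSLContext ctx, String host, int port, String path)
            throws IOException {
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // check cert name vs host
            sock.setSSLParameters(params);
            sock.startHandshake(); // throws SSLHandshakeException if the cert is untrusted

            OutputStream out = sock.getOutputStream();
            out.write(("GET " + path + " HTTP/1.1\r\nHost: " + host
                       + "\r\nConnection: close\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
            out.flush();

            BufferedReader reader = new BufferedReader(
                new InputStreamReader(sock.getInputStream(), StandardCharsets.ISO_8859_1));
            return reader.readLine(); // e.g. "HTTP/1.1 200 OK"
        } finally {
            // SSLSocket.close() writes close_notify and then closes TCP, so the
            // server's SSLEngine sees an orderly shutdown rather than a truncation.
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";   // assumed host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443; // assumed port
        SSLContext ctx = pinnedContext(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        System.out.println(get(ctx, host, port, "/"));
    }
}
```

Because hostname verification is enabled, the self-signed certificate must carry a subject alternative name matching the host it is reached at (with keytool, `-ext san=dns:localhost` at generation time); a certificate without one fails in startHandshake() exactly as it would in a browser, and that handshake failure, not a protocol violation, is the kind of abort the original server log records. Pinning the certificate this way is the programmatic counterpart of accepting it once in the browser, without weakening validation for any other host.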
